CN108777805B - Detection method and device for illegal access request, central control server and system - Google Patents

Detection method and device for illegal access request, central control server and system Download PDF

Info

Publication number
CN108777805B
CN108777805B CN201810474713.XA CN201810474713A CN108777805B CN 108777805 B CN108777805 B CN 108777805B CN 201810474713 A CN201810474713 A CN 201810474713A CN 108777805 B CN108777805 B CN 108777805B
Authority
CN
China
Prior art keywords
video server
preset time
time period
flow
total access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810474713.XA
Other languages
Chinese (zh)
Other versions
CN108777805A (en
Inventor
丁浩
胡文
吴岩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing QIYI Century Science and Technology Co Ltd filed Critical Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201810474713.XA priority Critical patent/CN108777805B/en
Publication of CN108777805A publication Critical patent/CN108777805A/en
Application granted granted Critical
Publication of CN108777805B publication Critical patent/CN108777805B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/63Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/632Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing using a connection between clients on a wide area network, e.g. setting up a peer-to-peer communication via Internet for retrieving video segments from the hard-disk of other client devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/239Interfacing the upstream path of the transmission network, e.g. prioritizing client content requests
    • H04N21/2393Interfacing the upstream path of the transmission network, e.g. prioritizing client content requests involving handling client requests
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/24Monitoring of processes or resources, e.g. monitoring of server load, available bandwidth, upstream requests
    • H04N21/2405Monitoring of the internal components or processes of the server, e.g. server load
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/262Content or additional data distribution scheduling, e.g. sending additional data at off-peak times, updating software modules, calculating the carousel transmission frequency, delaying a video stream transmission, generating play-lists
    • H04N21/26208Content or additional data distribution scheduling, e.g. sending additional data at off-peak times, updating software modules, calculating the carousel transmission frequency, delaying a video stream transmission, generating play-lists the scheduling operation being performed under constraints

Abstract

The invention discloses a method, a device and a system for detecting an illegal access request, wherein when a first video server with actual total access flow not larger than total distribution flow exists in a preset time period within a current preset time period from the current moment, the actual total access flow and training parameter data of the first video server with the current total access flow in the preset time period of the current preset time period of the first video server are obtained, the training parameter data are brought into a training model to obtain the predicted total access flow of the first video server in the preset time period of the current preset time period, and whether the illegal access request occurs in the preset time period of the first video server is determined by comparing the actual total access flow and the predicted total access flow of the first video server with the current total access flow. Therefore, the invention can determine whether the video server has the illegal access request when the illegal access request is not obvious, thereby improving the safety of the video server.

Description

Detection method and device for illegal access request, central control server and system
Technical Field
The invention relates to the technical field of network security, in particular to a method, a device, a central control server and a system for detecting an illegal access request.
Background
The video distribution system refers to a network system capable of providing a real-time downloading function for an online video service. In a video distribution system, a scheduler and a video server are two important components. Before a client needs to download a video file from a video server, a query request needs to be sent to a scheduler, and the scheduler allocates one video server to the client according to information such as strategy configuration, user IP and the like.
Therefore, the access request sent by the client to the video server directly by bypassing the scheduler through a series of methods can be regarded as an illegal access request. Theoretically, when an illegal access request occurs, the actual total access flow of the video server is higher than the total allocation flow of the scheduler for the video server. However, due to the existence of the P2P (Peer-to-Peer) system, the actual total access traffic of the video server may be lower than the traffic allocated by the scheduler for the video server, and therefore, when the illegal access request is not obvious, that is, when the access amount of the illegal access request is relatively small, it is also possible that the actual total access traffic of the video server may be lower than the total allocation traffic allocated by the scheduler for the video server, in which case, the illegal access request will not be easily found.
Disclosure of Invention
In view of this, the invention discloses a method, an apparatus, a central control server and a system for detecting an illegal access request, so as to determine whether the video server has the illegal access request when the illegal access request is not obvious, thereby improving the security of the video server.
A detection method for illegal access requests is applied to a central control server, the central control server is respectively connected with a plurality of schedulers and a plurality of video servers, and the detection method comprises the following steps:
judging whether the actual total access flow of each video server in a preset time period is larger than the total distribution flow distributed by all schedulers in the preset time period;
when a first video server with actual total access flow not greater than total distribution flow exists, acquiring the actual total access flow and training parameter data of the first video server in the preset time period, wherein the training parameter data comprises: the total distributed flow quantity distributed to the first video server by all the schedulers in the preset time period, and the actual total access flow quantity of the first video server and the total distributed flow quantity distributed by all the schedulers in each preset time period in a plurality of preset time periods before the preset time period, wherein the first video server is one of the plurality of video servers;
substituting the training parameter data into a pre-obtained training model to obtain the predicted total access flow of the first video server in the preset time period;
comparing the actual total access flow of the first video server with the predicted total access flow, and when the actual total access flow of the first video server is greater than the predicted total access flow and the difference value between the actual total access flow of the first video server and the predicted total access flow exceeds a threshold value, determining that an illegal access request occurs in the first video server within the preset time period.
Preferably, the detection method further comprises:
and when a second video server with actual total access flow larger than total distribution flow exists, judging that an illegal access request occurs in the second video server within the preset time period, wherein the second video server is one of the video servers.
Preferably, before the training parameter data is substituted into a pre-obtained training model to obtain the predicted total access flow of the first video server in the preset time period, the method further includes:
acquiring training data required for establishing the training model;
selecting the actual total access flow of the first video server to be detected within the preset time period at the moment of t from the training data as a target variable of the training model, wherein t is a positive integer;
training the target variable and the characteristic value to obtain the training model; the characteristic values include: and in the training data, all schedulers within the preset time period from the time t allocate total traffic to the first video server, and the actual total access traffic of the first video server and the total allocated traffic allocated by all the schedulers within each preset time period in a plurality of continuous preset time periods before the preset time period from the time t.
Preferably, the acquiring training data required for establishing the training model includes:
acquiring original training data required for establishing the training model from a plurality of schedulers and a plurality of video servers;
and screening the original training data according to a preset screening condition for detecting the illegal access request, filtering data which is determined to have the illegal access request in the preset time period, and taking the data obtained after the original training data is filtered as the training data.
Preferably, the process of obtaining the raw training data required for building the training model from the plurality of schedulers and the plurality of video servers includes:
obtaining flow information of each scheduler, wherein the flow information comprises: in the preset time period, the scheduler allocates IP addresses of all video servers and corresponding total allocation flow to the users;
merging the flow information of all the schedulers to obtain the total distributed flow of the video server with the same IP address distributed by all the schedulers in the preset time period;
acquiring actual total access flow fed back by each video server within the preset time period;
and in the preset time period, the actual total access flow of each video server and the total distribution flow distributed by all the schedulers are correlated through the same IP address to obtain the original training data.
Preferably, the detection method further comprises:
and when the actual total access flow of the first video server is not greater than the predicted total access flow, or the difference value between the actual total access flow of the first video server and the predicted total access flow does not exceed a threshold value, determining that the first video server has not generated an illegal access request within the preset time period.
Preferably, when it is determined that the first video server does not have an illegal access request within the preset time period, the detection method further includes:
and training the training model by taking the actual total access flow and the training parameter data of the first video server as training parameters to obtain an updated training model.
A detection device for illegal access requests is applied to a central control server, the central control server is respectively connected with a plurality of schedulers and a plurality of video servers, and the detection device comprises:
the judging unit is used for judging whether the actual total access flow of each video server in a preset time period is larger than the total distribution flow distributed by all the schedulers in the preset time period;
a first obtaining unit, configured to obtain, when there is a first video server whose actual total access traffic is not greater than a total allocation traffic, actual total access traffic of the first video server in the preset time period and training parameter data, where the training parameter data includes: the total distributed flow quantity distributed to the first video server by all the schedulers in the preset time period, and the actual total access flow quantity of the first video server and the total distributed flow quantity distributed by all the schedulers in each preset time period in a plurality of preset time periods before the preset time period, wherein the first video server is one of the plurality of video servers;
the predicted total access flow calculation unit is used for substituting the training parameter data into a pre-obtained training model to obtain the predicted total access flow of the first video server in the preset time period;
a first determining unit, configured to compare an actual total access traffic of the first video server with the predicted total access traffic, and determine that an illegal access request occurs in the first video server within the preset time period when the actual total access traffic of the first video server is greater than the predicted total access traffic and a difference between the actual total access traffic of the first video server and the predicted total access traffic exceeds a threshold.
Preferably, the detection device further comprises:
and a second determining unit, configured to determine that an illegal access request occurs to a second video server within the preset time period when there is a second video server having an actual total access traffic that is greater than a total distributed traffic, where the second video server is one of the plurality of video servers.
Preferably, the method further comprises the following steps:
a second obtaining unit, configured to obtain training data required for establishing the training model before the predicted total access traffic of the first video server in the preset time period is obtained by substituting the training parameter data into a pre-obtained training model by the predicted total access traffic calculating unit;
a target variable selecting unit, configured to select, from the training data, an actual total access flow of a first video server to be detected within the preset time period from a time t as a target variable of the training model, where t is a positive integer;
a training model obtaining unit, configured to train the target variable and the feature value to obtain the training model, where the feature value includes: and in the training data, all schedulers within the preset time period from the time t allocate total traffic to the first video server, and the actual total access traffic of the first video server and the total allocated traffic allocated by all the schedulers within each preset time period in a plurality of continuous preset time periods before the preset time period from the time t.
Preferably, the second obtaining unit specifically includes:
the acquisition subunit is used for acquiring original training data required for establishing the training model from the schedulers and the video servers;
and the screening subunit is used for screening the original training data according to a preset screening condition for detecting the illegal access request, filtering data determined to have the illegal access request in the preset time period, and taking the data obtained by filtering the original training data as the training data.
Preferably, the obtaining subunit is specifically configured to:
obtaining flow information of each scheduler, wherein the flow information comprises: in the preset time period, the scheduler allocates IP addresses of all video servers and corresponding total allocation flow to the users;
merging the flow information of all the schedulers to obtain the total distributed flow of the video server with the same IP address distributed by all the schedulers in the preset time period;
acquiring actual total access flow fed back by each video server within the preset time period;
and in the preset time period, the actual total access flow of each video server and the total distribution flow distributed by all the schedulers are correlated through the same IP address to obtain the original training data.
Preferably, the method further comprises the following steps:
a third determining unit, configured to determine that an illegal access request does not occur to the first video server within the preset time period when an actual total access traffic of the first video server is not greater than the predicted total access traffic, or a difference between the actual total access traffic of the first video server and the predicted total access traffic does not exceed a threshold.
Preferably, the method further comprises the following steps:
and the training perfecting unit is used for training the training model by taking the actual total access flow and the training parameter data of the first video server as training parameters when the first video server is judged not to have the illegal access request in the preset time period, so as to obtain the updated training model.
A central control server is characterized by comprising the detection device.
A video distribution system, comprising: the central control server is respectively connected with the schedulers and the video servers.
From the above technical solution, the present invention discloses a method, an apparatus, and a system for detecting an illegal access request, wherein when it is determined that there exists a first video server having an actual total access traffic not greater than a total allocated traffic within a preset time period, the actual total access traffic of the first video server and training parameter data of the first video server within the preset time period are obtained, and the training parameter data includes: the total distribution flow rate distributed by all the schedulers to the first video server in the preset time period, and in k preset time periods before the preset time period, the actual total access flow of the first video server and the total distribution flow distributed by all the schedulers in each preset time period bring the training parameter data into the training model to obtain the predicted total access flow of the first video server in the preset time period, determining whether the first video server has an illegal access request within a preset time period by comparing an actual total access traffic of the first video server with a predicted total access traffic, and when the actual total access flow of the first video server is larger than the predicted total access flow and the difference value between the actual total access flow and the predicted total access flow of the first video server exceeds a threshold value, judging that the first video server has an illegal access request within a preset time period. Therefore, the invention can determine whether the video server has the illegal access request when the illegal access request is not obvious, thereby improving the safety of the video server.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the disclosed drawings without creative efforts.
Fig. 1 is an architecture diagram of a video distribution system according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for detecting an illegal access request according to an embodiment of the present invention;
FIG. 3 is a flowchart of a training model building method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an apparatus for detecting an illegal access request according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an apparatus for building a training model according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention discloses a method, a device, a central control server and a system for detecting an illegal access request, which are used for determining whether the video server has the illegal access request or not when the illegal access request is not obvious, so that the safety of the video server is improved.
Referring to fig. 1, an architecture diagram of a video distribution system, that is, a video CDN (Content Delivery Network) disclosed in an embodiment of the present invention includes: the system comprises a central control server 11, a plurality of schedulers 12 and a plurality of video servers 13, wherein the central control server 11 is respectively connected with the schedulers 12 and the video servers 13, and the central control server 11 collects flow information from all the schedulers 12 and all the video servers 13 and processes the collected flow information to determine whether an illegal access request occurs to the video server 13.
The following describes in detail the process of the central server detecting whether there is an illegal access request from the video server.
Referring to fig. 2, an embodiment of the present invention discloses a flowchart of a detection method for an illegal access request, where the detection method is applied to a central control server, and the detection method includes the steps of:
step S101, judging whether the actual total access flow of each video server in a preset time period is larger than the total distribution flow distributed by all schedulers in the preset time period, if not, executing step S102;
it should be noted that, in a normal situation, before a client needs to download a video file from a video server, a query request needs to be sent to the scheduler first, the scheduler allocates a video server to the client according to information such as policy configuration and user IP, and then the client sends an access request to the video server allocated by the scheduler to download the video file from the video server. And the access request sent by the client to the video server directly by bypassing the scheduler through a series of methods can be regarded as an illegal access request. When the video server has an illegal access request, the situation that the client bypasses the scheduler and directly sends the access request to the video server exists at the moment is indicated. When the access amount of the illegal access request is large, the actual total access flow of each video server in the preset time period is larger than the total distributed flow allocated by all the schedulers in the preset time period, so that for the situation, it is easy to determine that the illegal access request occurs to the video server.
However, due to the existence of the P2P (Peer-to-Peer) system, the actual total access traffic of the video server may be lower than the traffic allocated by the scheduler to the video server, when the access volume of the illegal access request is relatively small, the actual total access traffic of the video server in the preset time period may not be greater than the total allocated traffic allocated by all schedulers in the preset time period, in this case, it may not be easy to determine whether the illegal access request occurs to the video server, and this embodiment mainly provides a detection method for the illegal access request.
The specific value of the preset time in this step may be determined according to actual needs, for example, 1 minute, and the present invention is not limited herein.
Step S102, when a first video server with actual total access flow not greater than total distribution flow exists, acquiring the actual total access flow and training parameter data of the first video server within a preset time period;
for convenience of description, the definition of the video server with the actual total access traffic not greater than the total allocation traffic in this step is as follows: a first video server, which is one of the plurality of video servers 13 in the embodiment shown in fig. 1.
The training parameter data in this step refers to: and the data of the corresponding target variable can be obtained by waiting for a training model obtained by pre-training. The training parameter data may include: the total allocation flow allocated by all the schedulers to the first video server in the preset time period, and the actual total access flow of the first video server and the total allocation flow allocated by all the schedulers in each preset time period in k preset time periods before the preset time period, wherein k is a positive integer.
In the invention, the actual total access flow of each first video server in each preset time period is taken as a target variable, so that the function of the training model is as follows: the method for predicting the possible total access flow of the first video server in the preset time period according to the total allocated flow allocated by the scheduler to the first video server in the preset time period and the related information of k preset times before the preset time period can be called as follows: and predicting the total access flow, comparing the predicted total access flow with the actual total access flow, and determining whether the first video server has an illegal access request within a preset time period according to a comparison result.
Step S103, substituting training parameter data into a pre-obtained training model to obtain the predicted total access flow of the first video server in a preset time period;
it will be appreciated that the training model first needs to be built before the training parameter data is brought into the pre-derived training model.
Referring to fig. 3, a flowchart of a method for building a training model according to an embodiment of the present invention is disclosed, and the method includes the steps of:
step S201, acquiring training data required by building a training model;
specifically, the central control server obtains original training data required for establishing a training model from a plurality of schedulers and a plurality of video servers, and the process specifically includes:
(1) acquiring flow information of each scheduler, wherein the flow information comprises: and in a preset time period, the scheduler allocates the IP addresses of the video servers and the corresponding total allocation flow to the users.
(2) In practical application, the IP addresses of the video servers and the corresponding total allocated traffic may be represented in a form of a corresponding relationship, such as a list, where the list includes: the IP address of the video server and the corresponding total allocated traffic.
(3) And acquiring the actual total access flow fed back by each video server within a preset time period. When each video server serves the user, the access flow is recorded in real time, the access flows in the preset time period are added every other preset time period to obtain the total access flow, and the total access flow is sent to the central control server. It should be noted that, when recording the access traffic, the video server may use the form of recording the number of bytes sent to the user.
(4) And in a preset time period, the actual total access flow of each video server and the total distribution flow distributed by all the schedulers are correlated through the same IP address to obtain original training data. The actual total access traffic of the video server and the total allocated traffic allocated by all schedulers, which are associated by the same IP address, can be represented in the form of a table.
It should be noted that, in practical applications, the raw training data obtained in (4) may be used as the data required for building the training model.
Those skilled in the art will appreciate that the more accurate the training data used to build the training model, the more reliable the resulting training model.
In order to improve the reliability of the established training model, after the original training data are obtained, the original training data are firstly screened according to the screening condition for detecting the illegal access request, the data which are determined to have the illegal access request in the preset time period are filtered, and the data after the original training data are filtered are used as the training data. The preset screening condition for detecting the illegal access request in this embodiment refers to a condition that a person skilled in the art can directly and unambiguously determine that the illegal access request occurs to the video server in the preset time period from other channels according to practical experience, for example, if a link stealing behavior of a certain video server occurs in a certain preset time period through other channels except the channel of the present invention, the total access traffic data of the video server in the preset time period, the total distribution traffic data distributed by all schedulers in the preset time period, and related data thereof are filtered.
The preset screening condition for detecting the illegal access request may be determined according to actual needs, and the present invention is not limited herein.
Step S202, selecting actual total access flow of a first video server to be detected within a preset time period away from the moment t from training data as a target variable of a training model, wherein t is a positive integer;
in practical application, the actual total access flow of the first video server to be detected within a preset time period from the moment t can be selected from the training data as a target variable of the training model, wherein t is a positive integer.
And S203, training the target variable and the characteristic value to obtain a training model.
Specifically, the characteristic values include: and in the training data, all schedulers within a preset time period away from the time t are used for distributing the total distribution flow for the first video server, and the actual total access flow of the first video server and the total distribution flow distributed by all the schedulers are trained within each preset time period of k continuous preset time periods away from the preset time period before the time t.
It should be noted that, in the present invention, the preset time period from the time t specifically refers to a preset time period closest to the time t, for example, if the preset time period is 1 minute, and the time t is 3:01, then 1 minute from 3:00 to 3:01 is the preset time period from 3: 01.
Therefore, step S203 specifically includes:
and training the target variable, the total distributed flow distributed to the first video server by all the schedulers within a preset time period away from the t moment in the training data, and the actual total access flow of the first video server and the total distributed flow distributed by all the schedulers within each preset time period in k preset time periods before the preset time period away from the t moment to obtain a training model.
For ease of understanding, the selection process of the characteristic values is now described as follows:
if the actual total access flow of a certain first video server in a preset time period at the time of t is taken as a target variable, the target variable is CtExpressed that the characteristic value is (D)t-k,Ct-k,....Dt-1,Ct-1,Dt) Wherein D istRefers to the total distribution flow, D, distributed to the first video server by all schedulers within a preset time period from the time tt-kRefers to the total distribution flow rate distributed by all schedulers to the first video server in the (t-k) th time period before the preset time period of the time t, Ct-kThe actual total access flow of the first video server in the (t-k) th time period before the preset time period at the time t is referred to; dt-1Means the total distribution flow rate distributed by all the schedulers to the first video server in the (t-1) th time period before the preset time period of the time t, Ct-1Refers to the actual total access traffic of the first video server in the (t-1) th time period before the preset time period at the time point t.
For example, if the preset time period is 1 minute and k is 180, i.e. 3 hours, the characteristic value (D) is selectedt-k,Ct-k,....Dt-1,Ct-1,Dt) The total number of the access requests is 180 x 2+ 1-361, and the invention uses the data of the last three hours to preset the actual total access flow of the first video server in the preset time period closest to the current moment.
It should be noted that, in practical application, an existing and commonly used supervised learning method may be used, for example, svm (Support Vector Machine), naive bayes, random forests, and the like, and any one of them may be selected to train data acquired by the central control server to obtain a training model.
Step S104, comparing the actual total access flow of the first video server with the predicted total access flow, and when the actual total access flow of the first video server is larger than the predicted total access flow and the difference value between the actual total access flow and the predicted total access flow of the first video server exceeds a threshold value, judging that the first video server has an illegal access request within a preset time period.
Based on the above discussion, the predicted total access traffic in this step refers to traffic in which an illegal access request does not occur in the first video server within the preset time period, and when an illegal access request occurs in the first video server within the preset time period, the actual total access traffic of the first video server is greatly increased, so that when it is determined that the actual total access traffic of the first video server within the preset time period of the first video server is greater than the predicted total access traffic, and the difference between the actual total access traffic of the first video server and the predicted total access traffic exceeds the threshold, it may be determined that an illegal access request occurs in the first video server within the preset time period.
The specific value of the threshold depends on the actual requirement, such as 15%, and the invention is not limited herein. It should be noted that the access traffic in the present invention is expressed by a percentage, and therefore, the threshold in this embodiment may be expressed by a percentage.
For easy understanding, the method for detecting an illegal access request provided by the present invention further provides a specific embodiment, which is specifically set forth as follows:
assuming that the preset time period is 1 minute, k is 180, when the time t is 3:01, the central control server receives the IP address of each video server and the corresponding total allocation flow rate of each video server allocated by each scheduler for each video server within 1 minute, and the actual total access flow rate of each video server within 1 minute, and merges the flow rate information of all the schedulers to obtain the total allocation flow rate of the video server with the same IP address allocated by all the schedulers within 1 minute. The central control server substitutes the actual total access flow of the video server and the total distribution flow distributed by all the schedulers in each 1 minute from 0 point to 3 points and the total distribution flow distributed by all the schedulers for the video server in 1 minute from 3 points to 3:01 into the training model to obtain the predicted total access flow of the video server in 1 minute from 3 points to 3: 01; and then comparing the preset total access flow with the actual total access flow of the video server within 1 minute from 3 points to 3:01, wherein the actual total access flow of the first video server is greater than the predicted total access flow, and when the difference value between the actual total access flow and the predicted total access flow of the first video server exceeds a threshold value, it is determined that an illegal access request occurs in 1 minute from 3 points to 3:01 of the video server, and operation and maintenance personnel are required to process the illegal access request.
To sum up, in the method for detecting an illegal access request disclosed by the present invention, when it is determined that the first video server having the actual total access traffic not greater than the total distributed traffic exists within the preset time period, the actual total access traffic of the first video server and the training parameter data of the first video server within the preset time period are obtained, and the training parameter data include: the total distribution flow rate distributed by all the schedulers to the first video server in the preset time period, and in k preset time periods before the preset time period, the actual total access flow of the first video server and the total distribution flow distributed by all the schedulers in each preset time period bring the training parameter data into the training model to obtain the predicted total access flow of the first video server in the preset time period, determining whether the first video server has an illegal access request within a preset time period by comparing an actual total access traffic of the first video server with a predicted total access traffic, and when the actual total access flow of the first video server is larger than the predicted total access flow and the difference value between the actual total access flow and the predicted total access flow of the first video server exceeds a threshold value, judging that the first video server has an illegal access request within a preset time period. Therefore, the invention can determine whether the video server has the illegal access request when the illegal access request is not obvious, thereby improving the safety of the video server.
It should be noted that, in order to ensure the accuracy of the predicted total access flow obtained by using the training model, for a video server in which an illegal access request occurs, the access flow of the video server can be predicted again after k preset time periods after the operation and maintenance staff have processed the illegal access request.
To further optimize the above embodiment, the detection method may further include:
and when a second video server with actual total access flow larger than the total distribution flow exists, judging that an illegal access request occurs in the second video server within a preset time period, wherein the second video server is one of the video servers.
It should be noted that, in a normal situation, before a client needs to download a video file from a video server, a query request needs to be sent to the scheduler first, the scheduler allocates a video server to the client according to information such as policy configuration and user IP, and then the client sends an access request to the video server allocated by the scheduler to download the video file from the video server. And the access request sent by the client to the video server directly by bypassing the scheduler through a series of methods can be regarded as an illegal access request. When the video server has an illegal access request, the situation that the client bypasses the scheduler and directly sends the access request to the video server exists at the moment is indicated. When the access amount of the illegal access request is large, the actual total access flow of each video server in the preset time period is larger than the total distribution flow distributed by all the schedulers in the preset time period, so that for the situation, it can be determined that the video server has the illegal access request and needs to be processed by operation and maintenance personnel.
To further optimize the above embodiment, the detection method may further include:
and comparing the actual total access flow of the first video server with the predicted total access flow, and judging that the first video server has no illegal access request within a preset time period when the actual total access flow of the first video server is not more than the predicted total access flow or the difference value between the actual total access flow of the first video server and the predicted total access flow of the first video server does not exceed a threshold value.
As can be known from the above discussion, the predicted total access traffic refers to traffic in which an illegal access request does not occur in the first video server within a preset time period, and when an illegal access request does not occur in the first video server within the preset time period, the actual total access traffic of the first video server is not increased, so that when it is determined that the actual total access traffic of the first video server is not greater than the predicted total access traffic or that a difference between the actual total access traffic of the first video server and the predicted total access traffic does not exceed a threshold, it may be determined that an illegal access request does not occur in the first video server within the preset time period.
It should be noted that, when it is determined that the first video server does not have the illegal access request within the preset time period, the training model may be trained by using the actual total access traffic and the training parameter data of the first video server as training parameters to obtain an updated training model, where the training parameter data includes: the total allocation flow rate allocated by all the schedulers to the first video server in the preset time period, and the actual total access flow rate of the first video server and the total allocation flow rate allocated by all the schedulers in each preset time period in a plurality of preset time periods before the preset time period.
Corresponding to the embodiment of the method, the invention also discloses a device for detecting the illegal access request.
Referring to fig. 4, a schematic structural diagram of a detection apparatus for an illegal access request according to an embodiment of the present invention is disclosed, the detection apparatus is applied to a central control server, and the central control server is respectively connected to a plurality of schedulers and a plurality of video servers, and in particular, referring to fig. 1, the detection apparatus includes: a judgment unit 301, a first acquisition unit 302, a predicted total access flow calculation unit 303, and a first judgment unit 304;
specifically, the method comprises the following steps:
a determining unit 301, configured to determine whether an actual total access flow of each video server in a preset time period is greater than a total allocation flow allocated by all schedulers in the preset time period;
it should be noted that, in a normal situation, before a client needs to download a video file from a video server, a query request needs to be sent to the scheduler first, the scheduler allocates a video server to the client according to information such as policy configuration and user IP, and then the client sends an access request to the video server allocated by the scheduler to download the video file from the video server. And the access request sent by the client to the video server directly by bypassing the scheduler through a series of methods can be regarded as an illegal access request. When the video server has an illegal access request, the situation that the client bypasses the scheduler and directly sends the access request to the video server exists at the moment is indicated. When the access amount of the illegal access request is large, the actual total access flow of each video server in the preset time period is larger than the total distributed flow allocated by all the schedulers in the preset time period, so that for the situation, it is easy to determine that the illegal access request occurs to the video server.
However, due to the existence of the P2P (Peer-to-Peer) system, the actual total access traffic of the video server may be lower than the traffic allocated by the scheduler to the video server, when the access volume of the illegal access request is relatively small, the actual total access traffic of the video server in the preset time period may not be greater than the total allocated traffic allocated by all schedulers in the preset time period, in this case, it may not be easy to determine whether the illegal access request occurs to the video server, and the embodiment mainly provides a detection device for the illegal access request.
The specific value of the preset time may be determined according to actual needs, such as 1 minute, and the present invention is not limited herein.
A first obtaining unit 302, configured to obtain, when there is a first video server whose actual total access traffic is not greater than a total allocation traffic, the actual total access traffic and training parameter data of the first video server in the preset time period of the first video server;
for convenience of description, the definition of the video server with the actual total access traffic not greater than the total allocation traffic in this step is as follows: a first video server, which is one of the plurality of video servers 13 in the embodiment shown in fig. 1.
The training parameter data in this step refers to: and the data of the corresponding target variable can be obtained by waiting for a training model obtained by pre-training. The training parameter data may include: the total allocation flow allocated by all the schedulers to the first video server in the preset time period, and the actual total access flow of the first video server and the total allocation flow allocated by all the schedulers in each preset time period in k preset time periods before the preset time period, wherein k is a positive integer.
In the invention, the actual total access flow of each first video server in each preset time period is taken as a target variable, so that the function of the training model is as follows: the method for predicting the possible total access flow of the first video server in the preset time period according to the total allocated flow allocated by the scheduler to the first video server in the preset time period and the related information of k preset times before the preset time period can be called as follows: and predicting the total access flow, comparing the predicted total access flow with the actual total access flow, and determining whether the first video server has an illegal access request within a preset time period according to a comparison result.
A predicted total access traffic calculation unit 303, configured to substitute the training parameter data into a pre-obtained training model to obtain a predicted total access traffic of the first video server in the preset time period;
it will be appreciated that the training model first needs to be built before the training parameter data is brought into the pre-derived training model.
Referring to fig. 5, a schematic structural diagram of an apparatus for building a training model according to an embodiment of the present invention includes:
a second obtaining unit 401, configured to obtain training data required for establishing a training model before the predicted total access traffic of the first video server in the preset time period is obtained by substituting the training parameter data into a pre-obtained training model in the predicted total access traffic calculating unit 303;
the second obtaining unit 401 specifically includes: acquiring subunits and screening subunits;
the acquisition subunit is used for acquiring original training data required by establishing a training model from a plurality of schedulers and a plurality of video servers;
specifically, the obtaining subunit is configured to:
(1) acquiring flow information of each scheduler, wherein the flow information comprises: and in a preset time period, the scheduler allocates the IP addresses of the video servers and the corresponding total allocation flow to the users.
(2) In practical application, the IP addresses of the video servers and the corresponding total allocated traffic may be represented in a form of a corresponding relationship, such as a list, where the list includes: the IP address of the video server and the corresponding total allocated traffic.
(3) And acquiring the actual total access flow fed back by each video server within a preset time period. When each video server serves the user, the access flow is recorded in real time, the access flows in the preset time period are added every other preset time period to obtain the total access flow, and the total access flow is sent to the central control server. It should be noted that, when recording the access traffic, the video server may use the form of recording the number of bytes sent to the user.
(4) And in a preset time period, the actual total access flow of each video server and the total distribution flow distributed by all the schedulers are correlated through the same IP address to obtain original training data. The actual total access traffic of the video server and the total allocated traffic allocated by all schedulers, which are associated by the same IP address, can be represented in the form of a table.
It should be noted that, in practical applications, the raw training data obtained in (4) may be used as the data required for building the training model.
Those skilled in the art will appreciate that the more accurate the training data used to build the training model, the more reliable the resulting training model.
In order to improve the reliability of the established training model, after the original training data are obtained, the original training data are firstly screened according to the screening condition for detecting the illegal access request, the data which are determined to have the illegal access request in the preset time period are filtered, and the rest original training data are used as the training data. The preset condition for detecting an illegal access request refers to a condition that a person skilled in the art can directly and unambiguously determine that an illegal access request occurs to a video server in a preset time period from other channels according to practical experience, for example, if a link stealing behavior of a certain video server occurs in a certain preset time period through a mode other than the method disclosed by the invention, the total access traffic data of the video server in the preset time period, the total distribution traffic data distributed by all schedulers in the preset time period, and related data thereof are filtered.
The preset screening condition for detecting the illegal access request may be determined according to actual needs, and the present invention is not limited herein.
Therefore, the screening subunit is configured to screen the original training data according to a preset screening condition for detecting an illegal access request, filter all traffic-related data in which the illegal access request exists within the preset time period, and use the remaining original training data as the training data.
A target variable selection unit 402, configured to select, from the training data, an actual total access flow of the first video server to be detected within the preset time period from a time t as a target variable of the training model, where t is a positive integer;
a training model obtaining unit 403, configured to train the target variable and the feature value to obtain the training model, where the feature value includes: and in the training data, the total distributed flow rate distributed to the first video server by all the schedulers within the preset time period from the time t is, and the actual total access flow rate of the first video server and the total distributed flow rate distributed by all the schedulers within each preset time period in a plurality of continuous preset time periods before the preset time period from the time t.
For a specific process of obtaining the training model by the training model obtaining unit 403, please refer to the corresponding parts of the method embodiments, which are not described herein again.
A first determining unit 304, configured to compare an actual total access traffic of the first video server with the predicted total access traffic, and determine that an illegal access request occurs in the first video server within the preset time period when the actual total access traffic of the first video server is greater than the predicted total access traffic and a difference between the actual total access traffic of the first video server and the predicted total access traffic exceeds a threshold.
Based on the above discussion, the predicted total access traffic in this embodiment refers to traffic in which an illegal access request does not occur in the first video server within a preset time period, and when an illegal access request occurs in the first video server within the preset time period, the actual total access traffic of the first video server is greatly increased, so that when it is determined that the actual total access traffic of the first video server within the preset time period of the first video server is greater than the predicted total access traffic, and a difference value between the actual total access traffic and the predicted total access traffic of the first video server exceeds a threshold value, it may be determined that an illegal access request occurs in the first video server within the preset time period.
The specific value of the threshold depends on the actual requirement, such as 15%, and the invention is not limited herein.
To sum up, when it is determined that the first video server having the actual total access traffic not greater than the total distributed traffic exists within the preset time period, the apparatus for detecting an illegal access request according to the present invention obtains the actual total access traffic of the first video server and training parameter data of the first video server within the preset time period, where the training parameter data includes: the total distribution flow rate distributed by all the schedulers to the first video server in the preset time period, and in k preset time periods before the preset time period, the actual total access flow of the first video server and the total distribution flow distributed by all the schedulers in each preset time period bring the training parameter data into the training model to obtain the predicted total access flow of the first video server in the preset time period, determining whether the first video server has an illegal access request within a preset time period by comparing an actual total access traffic of the first video server with a predicted total access traffic, and when the actual total access flow of the first video server is larger than the predicted total access flow and the difference value between the actual total access flow and the predicted total access flow of the first video server exceeds a threshold value, judging that the first video server has an illegal access request within a preset time period. Therefore, the invention can determine whether the video server has the illegal access request when the illegal access request is not obvious, thereby improving the safety of the video server.
It should be noted that, in order to ensure the accuracy of the predicted total access flow obtained by using the training model, for a video server in which an illegal access request occurs, the access flow of the video server can be predicted again after k preset time periods after the operation and maintenance staff have processed the illegal access request.
To further optimize the above embodiment, the detecting device may further include:
and a second determining unit, configured to determine that an illegal access request occurs to a second video server within the preset time period when there is a second video server having an actual total access traffic that is greater than a total distributed traffic, where the second video server is one of the plurality of video servers.
It should be noted that, in a normal situation, before a client needs to download a video file from a video server, a query request needs to be sent to the scheduler first, the scheduler allocates a video server to the client according to information such as policy configuration and user IP, and then the client sends an access request to the video server allocated by the scheduler to download the video file from the video server. And the access request sent by the client to the video server directly by bypassing the scheduler through a series of methods can be regarded as an illegal access request. When the video server has an illegal access request, the situation that the client bypasses the scheduler and directly sends the access request to the video server exists at the moment is indicated. When the access amount of the illegal access request is large, the actual total access flow of each video server in the preset time period is larger than the total distribution flow distributed by all the schedulers in the preset time period, so that for the situation, it can be determined that the video server has the illegal access request and needs to be processed by operation and maintenance personnel.
To further optimize the above embodiment, the detecting device may further include:
a third determining unit, configured to determine that an illegal access request does not occur to the first video server within the preset time period when an actual total access traffic of the first video server is not greater than the predicted total access traffic, or a difference between the actual total access traffic of the first video server and the predicted total access traffic does not exceed a threshold.
As can be known from the above discussion, the predicted total access traffic refers to traffic in which an illegal access request does not occur in the first video server within a preset time period, and when an illegal access request does not occur in the first video server within the preset time period, the actual total access traffic of the first video server is not increased, so that when it is determined that the actual total access traffic of the first video server is not greater than the predicted total access traffic or that a difference between the actual total access traffic of the first video server and the predicted total access traffic does not exceed a threshold, it may be determined that an illegal access request does not occur in the first video server within the preset time period.
It should be noted that, when it is determined that the first video server does not have the illegal access request within the preset time period, the actual total access traffic of the first video server may also be used as a training parameter to train and perfect the training model.
Therefore, the detection device may further include:
a training perfecting unit, configured to train the training model using actual total access traffic and training parameter data of the first video server as training parameters to obtain an updated training model when it is determined that the first video server does not have an illegal access request within the preset time period, where the training parameter data includes: the total allocation flow rate allocated by all the schedulers to the first video server in the preset time period, and the actual total access flow rate of the first video server and the total allocation flow rate allocated by all the schedulers in each preset time period in a plurality of preset time periods before the preset time period.
To sum up, when it is determined that the first video server having the actual total access traffic not greater than the total distributed traffic exists within the preset time period, the apparatus for detecting an illegal access request according to the present invention obtains the actual total access traffic of the first video server and training parameter data of the first video server within the preset time period, where the training parameter data includes: the total distribution flow rate distributed by all the schedulers to the first video server in the preset time period, and in k preset time periods before the preset time period, the actual total access flow of the first video server and the total distribution flow distributed by all the schedulers in each preset time period bring the training parameter data into the training model to obtain the predicted total access flow of the first video server in the preset time period, determining whether the first video server has an illegal access request within a preset time period by comparing an actual total access traffic of the first video server with a predicted total access traffic, and when the actual total access flow of the first video server is larger than the predicted total access flow and the difference value between the actual total access flow and the predicted total access flow of the first video server exceeds a threshold value, judging that the first video server has an illegal access request within a preset time period. Therefore, the invention can determine whether the video server has the illegal access request when the illegal access request is not obvious, thereby improving the safety of the video server.
It should be noted that, for the working principle of each component in the device embodiment, please refer to the corresponding part of the method embodiment, which is not described herein again.
Corresponding to the embodiment of the detection device for the illegal access request, the invention also discloses a central control server which comprises the detection device for the illegal access request in the embodiment.
Correspondingly, the invention also discloses a video distribution system, the specific composition of the video distribution system is shown in fig. 1, wherein the central control server 11 in fig. 1 comprises a detection device for illegal access requests in the embodiment.
In summary, the present invention discloses a video distribution system, which includes: well accuse server, well accuse server includes: in the detection apparatus for an illegal access request, when the central control server determines that a first video server with actual total access traffic not greater than total distributed traffic exists in a preset time period, the central control server obtains the actual total access traffic of the first video server and training parameter data of the first video server in the preset time period, where the training parameter data includes: the total distribution flow rate distributed by all the schedulers to the first video server in the preset time period, and in k preset time periods before the preset time period, the actual total access flow of the first video server and the total distribution flow distributed by all the schedulers in each preset time period bring the training parameter data into the training model to obtain the predicted total access flow of the first video server in the preset time period, determining whether the first video server has an illegal access request within a preset time period by comparing an actual total access traffic of the first video server with a predicted total access traffic, and when the actual total access flow of the first video server is larger than the predicted total access flow and the difference value between the actual total access flow and the predicted total access flow of the first video server exceeds a threshold value, judging that the first video server has an illegal access request within a preset time period. Therefore, the invention can determine whether the video server has the illegal access request when the illegal access request is not obvious, thereby improving the safety of the video server.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (16)

1. A detection method for illegal access requests is applied to a central control server, and the central control server is respectively connected with a plurality of schedulers and a plurality of video servers, and the detection method comprises the following steps:
judging whether the actual total access flow of each video server in a preset time period is larger than the total distribution flow distributed by all schedulers in the preset time period;
when a first video server with actual total access flow not greater than total distribution flow exists, acquiring the actual total access flow and training parameter data of the first video server in the preset time period, wherein the training parameter data comprises: the total distributed flow quantity distributed to the first video server by all the schedulers in the preset time period, and the actual total access flow quantity of the first video server and the total distributed flow quantity distributed by all the schedulers in each preset time period in a plurality of preset time periods before the preset time period, wherein the first video server is one of the plurality of video servers;
substituting the training parameter data into a pre-obtained training model to obtain the predicted total access flow of the first video server in the preset time period;
comparing the actual total access flow of the first video server with the predicted total access flow, and when the actual total access flow of the first video server is greater than the predicted total access flow and the difference value between the actual total access flow of the first video server and the predicted total access flow exceeds a threshold value, determining that an illegal access request occurs in the first video server within the preset time period.
2. The detection method according to claim 1, further comprising:
and when a second video server with actual total access flow larger than total distribution flow exists, judging that an illegal access request occurs in the second video server within the preset time period, wherein the second video server is one of the video servers.
3. The detection method according to claim 1, before substituting the training parameter data into a pre-obtained training model to obtain the predicted total access traffic of the first video server in the preset time period, further comprising:
acquiring training data required for establishing the training model;
selecting the actual total access flow of the first video server to be detected within the preset time period at the moment of t from the training data as a target variable of the training model, wherein t is a positive integer;
training the target variable and the characteristic value to obtain the training model; the characteristic values include: and in the training data, all schedulers within the preset time period from the time t allocate total traffic to the first video server, and the actual total access traffic of the first video server and the total allocated traffic allocated by all the schedulers within each preset time period in a plurality of continuous preset time periods before the preset time period from the time t.
4. The detection method according to claim 3, wherein obtaining training data required to build the training model comprises:
acquiring original training data required for establishing the training model from a plurality of schedulers and a plurality of video servers;
and screening the original training data according to a preset screening condition for detecting the illegal access request, filtering data which is determined to have the illegal access request in the preset time period, and taking the data obtained after the original training data is filtered as the training data.
5. The detection method according to claim 4, wherein the process of obtaining the raw training data required for building the training model from the plurality of schedulers and the plurality of video servers comprises:
obtaining flow information of each scheduler, wherein the flow information comprises: in the preset time period, the scheduler allocates IP addresses of all video servers and corresponding total allocation flow to the users;
merging the flow information of all the schedulers to obtain the total distributed flow of the video server with the same IP address distributed by all the schedulers in the preset time period;
acquiring actual total access flow fed back by each video server within the preset time period;
and in the preset time period, the actual total access flow of each video server and the total distribution flow distributed by all the schedulers are correlated through the same IP address to obtain the original training data.
6. The detection method according to claim 1, further comprising:
when the actual total access flow of the first video server is not larger than the predicted total access flow, or when the actual total access flow of the first video server is larger than the predicted total access flow and the difference value between the actual total access flow of the first video server and the predicted total access flow does not exceed a threshold value, it is determined that the first video server has not generated an illegal access request within the preset time period.
7. The method according to claim 6, wherein when it is determined that the first video server has not received an illegal access request within the preset time period, the method further comprises:
and training the training model by taking the actual total access flow and the training parameter data of the first video server as training parameters to obtain an updated training model.
8. An illegal access request detection device, which is applied to a central control server, wherein the central control server is respectively connected with a plurality of schedulers and a plurality of video servers, the detection device comprises:
the judging unit is used for judging whether the actual total access flow of each video server in a preset time period is larger than the total distribution flow distributed by all the schedulers in the preset time period;
a first obtaining unit, configured to obtain, when there is a first video server whose actual total access traffic is not greater than a total allocation traffic, actual total access traffic of the first video server in the preset time period and training parameter data, where the training parameter data includes: the total distributed flow quantity distributed to the first video server by all the schedulers in the preset time period, and the actual total access flow quantity of the first video server and the total distributed flow quantity distributed by all the schedulers in each preset time period in a plurality of preset time periods before the preset time period, wherein the first video server is one of the plurality of video servers;
the predicted total access flow calculation unit is used for substituting the training parameter data into a pre-obtained training model to obtain the predicted total access flow of the first video server in the preset time period;
a first determining unit, configured to compare an actual total access traffic of the first video server with the predicted total access traffic, and determine that an illegal access request occurs in the first video server within the preset time period when the actual total access traffic of the first video server is greater than the predicted total access traffic and a difference between the actual total access traffic of the first video server and the predicted total access traffic exceeds a threshold.
9. The detection device according to claim 8, further comprising:
and a second determining unit, configured to determine that an illegal access request occurs to a second video server within the preset time period when there is a second video server having an actual total access traffic that is greater than a total distributed traffic, where the second video server is one of the plurality of video servers.
10. The detection device of claim 8, further comprising:
a second obtaining unit, configured to obtain training data required for establishing the training model before the predicted total access traffic of the first video server in the preset time period is obtained by substituting the training parameter data into a pre-obtained training model by the predicted total access traffic calculating unit;
a target variable selecting unit, configured to select, from the training data, an actual total access flow of a first video server to be detected within the preset time period from a time t as a target variable of the training model, where t is a positive integer;
a training model obtaining unit, configured to train the target variable and the feature value to obtain the training model, where the feature value includes: and in the training data, all schedulers within the preset time period from the time t allocate total traffic to the first video server, and the actual total access traffic of the first video server and the total allocated traffic allocated by all the schedulers within each preset time period in a plurality of continuous preset time periods before the preset time period from the time t.
11. The detection apparatus according to claim 10, wherein the second obtaining unit specifically includes:
the acquisition subunit is used for acquiring original training data required for establishing the training model from the schedulers and the video servers;
and the screening subunit is used for screening the original training data according to a preset screening condition for detecting the illegal access request, filtering data determined to have the illegal access request in the preset time period, and taking the data obtained by filtering the original training data as the training data.
12. The detection apparatus according to claim 11, wherein the obtaining subunit is specifically configured to:
obtaining flow information of each scheduler, wherein the flow information comprises: in the preset time period, the scheduler allocates IP addresses of all video servers and corresponding total allocation flow to the users;
merging the flow information of all the schedulers to obtain the total distributed flow of the video server with the same IP address distributed by all the schedulers in the preset time period;
acquiring actual total access flow fed back by each video server within the preset time period;
and in the preset time period, the actual total access flow of each video server and the total distribution flow distributed by all the schedulers are correlated through the same IP address to obtain the original training data.
13. The detection device of claim 8, further comprising:
a third determining unit, configured to determine that an illegal access request does not occur in the first video server within the preset time period when an actual total access traffic of the first video server is not greater than the predicted total access traffic, or when the actual total access traffic of the first video server is greater than the predicted total access traffic and a difference between the actual total access traffic of the first video server and the predicted total access traffic does not exceed a threshold.
14. The detection device of claim 13, further comprising:
and the training perfecting unit is used for training the training model by taking the actual total access flow and the training parameter data of the first video server as training parameters when the first video server is judged not to have the illegal access request in the preset time period, so as to obtain the updated training model.
15. A central control server, characterized in that the central control server comprises the detection device according to any one of claims 8 to 14.
16. A video distribution system, comprising: the central control server, the plurality of schedulers, and the plurality of video servers of claim 15, wherein the central control server is coupled to the plurality of schedulers and the plurality of video servers, respectively.
CN201810474713.XA 2018-05-17 2018-05-17 Detection method and device for illegal access request, central control server and system Active CN108777805B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810474713.XA CN108777805B (en) 2018-05-17 2018-05-17 Detection method and device for illegal access request, central control server and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810474713.XA CN108777805B (en) 2018-05-17 2018-05-17 Detection method and device for illegal access request, central control server and system

Publications (2)

Publication Number Publication Date
CN108777805A CN108777805A (en) 2018-11-09
CN108777805B true CN108777805B (en) 2021-01-22

Family

ID=64027240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810474713.XA Active CN108777805B (en) 2018-05-17 2018-05-17 Detection method and device for illegal access request, central control server and system

Country Status (1)

Country Link
CN (1) CN108777805B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111585940B (en) * 2019-02-18 2021-12-17 华为技术有限公司 Resource management method and related equipment thereof
CN110011977B (en) * 2019-03-07 2021-07-27 北京华安普特网络科技有限公司 Website security defense method
CN113556372B (en) * 2020-04-26 2024-02-20 浙江宇视科技有限公司 Data transmission method, device, equipment and storage medium
CN113240486A (en) * 2021-05-10 2021-08-10 北京沃东天骏信息技术有限公司 Traffic distribution method and device in search scene

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850645A (en) * 2017-02-18 2017-06-13 许昌学院 A kind of system and method for detecting invalid access to computer network

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4295130B2 (en) * 2004-02-24 2009-07-15 株式会社日立製作所 Traffic information system
EP1691539A1 (en) * 2005-02-15 2006-08-16 European Central Bank Two-dimensional security pattern that can be authenticated with one-dimensional signal processing
CN101826996B (en) * 2010-03-19 2012-05-23 中国科学院计算机网络信息中心 Domain name system flow detection method and domain name server
CN103096415B (en) * 2013-01-15 2015-04-22 东北大学 Route optimizing device and method catering to perceive wireless mesh network
WO2015116047A1 (en) * 2014-01-29 2015-08-06 Hewlett-Packard Development Company, L.P. Predictive analytics utilizing real time events
CN105788249B (en) * 2014-12-16 2018-09-28 高德软件有限公司 A kind of traffic flow forecasting method, prediction model generation method and device
US9384645B1 (en) * 2015-01-20 2016-07-05 Elwha Llc System and method for impact prediction and proximity warning
CN107135125B (en) * 2017-05-17 2020-04-21 北京奇艺世纪科技有限公司 Video IDC bandwidth flow prediction method and device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850645A (en) * 2017-02-18 2017-06-13 许昌学院 A kind of system and method for detecting invalid access to computer network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于动态闽值的网络流量异常检测方法研究与实现;李中魁;《中国优秀硕士学位论文全文数据库 信息科技辑》;20110315(第3期);全文 *

Also Published As

Publication number Publication date
CN108777805A (en) 2018-11-09

Similar Documents

Publication Publication Date Title
CN108777805B (en) Detection method and device for illegal access request, central control server and system
CN109005085B (en) Service availability monitoring system, method, device and equipment
CN110233860B (en) Load balancing method, device and system
CN108183950B (en) Method and device for establishing connection of network equipment
WO2009082278A1 (en) Method and apparatus for providing differentiated service levels in a communication network.
WO2021237826A1 (en) Traffic scheduling method, system and device
CN111614473B (en) Method, device and system for determining IDC (Internet data center) available at highest bandwidth and electronic equipment
CN105162875B (en) Big data group method for allocating tasks and device
CN107426241B (en) Network security protection method and device
CN108184149B (en) Video CDN scheduling optimization method and device
WO2016109916A1 (en) Quality of experience (qoe) prediction apparatus, network device and method
CN112015557A (en) Resource adjusting method and device and server
CN102883193A (en) Content distribution flow control method
US20080031148A1 (en) Prevention of protocol imitation in peer-to-peer systems
CN108322495B (en) Method, device and system for processing resource access request
KR101315177B1 (en) Method on Patent Information Processing for Producing Score of Convergence Index Elements
CN103955846B (en) The control method and device of multiple terminal intelligent feedbacks are controlled in information processing system
CN107733805B (en) Service load scheduling method and device
CN108600147B (en) Downloading speed prediction method and device
JP2018084986A (en) Server device, program, and communication system
CN106357445B (en) A kind of user experience monitoring method and monitoring server
CN108055596B (en) Method and system for guaranteeing specific user flow
CN110007940B (en) Gray scale release verification method, system, server and readable storage medium
CN116647505A (en) User traffic dynamic management method and system
CN107071014B (en) Resource adjusting method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant