CN110099051B - Detection method and device for stuck risk and electronic equipment - Google Patents


Publication number
CN110099051B
Authority
CN
China
Prior art keywords
protocol data
user
data packet
risk
data packets
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910337506.4A
Other languages
Chinese (zh)
Other versions
CN110099051A (en)
Inventor
曹飞
殷赵辉
盛子骁
谢能淳
宋青原
卢正军
彭青白
胡和君
何小龙
许云清
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Tencent Domain Computer Network Co Ltd
Original Assignee
Shenzhen Tencent Domain Computer Network Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Tencent Domain Computer Network Co Ltd
Priority to CN201910337506.4A
Publication of CN110099051A
Application granted
Publication of CN110099051B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0882 Utilisation of link capacity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention provides a stuck risk detection method, a stuck risk detection device and electronic equipment. The method comprises the following steps: acquiring a preset number of protocol data packets according to a time sequence; determining target time information according to the starting time point and the ending time point of the preset number of protocol data packets; and detecting whether a stuck risk exists according to the target time information. On the one hand, because the stuck risk is detected according to the total number of all operation protocols, the method is widely applicable and avoids the incomplete detection coverage and detection lag caused by detecting stuck conditions according to the frequency of a single operation; on the other hand, it avoids the problem that the defense against attacks fails when the stuck risk is checked per unit of time, and improves the accuracy of the detection result.

Description

Detection method and device for stuck risk and electronic equipment
Technical Field
The invention relates to the technical field of computers, in particular to a stuck risk detection method, a stuck risk detection device and electronic equipment.
Background
With the rapid development of mobile terminals, more and more users use mobile terminals such as smart phones and tablet computers to perform various operations, such as browsing information, watching videos and playing games. When a user uses a mobile terminal, the fluency of the picture is an important performance index.
Taking game operation as an example, some malicious users usually cause game clients of all players in the same virtual room, the same game server or the same game channel to be stuck or dead through a certain technical means, so that the normal game process of other people is influenced, and the user experience is reduced.
In view of the above, there is a need in the art to develop a new method for detecting stuck risk.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present application and therefore may include information that does not constitute prior art known to a person of ordinary skill in the art.
Disclosure of Invention
The embodiment of the invention provides a stuck risk detection method, a stuck risk detection device and electronic equipment, so that stuck risks can be detected timely and comprehensively at least to a certain extent, the occurrence of a stuck phenomenon is avoided, and user experience is improved.
Additional features and advantages of the invention will be set forth in the detailed description which follows, or may be learned by practice of the invention.
According to an aspect of the embodiments of the present invention, there is provided a method for detecting a stuck risk, including: acquiring a preset number of protocol data packets according to a time sequence; determining target time information according to the starting time point and the ending time point of the preset number of protocol data packets; and detecting whether a stuck risk exists according to the target time information.
According to an aspect of an embodiment of the present invention, there is provided a detection apparatus for a stuck risk, including: a data packet acquisition module, used for acquiring a preset number of protocol data packets according to a time sequence; a time information determining module, used for determining target time information according to the starting time point and the ending time point of the preset number of protocol data packets; and a risk detection module, used for detecting whether a stuck risk exists according to the target time information.
In some embodiments of the present invention, based on the foregoing scheme, the preset number is determined according to the number of protocol data packets received in a unit time and the number of protocol data packets received in the unit time after being blocked by network fluctuation.
In some embodiments of the present invention, based on the foregoing solution, the risk detection module is configured to: compare the target time information with a unit time; when the target time information is smaller than the unit time, determine that a stuck risk exists; and when the target time information is equal to or larger than the unit time, determine that no stuck risk exists.
In some embodiments of the present invention, based on the foregoing solution, the packet obtaining module includes: an identification information obtaining unit, configured to obtain user identification information after obtaining each protocol data packet; a login state judgment unit for judging the user login state according to the user identification information; and the numbering unit is used for numbering each acquired protocol data packet according to the user login state so as to acquire the preset number of protocol data packets.
In some embodiments of the present invention, based on the foregoing solution, the login status determination unit is configured to: acquiring a final user login state corresponding to the user identification information and stored in a database according to the user identification information; if the final user login state is offline, judging that the current user login state is a new login user; and if the final user login state is online, judging that the current user login state is an online user.
In some embodiments of the present invention, based on the foregoing scheme, the numbering unit comprises: the first numbering subunit is used for taking the currently acquired protocol data packet as a first protocol data packet and numbering the first protocol data packet when the user login state is a new login user; and the second numbering subunit is used for updating the number of the currently acquired protocol data packet based on the number of the adjacent protocol data packet when the user login state is the online user until the preset number of protocol data packets are acquired.
In some embodiments of the invention, the first protocol data packet has an initial number value; based on the foregoing scheme, the second numbering subunit is configured to: add one to the number of the adjacent protocol data packet to determine the number of the currently acquired protocol data packet; subtract the initial number value from the number of the currently acquired protocol data packet and add one to obtain a target value; and if the target value is the same as the preset number, determine that the preset number of protocol data packets have been acquired.
In some embodiments of the present invention, based on the foregoing solution, the apparatus for detecting a stuck risk further includes: and the resetting module is used for resetting the number of the last protocol data packet corresponding to the termination time point to the initial number value after the protocol data packets with the preset number are obtained, so that the last protocol data packet is used as a first protocol data packet for next detection, and the termination time point is used as a starting time point for next detection.
According to an aspect of an embodiment of the present invention, there is provided an electronic apparatus including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of detecting a stuck risk as described in the embodiments above.
In the technical solutions provided in some embodiments of the present invention, a preset number of protocol data packets are obtained according to a time sequence, target time information is determined according to the starting time point and the ending time point corresponding to the obtained preset number of protocol data packets, and whether a stuck risk exists is then determined according to the target time information. According to the technical scheme of the embodiment of the invention, on the one hand, the stuck risk can be detected according to the total number of all protocol data packets, so the method is widely applicable and avoids the incomplete detection coverage and detection lag caused by detecting stuck conditions according to the frequency of a single operation; on the other hand, it avoids the problem that the defense against attacks fails when the stuck risk is checked per unit of time, and improves the accuracy of the detection result.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 shows a schematic diagram of an exemplary system architecture to which aspects of embodiments of the invention may be applied;
FIG. 2 is a schematic diagram showing the structure of traffic cleaning in the related art;
FIG. 3 schematically shows an interaction flow diagram of game operations in the related art;
FIG. 4 schematically shows a flow diagram of a method of detection of a stuck risk according to an embodiment of the invention;
FIG. 5 schematically illustrates a flow diagram for detection of stuck risk according to one embodiment of the invention;
FIG. 6 is a schematic diagram illustrating a flow of acquiring a preset number of protocol packets by a server according to an embodiment of the present invention;
FIG. 7 schematically illustrates a flow diagram for numbering protocol packets according to an embodiment of the invention;
FIG. 8 is a schematic diagram illustrating a process flow for sending protocol packets to an online user according to one embodiment of the invention;
FIG. 9 schematically shows a block diagram of a detection arrangement of a stuck risk according to an embodiment of the invention;
FIG. 10 schematically shows a block diagram of a detection arrangement of a stuck risk according to an embodiment of the invention;
FIG. 11 illustrates a schematic structural diagram of a computer system suitable for use with the electronic device to implement an embodiment of the invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations or operations have not been shown or described in detail to avoid obscuring aspects of the invention.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the technical solution of the embodiments of the present invention can be applied.
As shown in fig. 1, the system architecture 100 may include a terminal device (e.g., one or more of the smart phone 101, the tablet computer 102, and the portable computer 103 shown in fig. 1, but may also be a terminal device having a display screen such as a desktop computer), a network 104, and a server 105. The network 104 serves as a medium for providing communication links between terminal devices and the server 105. Network 104 may include various connection types, such as wired communication links, wireless communication links, and so forth.
It should be understood that the number of terminals, networks, and servers in fig. 1 are merely illustrative. There may be any number of terminals, networks, and servers, as desired for an implementation. For example, server 105 may be a server cluster comprised of multiple servers, or the like.
In an embodiment of the present invention, a user may use the terminal device 101 (or the terminal device 102 or 103) to send protocol data packets to the server 105. A protocol data packet may be a data packet that the terminal device 101 is triggered to send to the server 105 when the user interacts with it; for example, the user performs a game operation through the terminal device 101, such as a shooting operation, a mounting operation or a jumping operation, and when the user triggers a specific operation the server 105 receives the corresponding protocol data packet sent by the terminal device 101. After the server 105 has received the preset number of protocol data packets, target time information may be determined according to the starting time point and the ending time point of receiving them, and whether the system has a stuck risk may then be detected according to the target time information. Specifically, the target time information may be compared with a unit time, where the unit time is the theoretical time needed to receive the preset number of protocol data packets: if the target time information is less than the unit time, it may be determined that a stuck risk exists, and if the target time information is greater than or equal to the unit time, it may be determined that no stuck risk exists. According to the technical scheme of the embodiment of the invention, on the one hand, whether a stuck risk exists can be verified according to the total number of all protocol data packets rather than according to the frequency of a single operation, which improves the universality and timeliness of stuck risk detection; on the other hand, the problem that the defense against attacks fails when verification is based on a unit of time is avoided, further improving the user experience.
It should be noted that the method for detecting the stuck risk provided by the embodiment of the present invention is generally executed by the server 105, and accordingly, the device for detecting the stuck risk is generally disposed in the server 105. However, in other embodiments of the present invention, the terminal may also have functions similar to those of the server, so as to execute the stuck risk detection scheme provided by the embodiments of the present invention.
In the related art, taking a stuck game as an example, game developers generally focus on gameplay during development and pay little attention to security, so most games have security problems to a greater or lesser degree. Room-stuck and server-stuck attacks are a form of denial of service attack (DDOS attack): a room-stuck attack uses certain technical means to make the game clients of all players in the same virtual room stuck or dead, and a server-stuck attack uses certain technical means to make the game clients of all players in the same game server or the same game channel stuck or dead, in both cases in order to disrupt other players' normal games. A conventional DDOS attack generally takes the form of a traffic attack, in which the attack traffic occupies the bandwidth so that the attack target cannot serve normal users. A traffic-type DDOS attack has the typical characteristic of a rapid rise in network traffic, and professional security products are generally used to deal with traffic-type DDOS attacks.
For a DDOS of a traffic attack type, traffic analysis and traffic cleaning may be performed on a core router layer, and fig. 2 shows a schematic structural diagram of traffic cleaning, where, as shown in fig. 2, normal traffic and attack traffic enter a cleaning center through a backbone network of an operator at the same time, a cleaning server of the cleaning center may analyze traffic data, distinguish normal traffic from abnormal traffic, filter the abnormal traffic, send the normal traffic to a core router according to a border gateway protocol, and forward the normal traffic to an attacked client network, thereby ensuring that a client is not affected by congestion.
However, in the game industry there is a new DDOS attack mode, generally implemented with protocols that have a high performance cost, in which the change in traffic is not obvious. Specifically, some operations in a game consume a large amount of game server or client performance; such operations do no harm to the game if they are evenly distributed over a long period of time, but if thousands of them are received in a short time the game client or the server becomes stuck, which achieves the purpose of preventing other people from playing the game normally. Because the protocols sent in this attack mode are not obviously different from normal operations, no abnormality can be found by analyzing traffic data at the core router layer, and traditional anti-DDOS products can do nothing against this special attack. At present, numerous games such as DNF, runaway and dance are disturbed by malicious tools such as server-stuck tools, which has caused a great number of player complaints.
In addition, during a game, a client may become stuck because a player frequently sends operation behavior data packets with a large performance cost. Fig. 3 shows an interaction flowchart of game operations. As shown in fig. 3, the client of player A is Client A, the client of player B is Client B, the operation behavior of player A is mounting, the operation behavior of player B is dismounting, and the operation behavior of player A precedes that of player B. First, player A sends a mounting operation request protocol to the server through Client A; after receiving it, the server synchronizes the operation request protocol to Client A, Client B and the clients of all other people nearby, the other clients render a response after receiving the synchronization information from the server, and once the mounting operation has been rendered all players can see on their respective game clients that player A has mounted. Then, player B sends a dismounting operation request protocol to the server through Client B; after receiving it, the server synchronizes the operation request protocol to Client A, Client B and the clients of all other people nearby, the other clients render a response after receiving the synchronization information from the server, and once the dismounting operation has been rendered all players can see on their respective game clients that player B has dismounted. In the game, each player operation involves loading and unloading many resources and file input and output operations, so it consumes a lot of system resources; if the operations are infrequent the player does not notice, but if they are too frequent the effect is obvious and the client may even become stuck.
When a player wants to cause disruption, the player may bypass the limits of the client, select some of the operations with the largest resource consumption, and frequently send operation behavior data packets with a large performance cost at the packet-sending point of the game's bottom layer, so that surrounding players receive a large number of operation requests in a short time, system resources are exhausted while the game client processes the requests, and the client becomes stuck.
To avoid the above stuck risk, the server usually limits the operation frequency, but if the strategy for limiting the operation frequency is unreasonable, attacks may be misjudged, attacks may be missed, and the defense may be ineffective. Attack misjudgment: in a normal game the network can become congested; when the network fluctuates, some game data packets are blocked, and when the network recovers the previously blocked data packets are sent together, which interferes with attack detection, and if the detection logic is unreasonable the effect of the network fluctuation is detected as an attack. Missed attacks: among the many operations, dozens may cause high performance consumption, and a room-stuck or server-stuck attack can easily be carried out with the operation request protocol of any one of them. Ineffective defense: when the number of received protocols is checked per unit of time, too short a unit time easily leads to misjudgment, so the minimum statistical time interval for per-unit-time detection is 3 s. However, too long an interval brings a new problem: an attacker can send hundreds of thousands of attack operations within 3 s, the attack operations sent within the unit time already have enough influence on the attack target, and the attacked client is stuck before the detection logic has been executed.
In view of the problems in the related art, the embodiments of the present invention first provide a method for detecting a stuck risk, which can be used for detecting any game stuck risk, device stuck risk, program stuck risk, and the like, and the details of implementation of the technical solution of the embodiments of the present invention are described in detail below by taking the detection of the stuck risk in a game as an example:
Fig. 4 schematically shows a flow chart of a detection method of a stuck risk according to an embodiment of the present invention, which may be performed by a server, which may be the server shown in fig. 1. Referring to fig. 4, the method for detecting the stuck risk at least includes steps S410 to S430, which are described in detail as follows:
In step S410, a preset number of protocol packets are acquired in time order.
In an embodiment of the present invention, a user logs in a game platform through a terminal device 101 (or terminal devices 102 and 103), and enters a game homepage by inputting information such as a user name and a password in a login interface, and after entering the game homepage, the user can start a game according to an actual situation, for example, for a chess and card game, the user can select to enter a game room with an empty position to play the game; for a shooting type game, the users may first form a team and then start the game, or may start the game directly without forming a team, and so on.
In one embodiment of the invention, when a user plays a game, the user can click a function key to produce the corresponding game effect. When a user performs a game operation, essentially all client operations are relayed through the game server: the terminal device 101 receives and responds to the user's trigger operation and sends a corresponding protocol data packet to the server 105, and after receiving the protocol data packet the server 105 synchronizes it to the clients of all players, so that those clients render according to the protocol data packet and the corresponding game effect is presented in the display interface. During the game, the server 105 receives the protocol data packets sent by each user in time order. In the embodiment of the present invention, the server 105 may obtain a preset number of protocol data packets in time order, and the preset number of protocol data packets may be treated as one protocol data packet unit.
In an embodiment of the present invention, the preset number corresponding to one protocol data packet unit may be set according to the minimum statistical time interval, the number of protocol data packets received per second, and the number of protocol data packets received per second after being blocked by network fluctuation; that is, the preset number is determined according to the number of protocol data packets received in unit time and the number of protocol data packets received in unit time after being blocked by network fluctuation. For example, if the minimum statistical time interval is set to 3 s and 60 protocol data packets are received per second, then 180 protocol data packets are received on average in 3 s; taking into account the effect of the network being blocked by fluctuation for 3 s, at most 360 protocol data packets are received in 3 s, so the preset number of protocol data packets is 360.
In step S420, target time information is determined according to the starting time point and the ending time point of the protocol data packets with the preset number.
In an embodiment of the present invention, after a preset number of protocol data packets are obtained, whether there is a stuck risk in the game may be determined according to the time consumed in receiving the preset number of protocol data packets. Specifically, the target time information may be determined according to the starting time point and the ending time point at which the preset number of protocol data packets are acquired. For example, if the starting time point of the obtained preset number of protocol data packets is time T1 and the ending time point is time T2, the target time information ΔT is obtained by subtracting the starting time point T1 from the ending time point T2, that is, ΔT = T2 - T1.
In step S430, whether there is a stuck risk is detected according to the target time information.
In an embodiment of the present invention, after the target time information is determined, stuck risk detection may be performed according to it. Fig. 5 shows a flowchart of the stuck risk detection. As shown in fig. 5, in step S501, the target time information is compared with the unit time; the unit time is the theoretical time corresponding to receiving the preset number of protocol data packets, for example 3 s. In step S502, when the target time information is less than the unit time, it is determined that there is a stuck risk in the game; with the number of protocol data packets fixed, a time spent acquiring the preset number of protocol data packets that is less than the unit time indicates that an attacker is frequently performing game operations and sending game instructions, that is, the game process has a stuck risk. In step S503, when the target time information is equal to or greater than the unit time, it is determined that there is no stuck risk; contrary to the case of step S502, when the time taken to acquire the preset number of protocol data packets is equal to or greater than the unit time theoretically needed to acquire them, no user is performing game operations too frequently, that is, there is no stuck risk in the game.
In an embodiment of the present invention, in the game process, the server 105 can receive a plurality of sets of protocol data packets with a preset number, and target time information corresponding to each set of protocol data packets with the preset number may be the same or different, so that multiple rounds of stuck risks can be detected according to the obtained plurality of sets of protocol data packets with the preset number, and timely feedback or processing is performed according to the detection result, thereby avoiding occurrence of stuck.
Fig. 6 is a schematic flowchart illustrating how the server acquires a preset number of protocol data packets. As shown in fig. 6, in step S601, a protocol data packet is received. In step S602, user identification information is acquired; during the game, the server 105 may obtain protocol data packets sent by multiple game clients, so to make it easier to identify and handle an attacking user performing malicious operations, after a protocol data packet is received, the user identification information corresponding to the game client that sent it may be obtained, where the user identification information may be information uniquely associated with a user account, such as a user ID or a user name. In step S603, the user login state is determined according to the user identification information; specifically, the final user login state that is stored in the database and corresponds to the user identification information can be acquired according to the user identification information, and the user login state is determined from it: when the final user login state is offline, the current user login state is determined to be a new login user; when the final user login state is online, the current user login state is determined to be an online user. In step S604, the obtained protocol data packets are numbered according to the user login state to obtain the preset number of protocol data packets.
In an embodiment of the present invention, in step S604, each received protocol data packet may be numbered according to the flowchart for numbering protocol data packets shown in fig. 7. As shown in fig. 7, in step S701, when the user login state is a new login user, the currently obtained protocol data packet is used as the first protocol data packet, and the first protocol data packet is numbered; in step S702, when the user login state is an online user, the number of the currently acquired protocol data packet is updated based on the number of the adjacent protocol data packet until the preset number of protocol data packets are acquired. In step S701, the first protocol data packet may be numbered with an Arabic numeral sequence number or an English letter sequence number, and a number formed from a combination of digits, letters, and characters may of course also be used. The data packets may also be numbered at preset intervals of digits or letters; for example, the number of the first protocol data packet is 1, the number of the second protocol data packet is 3, the number of the third protocol data packet is 5, and so on.
In an embodiment of the present invention, fig. 8 is a schematic diagram illustrating the processing flow for a protocol data packet sent by an online user. As shown in fig. 8, in step S801, the protocol data packet is numbered; when the user login state is determined to be an online user, the server 105 may number the received protocol data packets sequentially. In step S802, it is determined whether the number of received protocol data packets has reached the preset number; after each protocol data packet is numbered, the count of protocol data packets can be derived from the packet's number, and it is determined whether the count of obtained protocol data packets has reached the preset number. For example, if the preset number is 360, the number of the first protocol data packet is 0, and the numbers of adjacent protocol data packets increase by one each time, then when the server receives the protocol data packet numbered 359, it is determined that the preset number of protocol data packets have been received. In step S803, when the preset number of protocol data packets have not been received, the protocol data packet is processed normally. In step S804, when the preset number of protocol data packets have been received, the current time is obtained, and the target time information is determined according to the current time and the start time point corresponding to the first protocol data packet. In step S805, the number of the currently acquired protocol data packet is replaced with the start number value of the first protocol data packet, so that the currently acquired protocol data packet serves as the first protocol data packet of the next round of detection and the current time point serves as the start time point of the next round of detection.
In step S806, the relationship between the target time information and the unit time is determined, and a corresponding operation is performed according to the result; the method for determining the relationship between the target time information and the unit time is the same as the stuck risk detection process shown in fig. 5 and is not repeated here. When the target time information is less than the unit time, it is determined that a stuck risk exists in the game; the server 105 can then notify each user, through the display interface of the game client, that a stuck risk exists in the system, and stop processing the relevant protocol data packets, and can further take the attacking user who initiated the frequent operations offline, so as to avoid more serious stuck situations as far as possible. When the target time information is greater than or equal to the unit time, it is determined that no stuck risk exists in the game, and the received protocol data packets are processed normally.
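The per-user numbering and timing procedure of figs. 6 to 8, sketched as an added Python example that is not part of the patent text. The class and function names, the in-memory dictionary standing in for the login-state database, and the constructed trace (preset number 6, unit time 3 s) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class RoundResult:
    user_id: str
    delta_t: float     # target time information: T2 - T1
    stuck_risk: bool   # True when delta_t < unit_time (step S502)


@dataclass
class _UserState:
    number: int        # number given to the most recent packet
    start_time: float  # arrival time of the round's first packet (T1)


class StuckRiskDetector:
    """Hypothetical detector following steps S601-S604 and S801-S806."""

    def __init__(self, preset_number: int, unit_time: float,
                 start_number: int = 0):
        if preset_number < 2:
            raise ValueError("preset_number must be at least 2")
        self.preset_number = preset_number
        self.unit_time = unit_time
        self.start_number = start_number
        # Assumption: stands in for the login-state database.
        # A user with an entry is "online"; no entry means "offline".
        self._online: Dict[str, _UserState] = {}

    def logout(self, user_id: str) -> None:
        """Mark the user offline so the next packet starts a fresh round."""
        self._online.pop(user_id, None)

    def observe(self, user_id: str, now: float) -> Optional[RoundResult]:
        """Number one packet; return a verdict only when a round completes."""
        state = self._online.get(user_id)
        if state is None:
            # New login user (S701): this packet is the first packet.
            self._online[user_id] = _UserState(self.start_number, now)
            return None
        # Online user (S702): adjacent packet's number plus one.
        state.number += 1
        target = state.number - self.start_number + 1
        if target != self.preset_number:
            return None  # S803: round incomplete, process normally
        delta_t = now - state.start_time  # S804
        # S805: this packet becomes the first packet of the next round,
        # so every later round spans preset_number - 1 new packets.
        state.number = self.start_number
        state.start_time = now
        return RoundResult(user_id, delta_t, delta_t < self.unit_time)


def replay(detector: StuckRiskDetector,
           packets: Iterable[Tuple[str, float]]) -> List[RoundResult]:
    """Feed (user_id, arrival_time) pairs in order; collect round verdicts."""
    results = []
    for user_id, now in packets:
        verdict = detector.observe(user_id, now)
        if verdict is not None:
            results.append(verdict)
    return results


def constructed_trace() -> List[Tuple[str, float]]:
    """Constructed sample: one paced client and one flooding client."""
    normal = [("player-normal", i * 0.75) for i in range(6)]
    flood = [("player-flood", i * 0.25) for i in range(11)]
    return sorted(normal + flood, key=lambda p: p[1])


if __name__ == "__main__":
    for r in replay(StuckRiskDetector(6, 3.0), constructed_trace()):
        print(r)
```

Because state is keyed by user identification information, the paced client is never flagged even though its packets are interleaved with the flooding client's.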
The above embodiment describes detecting the stuck risk in a game according to the relationship between the time consumed in acquiring the preset number of protocol data packets and the unit time. The stuck risk detection method of the embodiment of the present invention may of course also be applied to other scenarios, such as a stuck program or a stuck device, where detection by this method improves detection coverage and timeliness, counters attacks effectively, and further improves the user experience.
Taking stuck risk detection for a terminal device as an example, the server 105 may receive an operation behavior data packet sent by the terminal device 101 in response to the user's operation behavior, and obtain the user identification information entered by the user on the terminal device; for example, the terminal device is a detection and analysis instrument, and the user can use it to perform detection and analysis only after entering a job number and password. The server 105 then determines from the user identification information whether the user is a new login user. If the user is a new login user, the number of the currently acquired operation behavior data packet is set to a start number value such as 0 or 1, and the time at which the operation behavior data packet was acquired is taken as the start time point. If the user login state is an online user, the currently acquired operation behavior data packet is numbered according to the number of the adjacent operation behavior data packet, and it is determined whether the number of received operation behavior data packets has reached the preset number. When the number of acquired operation behavior data packets has not reached the preset number, the server 105 executes the received operation behavior data packet normally. When the number of acquired operation behavior data packets reaches the preset number, the current time point is taken as the end time point, and whether the user's operation is an attack operation is determined according to the relationship between the unit time and the time difference between the end time point and the start time point; if the operation is determined to be an attack operation, a shutdown procedure is started and any operation by the user is prohibited; if the operation is determined not to be an attack operation, the received operation behavior data packet is executed normally. Furthermore, the end time point can be used as the start time point of the next round of detection, and the number of the currently acquired operation behavior data packet is updated to the start number value, so as to perform the next round of stuck risk detection.
The technical solution of the embodiment of the present invention avoids the incomplete detection coverage and detection lag caused by relying on a limit on the operating frequency alone, and improves the coverage and timeliness of stuck risk detection; in addition, it avoids the problem that resistance to attacks fails when verification is based on time units, so that various attacks can be responded to in time, the stuck risk is reduced, and the user experience is further improved.
Embodiments of the apparatus of the present invention are described below; they can be used to perform the stuck risk detection method of the above embodiments of the present invention. For details not disclosed in the apparatus embodiments, refer to the embodiments of the stuck risk detection method of the present invention.
Fig. 9 schematically shows a block diagram of a stuck risk detection apparatus according to an embodiment of the invention.
Referring to fig. 9, a stuck risk detection apparatus 900 according to an embodiment of the present invention includes: a data packet obtaining module 901, a time information determining module 902 and a risk detection module 903.
The data packet obtaining module 901 is configured to obtain a preset number of protocol data packets according to a time sequence; a time information determining module 902, configured to determine target time information according to the start time point and the end time point of obtaining the preset number of protocol data packets; and a risk detection module 903, configured to detect whether a stuck risk exists according to the target time information.
In one embodiment of the present invention, the preset number is determined according to the number of protocol data packets received in a unit time and the number of protocol data packets received in the unit time when network fluctuation causes blocking.
In one embodiment of the invention, the risk detection module 903 is configured to: compare the target time information with a unit time; when the target time information is less than the unit time, determine that the stuck risk exists; and when the target time information is equal to or greater than the unit time, determine that the stuck risk does not exist.
In an embodiment of the present invention, the data packet obtaining module 901 includes: an identification information obtaining unit, configured to obtain user identification information after obtaining each protocol data packet; a login state judgment unit for judging the user login state according to the user identification information; and the numbering unit is used for numbering each acquired protocol data packet according to the user login state so as to acquire the preset number of protocol data packets.
In an embodiment of the present invention, the login status determining unit is configured to: acquiring a final user login state corresponding to the user identification information and stored in a database according to the user identification information; if the final user login state is offline, judging that the current user login state is a new login user; and if the final user login state is online, judging that the current user login state is an online user.
In one embodiment of the present invention, the numbering unit comprises: a first numbering subunit, configured to, when the user login state is a new login user, take the currently acquired protocol data packet as the first protocol data packet and number the first protocol data packet; and a second numbering subunit, configured to, when the user login state is an online user, update the number of the currently acquired protocol data packet based on the number of the adjacent protocol data packet until the preset number of protocol data packets are acquired.
In one embodiment of the invention, the first protocol data packet has a start number value; the second numbering subunit is configured to: add one to the number of the adjacent protocol data packet to determine the number of the currently acquired protocol data packet; subtract the start number value from the number of the currently acquired protocol data packet and add one to obtain a target value; and if the target value is the same as the preset number, determine that the preset number of protocol data packets have been acquired.
Fig. 10 schematically shows a block diagram of a stuck risk detection apparatus according to an embodiment of the invention.
Referring to fig. 10, the stuck risk detection apparatus 900 according to an embodiment of the present invention further includes: a resetting module 904, configured to reset, after the preset number of protocol data packets are obtained, the number of the last protocol data packet corresponding to the end time point to the start number value, so as to use the last protocol data packet as the first protocol data packet of the next round of detection.
FIG. 11 illustrates a schematic structural diagram of a computer system suitable for use with the electronic device to implement an embodiment of the invention.
It should be noted that the computer system 1100 of the electronic device shown in fig. 11 is only an example, and should not bring any limitation to the functions and the scope of the application of the embodiment of the present invention.
As shown in fig. 11, a computer system 1100 includes a Central Processing Unit (CPU) 1101, which can perform various appropriate actions and processes in accordance with a program stored in a Read-Only Memory (ROM) 1102 or a program loaded from a storage section 1108 into a Random Access Memory (RAM) 1103. In the RAM 1103, various programs and data necessary for system operation are also stored. The CPU 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. An Input/Output (I/O) interface 1105 is also connected to bus 1104.
The following components are connected to the I/O interface 1105: an input section 1106 including a keyboard, a mouse, and the like; an output section 1107 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker, and the like; a storage section 1108 including a hard disk and the like; and a communication section 1109 including a network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 1109 performs communication processing via a network such as the internet. A drive 1110 is also connected to the I/O interface 1105 as necessary. A removable medium 1111 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1110 as necessary, so that a computer program read out therefrom is installed into the storage section 1108 as necessary.
In particular, according to an embodiment of the present invention, the processes described below with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 1109 and/or installed from the removable medium 1111. When the computer program is executed by the Central Processing Unit (CPU) 1101, the various functions defined in the system of the present application are executed.
It should be noted that the computer readable medium shown in the embodiment of the present invention may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the invention, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiment of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiment of the present invention.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (9)

1. A method for detecting a stuck risk, comprising:
acquiring a preset number of protocol data packets according to a time sequence;
determining target time information according to the initial time point and the termination time point of the protocol data packets with the preset number;
comparing the target time information with unit time, and judging that the stuck risk exists when the target time information is smaller than the unit time; when the target time information is equal to or greater than the unit time, judging that the stuck risk does not exist;
and the unit time is theoretical time corresponding to the receiving of the preset number of protocol data packets.
2. The method of claim 1, wherein the preset number is determined according to the number of protocol data packets received in the unit time and the number of protocol data packets received in the unit time when network fluctuation causes blocking.
3. The method of claim 1, wherein the step of obtaining a predetermined number of protocol packets in time sequence comprises:
after each protocol data packet is obtained, user identification information is obtained;
judging the user login state according to the user identification information;
and numbering each acquired protocol data packet according to the user login state to acquire the preset number of protocol data packets.
4. The method for detecting a stuck risk of claim 3, wherein the step of judging the login state of the user according to the user identification information comprises the steps of:
acquiring a final user login state corresponding to the user identification information and stored in a database according to the user identification information;
if the final user login state is offline, judging that the current user login state is a new login user;
and if the final user login state is online, judging that the current user login state is an online user.
5. The method of claim 4, wherein numbering each of the obtained protocol packets according to the login status of the user to obtain the predetermined number of protocol packets comprises:
when the user login state is a new login user, taking a currently acquired protocol data packet as a first protocol data packet, and numbering the first protocol data packet to form an initial number value;
and when the user login state is an online user, updating the number of the currently acquired protocol data packet based on the number of the adjacent protocol data packets until the preset number of protocol data packets are acquired.
6. The method of claim 5, wherein the first protocol data packet has an initial number value;
when the user login state is an online user, updating the number of the currently acquired protocol data packet based on the number of the adjacent protocol data packets until the preset number of protocol data packets are acquired, wherein the method comprises the following steps:
adding one to the number of the adjacent protocol data packet to determine the number of the currently acquired protocol data packet;
subtracting the initial number value from the number of the currently acquired protocol data packet and adding one to obtain a target value;
and if the target value is the same as the preset number, judging that the protocol data packets with the preset number are acquired.
7. The method for detecting a stuck risk according to claim 5 or 6, further comprising:
after the protocol data packets with the preset number are obtained, the number of the last protocol data packet corresponding to the termination time point is reset to the initial number value, so that the last protocol data packet is used as the first protocol data packet of the next round of detection, and the termination time point is used as the initial time point of the next round of detection.
8. A device for detecting a stuck risk, comprising:
the data packet acquisition module is used for acquiring a preset number of protocol data packets according to a time sequence;
the time information determining module is used for determining target time information according to the starting time point and the ending time point of the protocol data packets with the preset number;
the risk detection module is used for comparing the target time information with unit time and judging that the stuck risk exists when the target time information is smaller than the unit time; when the target time information is equal to or greater than the unit time, judging that the stuck risk does not exist;
and the unit time is theoretical time corresponding to the receiving of the preset number of protocol data packets.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of detecting a stuck risk as claimed in any one of claims 1 to 7.
CN201910337506.4A 2019-04-25 2019-04-25 Detection method and device for stuck risk and electronic equipment Active CN110099051B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910337506.4A CN110099051B (en) 2019-04-25 2019-04-25 Detection method and device for stuck risk and electronic equipment


Publications (2)

Publication Number Publication Date
CN110099051A CN110099051A (en) 2019-08-06
CN110099051B true CN110099051B (en) 2021-05-11

Family

ID=67445684


Country Status (1)

Country Link
CN (1) CN110099051B (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant