CN112333163A - Inter-container flow monitoring method and flow monitoring management system - Google Patents


Info

Publication number: CN112333163A
Authority: CN (China)
Prior art keywords: container, target container, flow, target, acquisition
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN202011149615.2A
Other languages: Chinese (zh)
Other versions: CN112333163B (en)
Inventors: 程筱彪, 徐雷, 贾宝军, 杨双仕
Current assignee: China United Network Communications Group Co Ltd (as listed; not verified)
Original assignee: China United Network Communications Group Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by China United Network Communications Group Co Ltd; priority to CN202011149615.2A; publication of CN112333163A; application granted; publication of CN112333163B; legal status Active; anticipated expiration not shown

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 > H04L63/14)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, same path as above)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for monitoring traffic between containers and a traffic monitoring management system. The inter-container traffic monitoring method comprises the following steps: obtaining traffic data sent by an SDN controller, the traffic data comprising, for each target container, the traffic data collected by an SDN switch between the target container and the downstream container corresponding to it; for each target container, determining from the traffic data corresponding to that container whether a traffic anomaly exists between the target container and its corresponding downstream container; and, when a traffic anomaly exists between the target container and its corresponding downstream container, temporarily blocking subsequent data interaction between the target container and the corresponding downstream container.

Description

Inter-container flow monitoring method and flow monitoring management system
Technical Field
The invention relates to the technical field of cloud computing, and in particular to a method for monitoring traffic between containers and a traffic monitoring management system.
Background
In recent years container technology has come to be regarded as the future direction of cloud computing, and its security problems are receiving increasing attention. At present, however, container security is mostly understood as security detection at the boundary between the container cluster and the outside world, while security protection between containers receives too little attention. Specifically, in conventional container traffic security inspection, inspection devices are generally deployed at the entrance and exit of the whole container cluster, and anomalous traffic is identified periodically over the aggregate traffic.
This conventional approach has two drawbacks. On the one hand, the traffic between containers inside the cluster is not managed at all. On the other hand, only the traffic of the cluster as a whole is inspected, so that inspecting everything at the same moment easily produces an instantaneous burst of traffic, and both the security inspection software and the bandwidth suffer from the overload.
Disclosure of Invention
The present invention solves at least one of the technical problems of the prior art by providing an inter-container traffic monitoring method and a traffic monitoring management system.
To achieve the above object, the present invention provides an inter-container traffic monitoring method, comprising:
obtaining traffic data sent by an SDN controller, the traffic data comprising, for each target container, the traffic data collected by an SDN switch between the target container and its corresponding downstream container;
for each target container, determining from the traffic data corresponding to that container whether a traffic anomaly exists between the target container and its corresponding downstream container;
and, when a traffic anomaly exists between the target container and its corresponding downstream container, temporarily blocking subsequent data interaction between the target container and the corresponding downstream container.
Optionally, data interaction between the target container and its corresponding downstream container passes through the SDN switch;
and the step of temporarily blocking subsequent interaction between the target container and the corresponding downstream container comprises:
issuing flow table information to the corresponding SDN switch through the SDN controller, so that the SDN switch, according to the flow table information, temporarily blocks subsequent data interaction between the target container and the corresponding downstream container.
Optionally, the traffic data comprises a source IP address, a destination IP address, a source port number, a destination port number and a protocol number;
and the step of determining, from the traffic data corresponding to the target container, whether a traffic anomaly exists between the target container and its corresponding downstream container comprises:
comparing each item of information in the traffic data between the target container and the corresponding downstream container with the corresponding item in the corresponding historical traffic data;
and, if the comparison of at least one item is inconsistent, determining that a traffic anomaly exists between the target container and the corresponding downstream container.
Optionally, before the step of obtaining the traffic data sent by the SDN controller, the method further comprises:
for each target container, counting the traffic between the target container and its corresponding downstream container within a preset initial collection time period;
generating a current collection period corresponding to the target container from the traffic within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and a corresponding random number;
and sending the current collection period corresponding to each target container to the SDN switch, so that the SDN switch collects the traffic data of each target container according to that container's current collection period.
Optionally, the step of generating the current collection period corresponding to the target container from the traffic volume within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and the corresponding random number comprises:
generating the current collection period corresponding to the target container with a preset algorithm from the traffic within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and the corresponding random number.
The preset algorithm comprises the formula $D_i = (B_i / T_i) \cdot S + R$, where $D_i$ is the current collection period corresponding to the i-th target container, $T_i$ is the preset initial collection time period corresponding to the i-th target container, $B_i$ is the traffic volume of the i-th target container within the preset initial collection time period, $S$ is the preset collection duration of each collection, and $R$ is a random number taking one of the values $1, 2, 3, \ldots, S$; the random numbers corresponding to different target containers are different.
To achieve the above object, the present invention further provides a traffic monitoring management system, comprising:
a traffic data acquisition module, configured to obtain traffic data sent by an SDN controller, the traffic data comprising, for each target container, the traffic data collected by an SDN switch between the target container and its corresponding downstream container;
a determination module, configured to determine, for each target container, from the traffic data corresponding to that container whether a traffic anomaly exists between the target container and its corresponding downstream container;
and a control module, configured to temporarily block subsequent data interaction between the target container and its corresponding downstream container when the determination module finds a traffic anomaly between them.
Optionally, the control module is specifically configured to issue flow table information to the corresponding SDN switch through the SDN controller, so that the SDN switch, according to the flow table information, temporarily blocks subsequent data interaction between the target container and the corresponding downstream container.
Optionally, the traffic data comprises a source IP address, a destination IP address, a source port number, a destination port number and a protocol number;
and the determination module is specifically configured to compare each item of information in the traffic data between the target container and the corresponding downstream container with the corresponding item in the corresponding historical traffic data, and, if the comparison of at least one item is inconsistent, to determine that a traffic anomaly exists between the target container and the corresponding downstream container.
Optionally, the system further comprises a statistics module, a calculation module and a sending module;
the statistics module is configured to count, for each target container, the traffic between the target container and its corresponding downstream container within a preset initial collection time period;
the calculation module is configured to generate a current collection period corresponding to the target container from the traffic within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and the corresponding random number;
and the sending module is configured to send the current collection period corresponding to each target container to the SDN switch, so that the SDN switch collects the traffic data of each target container according to that container's current collection period.
Optionally, the calculation module is specifically configured to generate the current collection period corresponding to the target container with a preset algorithm from the traffic volume within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and the corresponding random number.
The preset algorithm comprises the formula $D_i = (B_i / T_i) \cdot S + R$, where $D_i$ is the current collection period corresponding to the i-th target container, $T_i$ is the preset initial collection time period corresponding to the i-th target container, $B_i$ is the traffic volume of the i-th target container within the preset initial collection time period, $S$ is the preset collection duration of each collection, and $R$ is a random number taking one of the values $1, 2, 3, \ldots, S$; the random numbers corresponding to different target containers are different.
The invention has at least the following beneficial effects:
in the inter-container traffic monitoring method and traffic monitoring management system, the SDN switch collects the traffic data between containers, that collected data is monitored, and when the traffic data shows a traffic anomaly between containers, subsequent data interaction between the target container and its corresponding downstream container is temporarily blocked, so that security monitoring of the traffic between containers is achieved.
Drawings
Fig. 1 is a flowchart of a method for monitoring inter-container traffic according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for monitoring inter-container traffic according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a traffic monitoring and management system according to a third embodiment of the present invention.
Detailed Description
To help those skilled in the art understand the technical solution of the present invention, the inter-container traffic monitoring method and the traffic monitoring management system provided by the invention are described in detail below with reference to the accompanying drawings.
Example one
Fig. 1 is a flowchart of an inter-container traffic monitoring method according to a first embodiment of the invention. As shown in Fig. 1, the method comprises:
Step 11: obtaining traffic data sent by the SDN controller, the traffic data comprising, for each target container, the traffic data collected by the SDN switch between the target container and its corresponding downstream container.
Step 12: for each target container, determining from the traffic data corresponding to that container whether a traffic anomaly exists between the target container and its corresponding downstream container; if so, executing step 13, otherwise performing no further processing.
Step 13: when a traffic anomaly exists between the target container and its corresponding downstream container, temporarily blocking subsequent interaction between the target container and the corresponding downstream container.
In the inter-container traffic monitoring method of this embodiment, the traffic data between containers is collected by the SDN switch and monitored, and when that traffic data shows a traffic anomaly between containers, subsequent data interaction between the target container and its corresponding downstream container is temporarily blocked, so that security monitoring of the traffic between containers is achieved.
Example two
Fig. 2 is a flowchart of an inter-container traffic monitoring method according to a second embodiment of the invention. The method is carried out by a traffic monitoring management system and, as shown in Fig. 2, comprises:
Step 21: for each target container, counting the traffic between the target container and its corresponding downstream container within a preset initial collection time period.
In this embodiment, before the inter-container traffic monitoring method is carried out, the target containers that interact with the outside are first screened out, so that each target container and its corresponding downstream container are determined; the communication mechanism between the target container and its corresponding downstream container is then adjusted so that the two no longer exchange data directly but through an SDN (Software Defined Network) switch.
After the communication mechanism between the containers has been modified and the containers have run stably for some time, step 21 counts, for each target container, the traffic volume $B_i$ between the target container and its corresponding downstream container within the preset initial collection time period $T_i$.
Specifically, while the containers run under the modified communication mechanism, the SDN switch collects traffic from each target container according to the preset initial collection time period $T_i$ corresponding to that container, obtaining the traffic data between the target container and its corresponding downstream container within $T_i$. Before step 21 the traffic data reported by the SDN switch is obtained through the SDN controller, and in step 21 the traffic volume $B_i$ within $T_i$ is counted for each target container from that reported traffic data.
Step 22: generating a current collection period corresponding to the target container from the traffic within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and the corresponding random number.
The collection period is the time interval between two adjacent collection time points, for example 1 hour, 2 hours, 5 hours or 1 day.
Specifically, the current collection period $D_i$ corresponding to the target container is generated with a preset algorithm from the traffic volume $B_i$ within the preset initial collection time period $T_i$ corresponding to the target container, the preset collection duration $S$ of each collection, and the corresponding random number $R$.
The preset algorithm comprises the formula $D_i = (B_i / T_i) \cdot S + R$, where $D_i$ is the current collection period corresponding to the i-th target container, $T_i$ is the preset initial collection time period corresponding to the i-th target container, $B_i$ is the traffic volume within the preset initial collection time period corresponding to the i-th target container, $B_i / T_i$ is the quotient of $B_i$ and $T_i$, $S$ is the preset collection duration of each collection, $(B_i / T_i) \cdot S$ is the product of $B_i / T_i$ and $S$, and $R$ is an adjustment factor: a random value drawn from the preset range $\{1, 2, 3, \ldots, S\}$, with different target containers receiving different adjustment factors. The page gives no units for $B_i$, $T_i$ or $S$, so how $(B_i / T_i) \cdot S$ and $R$ are made commensurable is left to the deployment.
In this embodiment, because $R$ differs between target containers, target containers that have the same traffic volume $B_i$ within the preset initial collection time period $T_i$ are not all collected with the same collection period.
In this embodiment the preset initial collection time period $T_i$ is an initial default collection time period, and the preset initial collection time period $T_i$ corresponding to each target container may be the same.
In this embodiment the preset collection duration $S$ of each collection may be configured according to actual needs. For example, if traffic data is collected once every hour and only the past 5 minutes are collected each time, the collection period $D$ is 1 hour and the collection duration $S$ of each collection is 5 minutes.
Step 23: sending the current collection period corresponding to each target container to the SDN switch, so that the SDN switch collects the traffic data of each target container according to that container's current collection period.
Specifically, steps 21 and 22 yield the current collection period corresponding to each target container, from which a current collection period list $D = \{D_1, D_2, \ldots, D_i\}$ is formed, where $D_i$ is the current collection period corresponding to the i-th target container; the SDN switch collection parameters corresponding to each target container, which include the current collection period, are configured from this list, and in step 23 the SDN switch collection parameters corresponding to each target container are sent to the SDN switch, so that the SDN switch collects the traffic data of each target container according to that container's current collection period.
For each target container, the SDN switch collects the traffic between the target container and its corresponding downstream container according to the current collection period corresponding to that container. Taking a current collection period $D$ of 1 hour and a collection duration $S$ of 5 minutes as an example: if the traffic of the target container is first collected at 08:00, the traffic data of the target container for the period 07:55 to 08:00 is collected; the next collection time point is 09:00, and when it arrives the traffic data for the period 08:55 to 09:00 is collected, and so on.
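The collection-period algorithm of steps 21 to 23 (the same formula $D_i = (B_i / T_i) \cdot S + R$ that the summary states), worked through in code. This is an example added to this page, not code from the patent or its assignee. The patent gives no units, so the example assumes $B_i$ is a byte count, $T_i$ and $S$ are in seconds and $D_i$ is used as a number of seconds; the container names and traffic volumes are constructed. One point the text leaves implicit is enforced explicitly: because the $R$ values of different containers must differ and $R$ lies in $\{1, \ldots, S\}$, the scheme cannot serve more than $S$ target containers, so the example refuses that case instead of silently reusing a value.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TargetContainer:
    container_id: str
    downstream_id: str
    initial_bytes: int      # B_i: traffic volume seen in the initial window (assumed: bytes)
    initial_seconds: int    # T_i: length of the initial collection window (assumed: seconds)


def assign_random_offsets(containers, s, rng=random):
    """Choose R for every target container: an integer in {1, ..., S}, distinct per container.

    The patent requires the R values of different containers to differ; that is only
    possible when there are at most S containers, so larger clusters are rejected.
    """
    if len(containers) > s:
        raise ValueError(f"{len(containers)} containers cannot get distinct R values with S={s}")
    offsets = rng.sample(range(1, s + 1), len(containers))
    return {c.container_id: r for c, r in zip(containers, offsets)}


def collection_period(container, s, r):
    """The patent's preset algorithm: D_i = (B_i / T_i) * S + R (units are an assumption)."""
    return (container.initial_bytes / container.initial_seconds) * s + r


def build_period_list(containers, s, rng=random):
    """Step 22 for a whole cluster: the list D = {D_1, ..., D_n}, keyed by container id."""
    offsets = assign_random_offsets(containers, s, rng)
    return {c.container_id: collection_period(c, s, offsets[c.container_id]) for c in containers}


def collection_windows(first_collection, period_seconds, s, count):
    """Step 23 as seen by the switch: the window [t - S, t] it collects at t, t + D_i, ..."""
    windows = []
    t = first_collection
    for _ in range(count):
        windows.append((t - timedelta(seconds=s), t))
        t += timedelta(seconds=period_seconds)
    return windows


def collection_schedule(first_hhmm, period_seconds, s, count):
    """Same schedule as strings, e.g. '07:55-08:00', for D_i = 1 h, S = 5 min, first at 08:00."""
    first = datetime.strptime(first_hhmm, "%H:%M")
    return [f"{a:%H:%M}-{b:%H:%M}" for a, b in collection_windows(first, period_seconds, s, count)]


if __name__ == "__main__":
    # Constructed sample cluster; not data from the patent.
    cluster = [
        TargetContainer("web-1", "api-1", initial_bytes=3_600_000, initial_seconds=3600),
        TargetContainer("web-2", "api-1", initial_bytes=3_600_000, initial_seconds=3600),
        TargetContainer("batch-1", "db-1", initial_bytes=120_000, initial_seconds=3600),
    ]
    for cid, d in build_period_list(cluster, s=300, rng=random.Random(1)).items():
        print(f"{cid}: D_i = {d:.0f}")
    for window in collection_schedule("08:00", 3600, 300, 3):
        print("collect", window)
```

Note that web-1 and web-2 have identical $B_i / T_i$ but still receive different periods, which is the whole purpose of $R$: staggering the collections so that the switch and the inspection system do not see every container's data at the same instant.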
After the SDN switch has collected the traffic data corresponding to a target container according to its current collection period, it packages the traffic data and sends it to the SDN controller. The SDN controller parses the traffic data reported by the switch to obtain, for each traffic record, the source IP address, destination IP address, source port number, destination port number, protocol number and similar information, and sends the parsed traffic data, together with the container number of the corresponding target container and the container number of its downstream container, to the traffic monitoring management system.
Step 24: obtaining the traffic data sent by the SDN controller, the traffic data comprising, for each target container, the traffic data collected by the SDN switch between the target container and its corresponding downstream container.
The traffic data includes, but is not limited to: source IP address, destination IP address, source port number, destination port number, protocol number, container number of the target container, and container number of the corresponding downstream container.
In the traffic data, the source IP address and source port number are those of the target container, and the destination IP address and destination port number are those of the corresponding downstream container.
Step 25: for each target container, determining from the traffic data corresponding to that container whether a traffic anomaly exists between the target container and its corresponding downstream container; if so, executing step 26, otherwise performing no further processing.
Specifically, each item of information in the traffic data between the target container and the corresponding downstream container is compared with the corresponding item in the corresponding historical traffic data: whether the source IP address is consistent, whether the destination IP address is consistent, whether the source port number is consistent, whether the destination port number is consistent, and whether the protocol number is consistent.
If the item-by-item comparison of the traffic data against the historical traffic data is consistent for every item, the traffic data is normal, that is, no traffic anomaly exists between the target container and its corresponding downstream container, and no further processing is performed.
If the comparison of at least one item is inconsistent, the traffic data is anomalous, that is, a traffic anomaly exists between the target container and its corresponding downstream container, and further processing is required.
Step 26: when a traffic anomaly exists between the target container and its corresponding downstream container, temporarily blocking subsequent data interaction between the target container and the corresponding downstream container.
Specifically, flow table information is issued to the corresponding SDN switch through the SDN controller, so that the SDN switch temporarily blocks subsequent data interaction between the target container and the corresponding downstream container according to that flow table information. In particular, the SDN switch, according to the flow table information, modifies the timeout parameter (hard_timeout) of the flow entry for the link from the target container to the corresponding downstream container, thereby temporarily blocking interaction between the two containers, that is, temporarily blocking subsequent data transfer between them. The duration of the blocking may be a preset duration. (In OpenFlow, hard_timeout is the number of seconds after which a flow entry is removed regardless of whether it is still matching packets, so a block implemented this way ends by itself when the timeout expires unless the entry is re-installed; the blocking duration therefore also bounds how long an unrepaired anomaly stays blocked.)
In this embodiment, after determining that a traffic anomaly exists between the target container and its corresponding downstream container, the traffic monitoring management system also imports the anomalous traffic data into a preset anomalous-traffic detection security system for detailed inspection, so that the anomalous traffic data is analysed further. After the anomaly has been analysed and repaired, the communication channel of the link from the target container to the corresponding downstream container is reopened.
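Steps 25 and 26 in code: the item-by-item comparison against the historical record, and the resulting temporary block expressed as a switch rule. This is an example added to this page, not code from the patent or its assignee. It assumes the SDN switch is Open vSwitch driven through `ovs-ofctl` (the patent only says "SDN switch"); the bridge name `br0`, the priority, the 600-second `hard_timeout`, the container numbers and all IP addresses and ports are constructed. Two design points go beyond the text: the drop entry matches on the two container IP addresses only, because the patent blocks the container pair rather than the one connection that differed; and a pair with no historical record at all is treated as anomalous, since the patent's comparison is undefined for it. A caveat a practitioner should weigh before deploying the rule literally: the source port of an outbound connection is ephemeral and changes per connection, so a baseline holding a single historical five-tuple per pair will flag every new connection; a real baseline would hold the set of tuples observed during the initial period, or leave the source port out of the comparison.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One traffic record as the controller hands it to the monitoring system (step 24)."""
    target_id: str       # container number of the target container
    downstream_id: str   # container number of its downstream container
    src_ip: str          # IP address of the target container
    dst_ip: str          # IP address of the downstream container
    src_port: int
    dst_port: int
    protocol: int        # IP protocol number: 6 = TCP, 17 = UDP


COMPARED_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")


def mismatched_fields(current, historical):
    """Step 25: compare item by item; an empty result means the record matches history."""
    return tuple(f for f in COMPARED_FIELDS if getattr(current, f) != getattr(historical, f))


def is_anomalous(current, historical):
    """At least one inconsistent item is enough to declare an anomaly."""
    return bool(mismatched_fields(current, historical))


def ovs_drop_rule(record, hard_timeout_seconds, bridge="br0", priority=1000):
    """Step 26 rendered as an Open vSwitch command (assumption: the SDN switch is OVS).

    Matching on the two container IPs, not on ports, blocks the whole pair as the
    patent requires. OVS deletes the entry hard_timeout seconds after it is added,
    so the block lifts on its own unless the entry is re-installed; the priority
    must exceed that of the normal forwarding entries or it never matches.
    """
    ipaddress.ip_address(record.src_ip)   # refuse anything that is not a literal IP
    ipaddress.ip_address(record.dst_ip)   # before it is spliced into a command line
    return (f"ovs-ofctl add-flow {bridge} "
            f"priority={priority},hard_timeout={hard_timeout_seconds},"
            f"ip,nw_src={record.src_ip},nw_dst={record.dst_ip},actions=drop")


def ovs_unblock_rule(record, bridge="br0"):
    """Reopen the link early, once the anomaly has been analysed and repaired.

    Without --strict, del-flows removes every entry whose match includes these fields.
    """
    ipaddress.ip_address(record.src_ip)
    ipaddress.ip_address(record.dst_ip)
    return f"ovs-ofctl del-flows {bridge} ip,nw_src={record.src_ip},nw_dst={record.dst_ip}"


def evaluate(records, baseline, hard_timeout_seconds=600):
    """Run steps 25 and 26 over a batch of collected records.

    Returns (pair, mismatched fields, block command) for each anomalous pair. A pair
    with no historical record cannot be compared; treating it as anomalous is this
    example's assumption, not something the patent states.
    """
    decisions = []
    for rec in records:
        pair = (rec.target_id, rec.downstream_id)
        hist = baseline.get(pair)
        if hist is None:
            decisions.append((pair, ("no_history",), ovs_drop_rule(rec, hard_timeout_seconds)))
            continue
        diff = mismatched_fields(rec, hist)
        if diff:
            decisions.append((pair, diff, ovs_drop_rule(rec, hard_timeout_seconds)))
    return decisions


# Constructed sample data; not taken from the patent.
BASELINE = {
    ("c1", "c2"): FlowRecord("c1", "c2", "10.0.0.1", "10.0.0.2", 40000, 8080, 6),
    ("c3", "c4"): FlowRecord("c3", "c4", "10.0.0.3", "10.0.0.4", 50000, 5432, 6),
}
COLLECTED = [
    FlowRecord("c1", "c2", "10.0.0.1", "10.0.0.2", 40000, 8080, 6),  # identical to history
    FlowRecord("c3", "c4", "10.0.0.3", "10.0.0.4", 50000, 22, 6),    # destination port changed
    FlowRecord("c5", "c6", "10.0.0.5", "10.0.0.6", 1234, 53, 17),    # pair never seen before
]

if __name__ == "__main__":
    for pair, why, cmd in evaluate(COLLECTED, BASELINE):
        print(pair, why)
        print("  ", cmd)
```

The unblock command is what the "reopen after repair" step at the end of this embodiment needs: if analysis finishes before the timeout, the drop entry must be deleted explicitly, and if it takes longer, the drop entry must be re-added or the pair silently resumes talking when hard_timeout expires.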
In this embodiment, the traffic monitoring management system may periodically update the current collection period of each target container according to that container's actual traffic (that is, its traffic volume within the preset initial collection time period), and correspondingly update the SDN switch collection parameters of each target container; since the collection periods of different target containers differ, the traffic of the target containers is collected dynamically.
EXAMPLE III
Fig. 3 is a schematic structural diagram of a traffic monitoring management system according to a third embodiment of the invention. As shown in Fig. 3, in this embodiment the traffic monitoring management system 300 comprises an acquisition module 301, a determination module 302 and a control module 303.
The acquisition module 301 is configured to obtain traffic data sent by the SDN controller, the traffic data comprising, for each target container, the traffic data collected by the SDN switch between the target container and its corresponding downstream container; the determination module 302 is configured to determine, for each target container, from the traffic data corresponding to that container whether a traffic anomaly exists between the target container and its corresponding downstream container; and the control module 303 is configured to temporarily block subsequent data interaction between the target container and its corresponding downstream container when the determination module 302 finds a traffic anomaly between them.
Optionally, the control module 303 is specifically configured to issue flow table information to the corresponding SDN switch through the SDN controller, so that the SDN switch, according to the flow table information, temporarily blocks subsequent data interaction between the target container and the corresponding downstream container.
Optionally, the traffic data comprises a source IP address, a destination IP address, a source port number, a destination port number and a protocol number, and the determination module 302 is specifically configured to compare each item of information in the traffic data between the target container and the corresponding downstream container with the corresponding item in the corresponding historical traffic data, and, if the comparison of at least one item is inconsistent, to determine that a traffic anomaly exists between the target container and the corresponding downstream container.
Optionally, as shown in Fig. 3, the system 300 further comprises a statistics module 304, a calculation module 305 and a sending module 306. The statistics module 304 is configured to count, for each target container, the traffic between the target container and its corresponding downstream container within a preset initial collection time period; the calculation module 305 is configured to generate a current collection period corresponding to the target container from the traffic volume within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and the corresponding random number; and the sending module 306 is configured to send the current collection period corresponding to each target container to the SDN switch, so that the SDN switch collects the traffic data of each target container according to that container's current collection period.
Optionally, the calculation module 305 is specifically configured to generate the current collection period corresponding to the target container with a preset algorithm from the traffic volume within the preset initial collection time period corresponding to the target container, the preset collection duration of each collection, and the corresponding random number.
The preset algorithm comprises the formula $D_i = (B_i / T_i) \cdot S + R$, where $D_i$ is the current collection period corresponding to the i-th target container, $T_i$ is the preset initial collection time period corresponding to the i-th target container, $B_i$ is the traffic volume of the i-th target container within the preset initial collection time period, $S$ is the preset collection duration of each collection, and $R$ is a random number taking one of the values $1, 2, 3, \ldots, S$; the random numbers corresponding to different target containers are different.
The traffic monitoring management system 300 of this embodiment is used to carry out the inter-container traffic monitoring method of any of the preceding embodiments; for the details, refer to the description of those embodiments, which is not repeated here.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A method for monitoring traffic between containers, comprising:
acquiring traffic data sent by an SDN controller, wherein the traffic data comprises, for each target container, the traffic data collected by an SDN switch between that target container and its corresponding downstream container;
for each target container, determining, according to the traffic data corresponding to the target container, whether a traffic anomaly exists between the target container and its corresponding downstream container; and
temporarily blocking subsequent data interaction between the target container and its corresponding downstream container when the traffic between them is determined to be anomalous.
2. The inter-container traffic monitoring method according to claim 1, wherein data interaction between the target container and its corresponding downstream container passes through the SDN switch, and
the step of temporarily blocking subsequent data interaction between the target container and its corresponding downstream container comprises:
issuing flow table information to the corresponding SDN switch through the SDN controller, so that the SDN switch temporarily blocks subsequent data interaction between the target container and its corresponding downstream container according to the flow table information.
3. The inter-container traffic monitoring method according to claim 1, wherein the traffic data includes a source IP address, a destination IP address, a source port number, a destination port number and a protocol number, and
the step of determining, according to the traffic data corresponding to the target container, whether a traffic anomaly exists between the target container and its corresponding downstream container comprises:
comparing each item of the traffic data between the target container and its corresponding downstream container with the corresponding item of the historical traffic data; and
determining that the traffic between the target container and its corresponding downstream container is anomalous if at least one item does not match.
4. The inter-container traffic monitoring method according to claim 1, wherein, before the step of acquiring traffic data sent by the SDN controller, the method further comprises:
for each target container, counting the traffic between the target container and its corresponding downstream container within a preset initial acquisition time period;
generating a current acquisition cycle corresponding to the target container according to the traffic within the preset initial acquisition time period corresponding to the target container, the preset acquisition duration of each acquisition, and a corresponding random number; and
sending the current acquisition cycle corresponding to each target container to the SDN switch, so that the SDN switch collects the traffic data of each target container according to that container's current acquisition cycle.
5. The inter-container traffic monitoring method according to claim 4, wherein the step of generating the current acquisition cycle corresponding to the target container according to the traffic within the preset initial acquisition time period corresponding to the target container, the preset acquisition duration of each acquisition, and the corresponding random number comprises:
generating the current acquisition cycle corresponding to the target container by using a preset algorithm that takes the traffic within the preset initial acquisition time period corresponding to the target container, the preset acquisition duration of each acquisition, and the corresponding random number as inputs;
wherein the preset algorithm comprises the formula $D_i = \frac{B_i}{T_i} \cdot S + R$, where $D_i$ represents the current acquisition cycle corresponding to the i-th target container, $T_i$ represents the preset initial acquisition time period corresponding to the i-th target container, $B_i$ represents the traffic of the i-th target container within that preset initial acquisition time period, S represents the preset acquisition duration of each acquisition, and R is a random number taking a value in {1, 2, 3, …, S}; the random numbers corresponding to different target containers are different.
6. A traffic monitoring and management system, comprising:
a traffic data acquisition module configured to acquire traffic data sent by an SDN controller, wherein the traffic data comprises, for each target container, the traffic data collected by an SDN switch between that target container and its corresponding downstream container;
a determining module configured to determine, for each target container and according to the traffic data corresponding to that target container, whether a traffic anomaly exists between the target container and its corresponding downstream container; and
a control module configured to temporarily block subsequent data interaction between the target container and its corresponding downstream container when the determining module determines that the traffic between them is anomalous.
7. The traffic monitoring and management system according to claim 6, wherein the control module is specifically configured to issue, through the SDN controller, flow table information to the corresponding SDN switch, so that the SDN switch temporarily blocks subsequent data interaction between the target container and its corresponding downstream container according to the flow table information.
8. The traffic monitoring and management system according to claim 6, wherein the traffic data includes a source IP address, a destination IP address, a source port number, a destination port number and a protocol number, and
the determining module is specifically configured to compare each item of the traffic data between the target container and its corresponding downstream container with the corresponding item of the historical traffic data, and to determine that the traffic between the target container and its corresponding downstream container is anomalous if at least one item does not match.
9. The traffic monitoring and management system according to claim 6, further comprising a statistics module, a calculation module and a sending module, wherein:
the statistics module is configured to count, for each target container, the traffic between the target container and its corresponding downstream container within a preset initial acquisition time period;
the calculation module is configured to generate the current acquisition cycle corresponding to the target container according to the traffic within the preset initial acquisition time period corresponding to the target container, the preset acquisition duration of each acquisition, and the corresponding random number; and
the sending module is configured to send the current acquisition cycle corresponding to each target container to the SDN switch, so that the SDN switch collects the traffic data of each target container according to that container's current acquisition cycle.
10. The traffic monitoring and management system according to claim 9, wherein the calculation module is specifically configured to generate the current acquisition cycle corresponding to the target container by using a preset algorithm that takes the traffic within the preset initial acquisition time period corresponding to the target container, the preset acquisition duration of each acquisition, and the corresponding random number as inputs;
wherein the preset algorithm comprises the formula $D_i = \frac{B_i}{T_i} \cdot S + R$, where $D_i$ represents the current acquisition cycle corresponding to the i-th target container, $T_i$ represents the preset initial acquisition time period corresponding to the i-th target container, $B_i$ represents the traffic of the i-th target container within that preset initial acquisition time period, S represents the preset acquisition duration of each acquisition, and R is a random number taking a value in {1, 2, 3, …, S}; the random numbers corresponding to different target containers are different.
CN202011149615.2A 2020-10-23 2020-10-23 Inter-container flow monitoring method and flow monitoring management system Active CN112333163B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011149615.2A CN112333163B (en) 2020-10-23 2020-10-23 Inter-container flow monitoring method and flow monitoring management system

Publications (2)

Publication Number Publication Date
CN112333163A true CN112333163A (en) 2021-02-05
CN112333163B CN112333163B (en) 2022-08-02

Family

ID=74310842

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011149615.2A Active CN112333163B (en) 2020-10-23 2020-10-23 Inter-container flow monitoring method and flow monitoring management system

Country Status (1)

Country Link
CN (1) CN112333163B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113872954A (en) * 2021-09-23 2021-12-31 绿盟科技集团股份有限公司 Data flow detection method
CN114741377A (en) * 2022-04-01 2022-07-12 深圳市爱路恩济能源技术有限公司 Method and device for identifying and processing natural gas abnormal data

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196816A (en) * 2016-03-14 2017-09-22 中国移动通信集团江西有限公司 Anomalous traffic detection method, system and Network analyzing equipment
US20180103061A1 (en) * 2016-10-10 2018-04-12 The Johns Hopkins University Apparatus and method for implementing network deception
CN107947974A (en) * 2017-11-17 2018-04-20 国云科技股份有限公司 A kind of network key chain circuit detecting method of cloud platform business
CN108881246A (en) * 2018-06-27 2018-11-23 中国联合网络通信集团有限公司 A kind of method and device of vessel safety protection
CN108989147A (en) * 2018-07-16 2018-12-11 西安电子科技大学 SDN network Flow Measuring System and method based on FPGA
CN111049747A (en) * 2019-12-18 2020-04-21 北京计算机技术及应用研究所 Intelligent virtual network path planning method for large-scale container cluster
CN111277609A (en) * 2020-02-24 2020-06-12 深圳供电局有限公司 SDN network monitoring method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Liu Zhifeng et al.: "Design and construction of a hierarchical cross-region SDN verification and demonstration system", Telecommunications Science *
Zhang Jiaxing: "Research on technologies for transitioning traditional networks to SDN networks", CNKI Excellent Master's Theses Full-text Database *

Also Published As

Publication number Publication date
CN112333163B (en) 2022-08-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant