CN114158080B - Monitoring method, device and computer readable storage medium - Google Patents

Publication number: CN114158080B
Authority: CN (China)
Legal status: Active
Application number: CN202010825305.1A
Other languages: Chinese (zh)
Other versions: CN114158080A (en)
Inventors: 李金艳, 张蕾, 赵一荣, 李红祎
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd
Prior art keywords: monitoring, data, data packet, NEF, gateway
Application filed by China Telecom Corp Ltd; priority to CN202010825305.1A; application published as CN114158080A; granted and published as CN114158080B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/04 Arrangements for maintaining operational condition
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/12 Network monitoring probes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic

Abstract

The disclosure provides a monitoring system, a monitoring method, a monitoring device and a computer-readable storage medium, and relates to the technical field of communications. The monitoring system includes intelligent probes deployed at the respective interfaces of a network exposure function (NEF) gateway, and a monitoring server in signal connection with each intelligent probe. Each intelligent probe is configured to: collect the data packets that the NEF gateway receives and transmits through the current interface; analyze the data packets to generate a local-anomaly monitoring result; and send the data packets and the local-anomaly monitoring result to the monitoring server. The monitoring server is configured to: receive the data packets and the local-anomaly monitoring results sent by the intelligent probes; analyze the data packets sent by the intelligent probes to generate a global-anomaly monitoring result; and send alarm information to the NEF gateway according to the global-anomaly monitoring result and the local-anomaly monitoring results sent by the intelligent probes. The disclosure realizes security monitoring of the NEF gateway without increasing the workload of the NEF gateway.

Description

Monitoring method, device and computer readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a monitoring method, an apparatus, and a computer readable storage medium.
Background
The core network of fifth-generation (5G) mobile communication differs fundamentally from the core network of the previous fourth generation. It can better support a rich diversity of services, better meet the various requirements of the three application scenarios, and meet the need for rapid deployment and rapid adjustment of the network. In addition, the 5G core network adopts a service-based design concept, and the cloud-based design concept can effectively improve the utilization of network resources and reduce cost.
In the service-based design, the 5G core network adds a NEF (Network Exposure Function). The services provided by the NEF meet more personalized user demands; the open services specifically provided include basic resources, value-added services, data information, operation support and the like. The 5G NEF performs capability adaptation, encapsulation and orchestration on the basic resources, value-added services, data information, operation support, user-data value-added services, infrastructure and the like of the core network, and finally provides network capabilities to third parties through a unified interface.
Because the services provided by the NEF are oriented to third parties outside the network, security is particularly important: round-the-clock monitoring and prevention are needed, callers of the NEF must be fully authenticated, and network information must be effectively protected. At present, in order to isolate network resources from third-party callers, a NEF gateway is used to relay information, and third-party callers must obtain network resources through the NEF gateway. Under this service architecture, network services are provided to external third-party applications through the NEF: when a third-party application sends a call request to the NEF gateway, the NEF gateway authenticates the request and provides data once authentication passes. The external interface of the NEF gateway is therefore easily subjected to hacking or malicious calls, which cause interface service anomalies or performance degradation of the NEF gateway.
Disclosure of Invention
One technical problem solved by the present disclosure is how to implement security monitoring of a NEF gateway on the premise of not increasing the workload of the NEF gateway.
According to one aspect of the disclosed embodiments, there is provided a monitoring system comprising intelligent probes deployed at the respective interfaces of the network exposure function (NEF) gateway, and a monitoring server in signal connection with each intelligent probe. Each intelligent probe is configured to: collect the data packets that the NEF gateway receives and transmits through the current interface; analyze the data packets to generate a local-anomaly monitoring result; and send the data packets and the local-anomaly monitoring result to the monitoring server. The monitoring server is configured to: receive the data packets and the local-anomaly monitoring results sent by the intelligent probes; analyze the data packets sent by the intelligent probes to generate a global-anomaly monitoring result; and send alarm information to the NEF gateway according to the global-anomaly monitoring result and the local-anomaly monitoring results sent by the intelligent probes.
In some embodiments, analyzing the data packet to generate a monitoring result of the local anomaly includes: extracting a data value of a preset field in a data packet; when the data value falls into an abnormal data value range of a corresponding preset field in the data feature library, generating a monitoring result of local data abnormality; determining a characteristic value of a preset calling behavior characteristic in the same session according to the data packet and the time stamp of the data packet in the same session; and when the characteristic value falls into an abnormal characteristic value range of the corresponding preset calling behavior characteristic in the behavior characteristic library, generating a monitoring result of local behavior abnormality.
In some embodiments, analyzing the data packet sent by each intelligent probe, and generating the monitoring result of the global anomaly includes: analyzing the data packets sent by each intelligent probe to obtain access characteristics of the data packets sent by each intelligent probe, wherein the access characteristics comprise a source IP address, a source port, a destination IP address, a destination port, an access data type and an access operation code; counting the number of data packets sent by each intelligent probe with preset access characteristics; and when the number of data packets sent by each intelligent probe with the preset access characteristic is larger than the preset number, generating a monitoring result of global abnormality associated with the preset access characteristic.
In some embodiments, the monitoring server is further configured to: issuing a data feature library and a behavior feature library to each intelligent probe; extracting calling parameters from data packets sent by all intelligent probes; and when the call parameters are not matched with the call parameter requirements issued by the NEF gateway currently, adding the call parameters to the data feature library.
In some embodiments, the monitoring server is further configured to: monitoring operation state parameters of the NEF gateway, wherein the operation state parameters comprise CPU occupancy rate, memory occupancy rate, hard disk occupancy rate and CPU temperature; outputting health state indexes of the NEF gateway corresponding to the operation state parameters; receiving the time stamp of the data packet sent by each intelligent probe; determining average response time and average response time change rate of each interface of the NEF gateway according to the time stamp of the data packet; and outputting the stability index of the NEF gateway corresponding to the average response time and the average response time change rate.
In some embodiments, the monitoring server is further configured to: determining the flow of data packets sent by each intelligent probe in each historical time period; and predicting the flow of the data packet sent by each intelligent probe in a preset future time period by adopting a linear fitting or nonlinear fitting mode.
In some embodiments, each intelligent probe is further configured to perform time synchronization through the Global Positioning System or the BeiDou Navigation Satellite System.
In some embodiments, the monitoring server is further configured to issue system firmware and configuration files to each intelligent probe; each intelligent probe is further configured to run the system firmware and the configuration file, and to perform data packet acquisition, data packet analysis and monitoring result transmission according to the configuration file.
According to another aspect of an embodiment of the present disclosure, there is provided a monitoring method including: the intelligent probe collects data packets which are received and transmitted by the NEF gateway through the current interface; the intelligent probe analyzes the data packet to generate a monitoring result of local abnormality; the intelligent probe sends the data packet and the monitoring result of local abnormality to the monitoring server; the monitoring server receives the data packet sent by each intelligent probe and the monitoring result of local abnormality; the monitoring server analyzes the data packets sent by each intelligent probe to generate a global abnormal monitoring result; and the monitoring server sends alarm information to the NEF gateway according to the monitoring result of the global abnormality and the monitoring result of the local abnormality sent by each intelligent probe.
In some embodiments, analyzing the data packet to generate a monitoring result of the local anomaly includes: extracting a data value of a preset field in a data packet; when the data value falls into an abnormal data value range of a corresponding preset field in the data feature library, generating a monitoring result of local data abnormality; determining a characteristic value of a preset calling behavior characteristic in the same session according to the data packet and the time stamp of the data packet in the same session; and when the characteristic value falls into an abnormal characteristic value range of the corresponding preset calling behavior characteristic in the behavior characteristic library, generating a monitoring result of local behavior abnormality.
In some embodiments, analyzing the data packet sent by each intelligent probe, and generating the monitoring result of the global anomaly includes: analyzing the data packets sent by each intelligent probe to obtain access characteristics of the data packets sent by each intelligent probe, wherein the access characteristics comprise a source IP address, a source port, a destination IP address, a destination port, an access data type and an access operation code; counting the number of data packets sent by each intelligent probe with preset access characteristics; and when the number of data packets sent by each intelligent probe with the preset access characteristic is larger than the preset number, generating a monitoring result of global abnormality associated with the preset access characteristic.
In some embodiments, the monitoring method further comprises: the monitoring server transmits a data feature library and a behavior feature library to each intelligent probe; the monitoring server extracts calling parameters from data packets sent by all intelligent probes; and when the call parameters are not matched with the call parameter requirements issued by the NEF gateway currently, the monitoring server adds the call parameters to the data feature library.
In some embodiments, the monitoring method further comprises: the monitoring server monitors the operation state parameters of the NEF gateway, wherein the operation state parameters comprise CPU occupancy rate, memory occupancy rate, hard disk occupancy rate and CPU temperature; the monitoring server outputs health state indexes of the NEF gateway corresponding to the running state parameters; the monitoring server receives the time stamp of the data packet sent by each intelligent probe; the monitoring server determines the average response time and the average response time change rate of each interface of the NEF gateway according to the time stamp of the data packet; the monitoring server outputs a stability index of the NEF gateway corresponding to the average response time and the average response time change rate.
In some embodiments, the monitoring method further comprises: the monitoring server determines the flow of data packets sent by each intelligent probe in each historical time period; the monitoring server predicts the flow of the data packet sent by each intelligent probe in a preset future time period in a linear fitting or nonlinear fitting mode.
In some embodiments, the monitoring method further comprises: each intelligent probe performs time synchronization through a global positioning system or a Beidou satellite navigation system.
In some embodiments, the monitoring method further comprises: the monitoring server issues system firmware and configuration files to each intelligent probe; each intelligent probe runs system firmware and configuration files, and performs data packet acquisition, data packet analysis and monitoring result sending operations according to the configuration files.
According to yet another aspect of the disclosed embodiments, there is provided a monitoring device comprising: a memory; and a processor coupled to the memory, the processor configured to perform the aforementioned monitoring method based on instructions stored in the memory.
According to yet another aspect of embodiments of the present disclosure, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores computer instructions that, when executed by a processor, implement the foregoing monitoring method.
The security monitoring method and the security monitoring device can realize security monitoring of the NEF gateway on the premise of not increasing the workload of the NEF gateway.
Other features of the present disclosure and its advantages will become apparent from the following detailed description of exemplary embodiments of the disclosure, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present disclosure, and that other drawings may be obtained according to these drawings without inventive faculty for a person skilled in the art.
Fig. 1 illustrates a schematic structural diagram of a monitoring system of some embodiments of the present disclosure.
Fig. 2 illustrates a schematic structural diagram of a monitoring method of some embodiments of the present disclosure.
Fig. 3 illustrates a schematic structural diagram of a monitoring device of some embodiments of the present disclosure.
Detailed Description
The following description of the technical solutions in the embodiments of the present disclosure will be made clearly and completely with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to fall within the scope of this disclosure.
The inventors found through research that, to ensure the security of the communication network when a third-party caller accesses or calls the network, monitoring software can be deployed on the NEF gateway, and devices such as firewalls can be added on each northbound and southbound route of the NEF gateway. However, these approaches greatly increase the load on the NEF gateway, increase access delay and call complexity, and cannot provide effective analysis based on data depth, the time dimension and access correlation.
In order to realize the security monitoring of the NEF gateway on the premise of not increasing the workload of the NEF gateway, the present disclosure provides a monitoring system based on a distributed intelligent probe, and is specifically described below.
Some embodiments of the monitoring system of the present disclosure are first described in connection with fig. 1.
Fig. 1 illustrates a schematic structural diagram of a monitoring system of some embodiments of the present disclosure. As shown in Fig. 1, the monitoring system 10 in this embodiment includes intelligent probes 101 deployed at the respective interfaces of the network exposure function (NEF) gateway, and a monitoring server 102 in signal connection with each intelligent probe.
The monitoring server 102 is deployed with monitoring analysis software, the initial firmware system of the intelligent probes, the operation configuration file of the intelligent probes, a data feature library and a behavior feature library. The monitoring server 102 may be connected to each intelligent probe 101 through a network and exchange data with it. The intelligent probes 101 may be deployed on each interface of the NEF gateway, specifically the northbound interface and the southbound interfaces. For example, one intelligent probe is deployed at the northbound interface of the NEF gateway (which interfaces with application-interface callers), and one intelligent probe is deployed at each southbound interface of the NEF gateway (which interfaces with the network functions), each identified by its topological location.
To keep the data collected by the distributed intelligent probes time-synchronized, each intelligent probe 101 can achieve high-precision time synchronization through the Global Positioning System or the BeiDou Navigation Satellite System; synchronization precision at the nanosecond or microsecond level meets the precision requirement for data-collection timestamps.
The monitoring server 102 is responsible for loading the firmware system, issuing the operation configuration file, issuing the data feature library and issuing the behavior feature library for each intelligent probe 101, and can receive the preliminary processing conclusions and the raw captured data reported by the intelligent probes. The monitoring server can also store, aggregate and analyze the preliminary processing conclusions and generate reports from them, and output anomaly or security early warnings and trend predictions according to the analysis. In addition, the monitoring server 102 can extract data-field features and behavior features from the raw captured data to enrich the data feature library and the behavior feature library.
The intelligent probe 101 is a high-speed data acquisition, analysis and processing device, and can be implemented with an FPGA (Field Programmable Gate Array) and a multi-core CPU (Central Processing Unit). The FPGA performs high-speed data acquisition and bitstream-oriented data analysis and processing; a 32 GB dynamic memory provides high-speed data caching, and a high-speed solid-state disk array stores data at a write rate of 450 MB/s; the multi-core CPU runs an operating system to provide flexible configuration and control, network protocol processing and overall management of the underlying acquisition operations.
The firmware system of the intelligent probe 101 can be flexibly reloaded, and its operation configuration file can be flexibly modified to suit different monitoring requirements. Once the intelligent probe is running its system, it captures, analyzes and stores the data flow on the interface locally according to the operation configuration file; during capture it can also match and filter data packets against the feature data fields in the data feature library; finally it reports the monitoring results required by the operation configuration file to the monitoring server. In addition, the intelligent probe 101 can capture the raw data of suspicious traffic that is not covered by the data feature library, timestamp it and store it to file for later analysis.
After the monitoring server 102 has collected the raw captured data reported by each intelligent probe 101, it performs further comprehensive analysis and correlation analysis, combining the topological location of each intelligent probe 101 with the time order of the raw captured data. This ensures effective end-to-end tracking of third-party access data, so that malicious API (Application Programming Interface) calls, malicious access attacks, DDoS (Distributed Denial of Service) attacks and the like from third parties are discovered at any time. Meanwhile, the monitoring server 102 can monitor the response behavior of the NEF gateway and evaluate its working stability and health status.
The monitoring server 102 stores a database for satisfying various monitoring needs, a behavior feature library, the system firmware file that runs on the intelligent probes, and the operation configuration file that guides the intelligent probes 101 in monitoring and data processing. When the monitoring policy or the monitoring requirements change, the monitoring server 102 may re-issue these files to the respective intelligent probes 101.
Those skilled in the art will appreciate that a distributed intelligent probe-based monitoring system may be flexibly and quickly deployed, including specifically adding, deleting, altering detection interfaces, and the like.
In some embodiments, each smart probe 101 is configured to: collecting data packets received and transmitted by the NEF gateway through a current interface; analyzing the data packet to generate a monitoring result of local abnormality; and sending the data packet and the monitoring result of the local abnormality to a monitoring server. The monitoring server 102 is configured to: receiving data packets sent by all intelligent probes and monitoring results of local anomalies; analyzing the data packets sent by each intelligent probe to generate a global abnormal monitoring result; and sending alarm information to the NEF gateway according to the monitoring result of the global abnormality and the monitoring result of the local abnormality sent by each intelligent probe.
According to this embodiment, without increasing the workload of the NEF gateway, real-time security monitoring of access to the NEF gateway is realized at the NEF interfaces of the 5G communication network. The characteristics of the data packets passing through the NEF interfaces are monitored objectively, and abnormal access and attacks are discovered and warned of in time, so that they can be effectively intercepted, or other safeguards taken promptly, without affecting the data access latency of the NEF interfaces.
In some embodiments, analyzing the data packet to generate a monitoring result of the local anomaly includes: extracting a data value of a preset field in a data packet; when the data value falls into an abnormal data value range of a corresponding preset field in the data feature library, generating a monitoring result of local data abnormality; determining a characteristic value of a preset calling behavior characteristic in the same session according to the data packet and the time stamp of the data packet in the same session; and when the characteristic value falls into an abnormal characteristic value range of the corresponding preset calling behavior characteristic in the behavior characteristic library, generating a monitoring result of local behavior abnormality.
In this embodiment, the intelligent probe performs fast real-time analysis and accurate timestamping of data packets locally, and generates a local-anomaly monitoring result when a data packet meets specific conditions.
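The probe-side check described above, as an added Python sketch that is not part of the patent: field values are tested against abnormal ranges in a data feature library, and per-session call behavior derived from packet timestamps is tested against a behavior feature library. The field names, feature names, ranges and sample packets are all constructed assumptions.

```python
from collections import defaultdict

INF = float("inf")

# Hypothetical data feature library: preset field -> abnormal value ranges (inclusive).
DATA_FEATURES = {
    "op_code": [(200, 255)],        # operation codes the gateway does not expose
    "payload_len": [(65536, INF)],  # oversized request bodies
}
# Hypothetical behavior feature library: per-session feature -> abnormal ranges.
BEHAVIOR_FEATURES = {
    "calls_per_second": [(50.0, INF)],
    "min_gap_us": [(0, 100)],       # back-to-back calls closer than 100 microseconds
}


def in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


def data_anomalies(packet):
    """Check each preset field of one packet against the data feature library."""
    return [
        {"kind": "local_data", "session": packet["session"], "ts_us": packet["ts_us"],
         "field": field, "value": packet["fields"][field]}
        for field, ranges in DATA_FEATURES.items()
        if field in packet["fields"] and in_ranges(packet["fields"][field], ranges)
    ]


def session_features(timestamps_us):
    """Derive call-behavior features from the packet timestamps of one session."""
    ts = sorted(timestamps_us)
    if len(ts) < 2:
        return {}  # a single packet carries no rate information
    span = ts[-1] - ts[0]
    return {
        # Identical timestamps mean an unbounded rate, which must still be flagged.
        "calls_per_second": INF if span == 0 else (len(ts) - 1) * 1_000_000 / span,
        "min_gap_us": min(b - a for a, b in zip(ts, ts[1:])),
    }


def analyze(packets):
    """Return the local monitoring results for one probe's capture."""
    results, sessions = [], defaultdict(list)
    for p in packets:
        results.extend(data_anomalies(p))
        sessions[p["session"]].append(p["ts_us"])
    for session, stamps in sessions.items():
        for feature, value in session_features(stamps).items():
            if in_ranges(value, BEHAVIOR_FEATURES.get(feature, [])):
                results.append({"kind": "local_behavior", "session": session,
                                "feature": feature, "value": value})
    return results


# Constructed sample capture from one probe (not real traffic).
SAMPLE = (
    [{"session": "A", "ts_us": t, "fields": {"op_code": 3, "payload_len": 512}}
     for t in (1_000_000, 2_000_000)]
    + [{"session": "A", "ts_us": 3_000_000, "fields": {"op_code": 201, "payload_len": 512}}]
    + [{"session": "B", "ts_us": 10_000_000 + i * 10_000,
        "fields": {"op_code": 3, "payload_len": 128}} for i in range(6)]
)

if __name__ == "__main__":
    for result in analyze(SAMPLE):
        print(result)
```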
In some embodiments, analyzing the data packet sent by each intelligent probe, and generating the monitoring result of the global anomaly includes: analyzing the data packets sent by each intelligent probe to obtain access characteristics of the data packets sent by each intelligent probe, wherein the access characteristics comprise a source IP address, a source port, a destination IP address, a destination port, an access data type and an access operation code; counting the number of data packets sent by each intelligent probe with preset access characteristics; and when the number of data packets sent by each intelligent probe with the preset access characteristic is larger than the preset number, generating a monitoring result of global abnormality associated with the preset access characteristic.
According to this embodiment, the monitoring server performs overall comprehensive analysis, correlation analysis, multidimensional analysis and in-depth analysis on the data packets collected by all intelligent probes, so that abnormal third-party access can be alarmed on and predicted at the global level.
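An added Python sketch of the server-side count (not code from the patent): packets reported by all probes are reduced to the six access characteristics, matched against preset patterns and counted, so a pattern that stays small at every single probe can still exceed the preset number in total. Summing across probes is this example's reading of the text; the preset patterns, probe names and addresses are constructed.

```python
from collections import Counter

ACCESS_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "data_type", "op_code")

# Hypothetical preset access characteristics: name -> (fields to match, preset number).
# Fields left out of a pattern act as wildcards.
PRESETS = {
    "location-read-burst": ({"data_type": "location", "op_code": "GET"}, 5),
    "single-source-volume": ({"src_ip": "203.0.113.7"}, 8),
}


def access_features(packet):
    """Reduce a reported packet record to the six access characteristics."""
    return {f: packet.get(f) for f in ACCESS_FIELDS}


def matches(features, pattern):
    return all(features[k] == v for k, v in pattern.items())


def global_anomalies(reports, presets=PRESETS):
    """reports maps probe id -> list of packet records reported by that probe."""
    results = []
    for name, (pattern, preset_number) in presets.items():
        per_probe = Counter()
        for probe, packets in reports.items():
            per_probe[probe] = sum(matches(access_features(p), pattern) for p in packets)
        total = sum(per_probe.values())
        if total > preset_number:
            # Keep the per-probe breakdown: it shows where in the topology the
            # traffic was seen, which the local results alone do not reveal.
            results.append({"kind": "global", "feature": name, "count": total,
                            "preset_number": preset_number,
                            "per_probe": dict(per_probe)})
    return results


def pkt(*values):
    """Build a constructed packet record from the six access characteristics."""
    return dict(zip(ACCESS_FIELDS, values))


# Constructed sample reports (documentation address ranges, not real traffic).
GW_N, GW_S = "192.0.2.10", "192.0.2.11"
SAMPLE_REPORTS = {
    "north": [pkt("203.0.113.7", 40000 + i, GW_N, 443, "location", "GET")
              for i in range(3)]
             + [pkt("198.51.100.20", 51000, GW_N, 443, "qos", "POST")],
    "south-amf": [pkt(GW_S, 42000 + i, "192.0.2.21", 8080, "location", "GET")
                  for i in range(2)],
    "south-udm": [pkt(GW_S, 43000, "192.0.2.22", 8080, "location", "GET")],
}

if __name__ == "__main__":
    for result in global_anomalies(SAMPLE_REPORTS):
        print(result)
```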
In some embodiments, the monitoring server is further configured to: issuing a data feature library and a behavior feature library to each intelligent probe; extracting calling parameters from data packets sent by all intelligent probes; and when the call parameters are not matched with the call parameter requirements issued by the NEF gateway currently, adding the call parameters to the data feature library.
According to this embodiment, when a data packet meets a certain capture condition, it can be captured in depth, so that suspicious data for which no feature field had yet been established can be analyzed later and the data feature library enriched.
In some embodiments, the monitoring server is further configured to: monitoring operation state parameters of the NEF gateway, wherein the operation state parameters comprise CPU occupancy rate, memory occupancy rate, hard disk occupancy rate and CPU temperature; outputting health state indexes of the NEF gateway corresponding to the operation state parameters; receiving the time stamp of the data packet sent by each intelligent probe; determining average response time and average response time change rate of each interface of the NEF gateway according to the time stamp of the data packet; and outputting the stability index of the NEF gateway corresponding to the average response time and the average response time change rate.
In some embodiments, the monitoring server is further configured to: determining the flow of data packets sent by each intelligent probe in each historical time period; and predicting the flow of the data packet sent by each intelligent probe in a preset future time period by adopting a linear fitting or nonlinear fitting mode.
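An added Python sketch (not from the patent) of the two time-based calculations above: per-interface average response time and its change rate from probe timestamps, and a least-squares linear fit that extrapolates per-period traffic. Pairing requests with responses by a transaction id, the relative change-rate definition, the one-second window and the sample data are assumptions; the patent does not define how these values map to a stability index.

```python
from collections import defaultdict
from statistics import mean


def response_times(records):
    """Pair each request with its response per (interface, transaction id).

    records: iterable of (interface, txn_id, direction, ts_us), direction "req"/"resp".
    Returns ({interface: [(request_ts_us, response_time_us), ...]}, unanswered).
    """
    pending, samples = {}, defaultdict(list)
    for iface, txn, direction, ts in sorted(records, key=lambda r: r[3]):
        key = (iface, txn)
        if direction == "req":
            pending[key] = ts
        elif key in pending:  # a response with no recorded request is ignored
            start = pending.pop(key)
            samples[iface].append((start, ts - start))
    return dict(samples), pending


def windowed_average(samples, window_us):
    """Average response time per time window, keyed by window index."""
    buckets = defaultdict(list)
    for start, rt in samples:
        buckets[start // window_us].append(rt)
    return [(w, mean(v)) for w, v in sorted(buckets.items())]


def change_rates(averages):
    """Relative change of the average between consecutive windows."""
    return [(w2, (a2 - a1) / a1)
            for (_, a1), (w2, a2) in zip(averages, averages[1:]) if a1]


def linear_fit(ys):
    """Least-squares line y = slope * x + intercept over x = 0 .. n-1."""
    n = len(ys)
    if n < 2:
        raise ValueError("need at least two historical periods")
    mx, my = (n - 1) / 2, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in range(n))
    slope = sum((x - mx) * (y - my) for x, y in enumerate(ys)) / sxx
    return slope, my - slope * mx


def forecast(ys, steps_ahead):
    """Extrapolate the fitted line steps_ahead periods past the last one."""
    slope, intercept = linear_fit(ys)
    return slope * (len(ys) - 1 + steps_ahead) + intercept


# Constructed sample: timestamped records from the northbound probe, in microseconds.
SAMPLE_RECORDS = [
    ("north", "t1", "req", 0), ("north", "t1", "resp", 20_000),
    ("north", "t2", "req", 500_000), ("north", "t2", "resp", 530_000),
    ("north", "t3", "req", 1_000_000), ("north", "t3", "resp", 1_050_000),
    ("north", "t4", "req", 1_400_000), ("north", "t4", "resp", 1_450_000),
    ("north", "t5", "req", 1_900_000),  # never answered
]
# Constructed sample: packets per historical period reported by one probe.
SAMPLE_TRAFFIC = [100, 120, 140, 160]

if __name__ == "__main__":
    samples, unanswered = response_times(SAMPLE_RECORDS)
    averages = windowed_average(samples["north"], 1_000_000)
    print(averages, change_rates(averages), list(unanswered))
    print(forecast(SAMPLE_TRAFFIC, 1))
```

Requests left in the unanswered map are worth tracking alongside the averages, since a gateway that stops responding does not show up in response-time samples at all.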
In some embodiments, each intelligent probe is further configured to perform time synchronization through the Global Positioning System or the BeiDou Navigation Satellite System.
In some embodiments, the monitoring server is further configured to issue system firmware and configuration files to each intelligent probe; each intelligent probe is further configured to run the system firmware and the configuration file, and to perform data packet acquisition, data packet analysis and monitoring result transmission according to the configuration file.
Some embodiments of the monitoring method of the present disclosure are described below in connection with fig. 2.
Fig. 2 illustrates a flow diagram of a monitoring method of some embodiments of the present disclosure. As shown in fig. 2, the monitoring method in the present embodiment includes steps S201 to S204.
In step S201, the intelligent probe collects a data packet that the NEF gateway receives and transmits through the current interface.
In step S202, the intelligent probe analyzes the data packet to generate a monitoring result of the local anomaly.
In step S203, the intelligent probes send the data packets and the monitoring results of the local anomalies to the monitoring server, and the monitoring server receives the data packets and the monitoring results of the local anomalies sent by the intelligent probes.
In step S204, the monitoring server analyzes the data packets sent by the intelligent probes, and generates a global abnormal monitoring result.
In step S205, the monitoring server sends alarm information to the NEF gateway according to the monitoring result of the global anomaly and the monitoring result of the local anomaly sent by each intelligent probe.
The monitoring server may send global anomaly alert information or local anomaly alert information to the NEF gateway. In addition, after analyzing the data packets reported by each intelligent probe, the monitoring server can judge the degree to which the NEF gateway is affected. If the abnormal access by a third-party application is caused only by a fault, infection or the like in the third-party application's own program or device, and the network and servers of the NEF are not threatened or endangered, the abnormal behavior of the third-party application can be presented in the monitoring server but is not sufficient to trigger an alarm to the NEF gateway. If the severity is high enough, for example the attack is clearly malicious and planned, the service quality of other third-party applications is noticeably reduced, and the performance of servers in the core network is noticeably degraded, so that the NEF's servers cannot respond normally to calls from third-party applications and cannot output safety data, an alarm can be sent to the NEF gateway promptly.
According to this embodiment, without increasing the workload of the NEF gateway, real-time security monitoring of access to the NEF gateway is implemented at the NEF interfaces of the 5G communication network. The intrinsic characteristics of the data packets passing through the NEF interfaces are monitored objectively, and abnormal access and attacks are discovered in time and an early warning is given, so that they can be effectively intercepted, or other safeguard measures can be taken in time, without affecting the data access delay of the NEF interface.
In some embodiments, step S204 includes: step S2041, extracting a data value of a preset field in the data packet; step S2042, when the data value falls into the abnormal data value range of the corresponding preset field in the data feature library, generating a monitoring result of local data abnormality; step S2043, determining a characteristic value of a preset calling behavior characteristic in the same session according to the data packet and the time stamp of the data packet in the same session; step S2044, when the characteristic value falls into the abnormal characteristic value range of the corresponding preset calling behavior characteristic in the behavior characteristic library, generating a monitoring result of local behavior abnormality.
The data feature library may store the data feature values of traffic entering and leaving the core network through the NEF, that is, the ranges to which the data values of the respective data segments belong, both in the data packets sent when a third-party application accesses the NEF and in the data packets the NEF returns to the third-party application. These may specifically include a source IP address range, a source port number range, a destination IP address range, a destination port number, a data type, an operation/command code range, an operation/command parameter range, and so on.
For example, after the intelligent probe parses the source IP address, the source port number, the target IP address, the target port number, the data type, the operation/command code, the operation/command parameter, and the like, it compares each data value with the corresponding data value range in the feature library and determines whether any data in the packet falls within an abnormal range in the feature library; if so, it marks the abnormal field (for example, when the source IP address falls into the abnormal source IP address range, a monitoring result of local data abnormality is generated).
The behavior feature library includes behavior features determined after statistical analysis of the plurality of data packets, and may specifically include: normal or abnormal operation, fixed cycle call, high frequency call, malicious call, distributed call, denial of server call, port increment scan, port decrement scan, pseudo random scan, out of parameter attack, etc. For example, in the case where the third party application is found to call the NEF at a fixed period, or the third party application calls the NEF at an excessively high frequency, a monitoring result of the local behavior abnormality is generated.
In this embodiment, the intelligent probe can perform rapid real-time analysis processing and accurate time stamping processing on the data packet at the local end, and generate a monitoring result of local abnormality under the condition that the data packet meets a specific condition.
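The probe-side check described above, sketched as an added example that is not part of the patent. The field names, the library layout, the thresholds and the sample traffic are all constructed assumptions; the patent does not specify any of them.

```python
import ipaddress
from statistics import mean, pstdev

# Constructed data feature library: abnormal value ranges per preset field.
DATA_FEATURES = {
    "src_ip": [ipaddress.ip_network("203.0.113.0/24")],
    "dst_port": [range(0, 1024)],
    "op_code": [range(0x80, 0x100)],
}

# Constructed behavior feature library:
# feature name -> (measured characteristic, abnormal low, abnormal high).
BEHAVIOR_FEATURES = {
    "high_frequency_call": ("calls_per_second", 20.0, float("inf")),
    "fixed_cycle_call": ("interval_cv", 0.0, 0.05),
    "port_increment_scan": ("port_increment_run", 5, float("inf")),
}


def check_packet(pkt):
    """Return the preset fields of one packet whose value is in an abnormal range."""
    hits = []
    for field, ranges in DATA_FEATURES.items():
        value = pkt[field]
        if field == "src_ip":
            value = ipaddress.ip_address(value)
        if any(value in r for r in ranges):
            hits.append(field)
    return hits


def session_characteristics(packets):
    """Derive call-behavior characteristics from one session's packets and timestamps."""
    pkts = sorted(packets, key=lambda p: p["ts"])
    gaps = [b["ts"] - a["ts"] for a, b in zip(pkts, pkts[1:])]
    values = {}
    if gaps and sum(gaps) > 0:
        values["calls_per_second"] = len(gaps) / sum(gaps)
    if len(gaps) >= 4 and mean(gaps) > 0:
        # Coefficient of variation of the spacing; near 0 means a fixed period.
        values["interval_cv"] = pstdev(gaps) / mean(gaps)
    run = longest = 1
    for a, b in zip(pkts, pkts[1:]):
        run = run + 1 if b["dst_port"] == a["dst_port"] + 1 else 1
        longest = max(longest, run)
    values["port_increment_run"] = longest
    return values


def check_session(packets):
    """Return the behavior features whose characteristic is in its abnormal range."""
    values = session_characteristics(packets)
    hits = []
    for name, (characteristic, low, high) in BEHAVIOR_FEATURES.items():
        value = values.get(characteristic)
        if value is not None and low <= value <= high:
            hits.append(name)
    return hits


def probe_results(packets):
    """Per-packet data checks plus per-session behavior checks, as one result list."""
    results, sessions = [], {}
    for pkt in packets:
        sessions.setdefault(pkt["session"], []).append(pkt)
        for field in check_packet(pkt):
            results.append(("local_data_anomaly", pkt["session"], field))
    for session_id, pkts in sessions.items():
        for name in check_session(pkts):
            results.append(("local_behavior_anomaly", session_id, name))
    return results


def make_packet(session, ts, src_ip, dst_port, op_code=0x01):
    return {"session": session, "ts": ts, "src_ip": src_ip,
            "dst_port": dst_port, "op_code": op_code}


# Constructed sample traffic: s1 is ordinary, s2 calls every 10 s exactly,
# s3 comes from an abnormal source range and walks the port numbers upward.
SAMPLE = (
    [make_packet("s1", t, "198.51.100.10", 8443) for t in (0.0, 1.3, 4.0, 4.9, 9.2)]
    + [make_packet("s2", 100.0 + 10 * i, "198.51.100.20", 8443) for i in range(6)]
    + [make_packet("s3", t, "203.0.113.7", 8000 + i)
       for i, t in enumerate((200.0, 200.5, 201.7, 202.0, 203.9, 204.1))]
)

if __name__ == "__main__":
    for result in probe_results(SAMPLE):
        print(result)
```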
In some embodiments, step S205 includes: step S2051, analyzing the data packets sent by each intelligent probe to obtain access characteristics of the data packets sent by each intelligent probe, wherein the access characteristics comprise a source IP address, a source port, a destination IP address, a destination port, an access data type and an access operation code; step S2052, counting the number of data packets sent by each intelligent probe with preset access characteristics; in step S2053, when the number of data packets sent by each intelligent probe having the preset access characteristic is greater than the preset number, a global anomaly monitoring result associated with the preset access characteristic is generated.
The monitoring server can carry out comprehensive analysis and association analysis on the data packets reported by all the intelligent probes, and compiles statistics on the analysis results to form global monitoring results. During comprehensive analysis, on the one hand, all data packets reported by all intelligent probes are aggregated; on the other hand, the monitoring results of local anomalies reported by each probe are collected, including analysis results of individual data packets, analysis results of a complete session and analysis results of a plurality of sessions. The monitoring server forms a global analysis of the specified access directions (e.g., source IP address, source port number, destination IP address, destination port number, data type, operation/command code, operation/command parameters) over a time range based on the time stamps. During association analysis, the access track, the access logic and the access patterns of different data packets on different network paths can be tracked.
According to this embodiment, the monitoring server performs overall comprehensive analysis, association analysis, multidimensional analysis and in-depth analysis on the data packets collected by all intelligent probes, so that abnormal third-party access can be alarmed on and predicted at the global level.
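The server-side counting step described above, as an added example that is not part of the patent. It shows why the global view matters: each probe alone stays under the preset number, while the total across probes exceeds it. Probe names, the presets, the window length and the sample packets are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed presets: which access characteristics to count, and the preset number.
PRESETS = [
    {"name": "same source and operation", "fields": ("src_ip", "op_code"), "max_packets": 8},
    {"name": "same destination", "fields": ("dst_ip", "dst_port"), "max_packets": 50},
]
WINDOW_SECONDS = 60


def global_anomalies(reports, presets=PRESETS, window=WINDOW_SECONDS):
    """reports maps probe id -> packets it forwarded; returns global anomaly results."""
    results = []
    for preset in presets:
        counts = Counter()
        seen_by = defaultdict(set)
        for probe_id, packets in reports.items():
            for pkt in packets:
                # Probes are time-synchronized, so timestamps share one clock.
                bucket = int(pkt["ts"] // window)
                key = (bucket, tuple(pkt[f] for f in preset["fields"]))
                counts[key] += 1
                seen_by[key].add(probe_id)
        for key, count in sorted(counts.items()):
            if count > preset["max_packets"]:
                results.append({
                    "preset": preset["name"],
                    "window_start": key[0] * window,
                    "value": key[1],
                    "count": count,
                    "probes": sorted(seen_by[key]),
                })
    return results


def make_packet(ts, src_ip, op_code, src_port=40000,
                dst_ip="192.0.2.10", dst_port=8443, data_type="json"):
    return {"ts": ts, "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "data_type": data_type, "op_code": op_code}


# Constructed reports: one source spreads 12 identical calls over three probes.
SAMPLE_REPORTS = {
    "probe-1": [make_packet(1.0 + i, "203.0.113.7", 0x21) for i in range(4)]
               + [make_packet(5.5, "198.51.100.10", 0x01)],
    "probe-2": [make_packet(10.0 + i, "203.0.113.7", 0x21) for i in range(4)],
    "probe-3": [make_packet(20.0 + i, "203.0.113.7", 0x21) for i in range(4)]
               + [make_packet(30.0, "198.51.100.11", 0x01)],
}

if __name__ == "__main__":
    for anomaly in global_anomalies(SAMPLE_REPORTS):
        print(anomaly)
```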
In some embodiments, the monitoring method further comprises step S200.
In step S200, the monitoring server and each intelligent probe perform an initialization operation.
The monitoring server issues system firmware and configuration files to each intelligent probe so that each intelligent probe runs the system firmware and the configuration files, starts monitoring work according to the configuration files, and executes the operations of data packet collection, data packet analysis and monitoring result transmission. In addition, the monitoring server also transmits a data feature library and a behavior feature library to each intelligent probe. Each intelligent probe performs time synchronization through a global positioning system or a Beidou satellite navigation system.
In some embodiments, the monitoring method further comprises steps S206-S207.
In step S206, the monitoring server extracts call parameters from the data packets sent by the respective intelligent probes.
In step S207, the monitoring server adds the call parameters to the data feature library when the call parameters do not match the call parameter requirements currently issued by the NEF gateway.
For example, when a data packet sent by a third-party application to the NEF, or a data packet sent by the NEF to the third-party application, does not comply with the call parameter requirements (for example, the number of call parameters) that the operator has published externally for the network open function, the intelligent probe can perform triggered data capture and data storage for the suspicious data. In addition, the monitoring server may further determine whether the order of the call parameters used when the third-party application accesses the NEF conforms to the specification.
According to this embodiment, when a data packet meets a given capture condition, it can be captured in depth, so that suspicious data for which no feature field was established earlier can be analyzed later, thereby enriching the data feature library.
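Steps S206 and S207, sketched as an added example that is not part of the patent: call parameters are compared with the published requirement by number and order, and non-conforming ones are recorded in the feature library. The operation names, parameter names and library layout are hypothetical.

```python
# Constructed stand-in for the call parameter requirements currently published
# by the NEF gateway: operation -> parameter names in the required order.
PUBLISHED_REQUIREMENTS = {
    "subscribe_event": ["app_id", "event_type", "notify_uri"],
    "query_location": ["app_id", "ue_id"],
}


def check_call(operation, params):
    """Return the reasons a call does not match the published requirement."""
    required = PUBLISHED_REQUIREMENTS.get(operation)
    if required is None:
        return ["unpublished_operation"]
    reasons = []
    if len(params) != len(required):
        reasons.append("count")
    if any(p not in required for p in params):
        reasons.append("unexpected")
    if any(p not in params for p in required):
        reasons.append("missing")
    # Compare order only over the parameters both sides know about.
    actual_order = [p for p in params if p in required]
    expected_order = [p for p in required if p in params]
    if actual_order != expected_order:
        reasons.append("order")
    return reasons


def enrich_feature_library(library, packets):
    """Add the call parameters of non-conforming packets to the data feature library.

    library maps (operation, parameter tuple) -> details; returns new signatures.
    """
    added = []
    for pkt in packets:
        reasons = check_call(pkt["operation"], pkt["params"])
        if not reasons:
            continue
        signature = (pkt["operation"], tuple(pkt["params"]))
        if signature not in library:
            library[signature] = {"reasons": reasons, "first_seen": pkt["ts"], "count": 0}
            added.append(signature)
        library[signature]["count"] += 1
    return added


def is_known_abnormal(library, pkt):
    """What a probe can do once the enriched library has been issued to it."""
    return (pkt["operation"], tuple(pkt["params"])) in library


# Constructed calls extracted from packets forwarded by the probes.
SAMPLE_CALLS = [
    {"ts": 1.0, "operation": "subscribe_event",
     "params": ["app_id", "event_type", "notify_uri"]},
    {"ts": 2.0, "operation": "query_location", "params": ["ue_id", "app_id"]},
    {"ts": 3.0, "operation": "query_location", "params": ["app_id", "ue_id", "debug"]},
    {"ts": 4.0, "operation": "query_location", "params": ["ue_id", "app_id"]},
    {"ts": 5.0, "operation": "subscribe_event", "params": ["app_id"]},
]

if __name__ == "__main__":
    feature_library = {}
    enrich_feature_library(feature_library, SAMPLE_CALLS)
    for signature, details in feature_library.items():
        print(signature, details)
```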
In some embodiments, the monitoring method further comprises steps S208 to S209.
In step S208, the monitoring server monitors the operation state parameters of the NEF gateway, where the operation state parameters include CPU occupancy rate, memory occupancy rate, hard disk occupancy rate, and CPU temperature. The monitoring server outputs health status indexes of the NEF gateway corresponding to the operation status parameters.
In step S209, the monitoring server receives a timestamp of a data packet sent by each intelligent probe; the monitoring server determines the average response time and the average response time change rate of each interface of the NEF gateway according to the time stamp of the data packet; the monitoring server outputs a stability index of the NEF gateway corresponding to the average response time and the average response time change rate.
The stability and health indicators of the NEF gateway may be determined by analyzing the data packets on the ingress and egress data interfaces around the NEF gateway. Based on the duration, and the fluctuation in duration, of the NEF gateway's responses to different volumes of third-party application access, the statistics and historical changes of anomalies in the externally output data, and the duration and fluctuation of the NEF gateway's data forwarding, the NEF gateway can be determined to be of high stability, medium stability or low stability. Based on the operational status parameters, the workload of the NEF gateway may be determined, thereby determining whether the NEF gateway is in a healthy or unhealthy state.
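Step S209 as an added example that is not part of the patent: response times are derived from probe timestamps per interface, then averaged per window and compared across windows. The pairing key, the definition of change rate (mean absolute relative change between consecutive windows), the thresholds and the sample packets are assumptions made for this sketch.

```python
from collections import defaultdict


def response_times(packets):
    """Pair each request with its response by (interface, call_id).

    Returns ([(interface, request_ts, response_time)], {interface: unanswered}).
    """
    pending, measured = {}, []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = (pkt["interface"], pkt["call_id"])
        if pkt["direction"] == "request":
            pending[key] = pkt["ts"]
        elif key in pending:
            start = pending.pop(key)
            measured.append((pkt["interface"], start, pkt["ts"] - start))
    unanswered = defaultdict(int)
    for interface, _call_id in pending:
        unanswered[interface] += 1
    return measured, dict(unanswered)


def stability_report(packets, window=60.0, max_avg=0.5, max_change=0.5):
    """Average response time, its change rate and a stability level per interface."""
    measured, unanswered = response_times(packets)
    windows = defaultdict(lambda: defaultdict(list))
    for interface, start, rt in measured:
        windows[interface][int(start // window)].append(rt)
    report = {}
    for interface, by_window in windows.items():
        averages = [sum(v) / len(v) for _, v in sorted(by_window.items())]
        rates = [(b - a) / a for a, b in zip(averages, averages[1:]) if a > 0]
        avg = sum(averages) / len(averages)
        change = sum(abs(r) for r in rates) / len(rates) if rates else 0.0
        # Assumed mapping: no threshold exceeded -> high, one -> medium, both -> low.
        breaches = (avg > max_avg) + (change > max_change)
        report[interface] = {
            "avg_response_time": avg,
            "avg_change_rate": change,
            "unanswered": unanswered.get(interface, 0),
            "stability": ("high", "medium", "low")[breaches],
        }
    return report


def exchange(interface, call_id, start, rt):
    """Constructed request/response pair as two timestamped probe records."""
    return [
        {"interface": interface, "call_id": call_id, "direction": "request", "ts": start},
        {"interface": interface, "call_id": call_id, "direction": "response", "ts": start + rt},
    ]


# Constructed sample: if-A answers in about 0.1 s throughout; if-B triples its
# response time every minute and leaves one request unanswered.
SAMPLE_PACKETS = (
    exchange("if-A", "a1", 1.0, 0.1) + exchange("if-A", "a2", 61.0, 0.1)
    + exchange("if-A", "a3", 121.0, 0.1)
    + exchange("if-B", "b1", 2.0, 0.2) + exchange("if-B", "b2", 62.0, 0.6)
    + exchange("if-B", "b3", 122.0, 1.8)
    + [{"interface": "if-B", "call_id": "b4", "direction": "request", "ts": 130.0}]
)

if __name__ == "__main__":
    for interface, row in sorted(stability_report(SAMPLE_PACKETS).items()):
        print(interface, row)
```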
In some embodiments, the monitoring method further comprises step S210.
In step S210, the monitoring server determines the flow rate of the data packet sent by each intelligent probe in each historical period; the monitoring server predicts the flow of the data packet sent by each intelligent probe in a preset future time period in a linear fitting or nonlinear fitting mode.
The monitoring server performs deep data mining and analysis on the historical data of the interfaces monitored by the intelligent probes, analyzing different dimensions such as the inbound and outbound data flow of the interface, a single caller, multiple callers, a single server, multiple servers, a single service and multiple services, and analyzing by day, week, month, quarter, half-year and year, so as to predict the trend and fluctuation of the analyzed object over a certain period in the future.
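Step S210 as an added example that is not part of the patent: a linear fit and one nonlinear (exponential) fit are computed over a probe's per-period packet counts, and the one with the smaller error on the history is used for the forecast. The choice of an exponential model, the selection rule and the sample histories are assumptions.

```python
import math


def fit_linear(ts, ys):
    """Ordinary least squares for y = a + b*t; returns the fitted function."""
    n = len(ts)
    mean_t, mean_y = sum(ts) / n, sum(ys) / n
    sxx = sum((t - mean_t) ** 2 for t in ts)
    slope = sum((t - mean_t) * (y - mean_y) for t, y in zip(ts, ys)) / sxx
    intercept = mean_y - slope * mean_t
    return lambda t: intercept + slope * t


def fit_exponential(ts, ys):
    """Nonlinear model y = A*exp(k*t), fitted as a line through log(y)."""
    line = fit_linear(ts, [math.log(y) for y in ys])
    return lambda t: math.exp(line(t))


def squared_error(model, ts, ys):
    return sum((model(t) - y) ** 2 for t, y in zip(ts, ys))


def predict_flow(history, horizon):
    """history: packet counts per historical period, oldest first (at least two).

    Returns (name of the chosen model, forecast for the next `horizon` periods).
    """
    ts = list(range(len(history)))
    candidates = {"linear": fit_linear(ts, history)}
    if all(y > 0 for y in history):  # log() needs strictly positive counts
        candidates["exponential"] = fit_exponential(ts, history)
    # Both models are compared on the raw counts, not in log space.
    name, model = min(candidates.items(),
                      key=lambda item: squared_error(item[1], ts, history))
    return name, [model(len(history) + i) for i in range(horizon)]


# Constructed per-probe history: packets forwarded in each of five past periods.
SAMPLE_HISTORY = {
    "probe-1": [100, 110, 120, 130, 140],    # steady growth
    "probe-2": [100, 200, 400, 800, 1600],   # doubling each period
}

if __name__ == "__main__":
    for probe_id, history in SAMPLE_HISTORY.items():
        model_name, forecast = predict_flow(history, horizon=2)
        print(probe_id, model_name, [round(v) for v in forecast])
```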
It should be understood by those skilled in the art that steps S201 to S209 may be performed cyclically to implement continuous monitoring of the NEF gateway.
Some embodiments of the monitoring device of the present disclosure are described below in connection with fig. 3.
Fig. 3 illustrates a schematic structural diagram of a monitoring device of some embodiments of the present disclosure. As shown in fig. 3, the monitoring device 30 of this embodiment includes: a memory 310 and a processor 320 coupled to the memory 310, the processor 320 being configured to perform the monitoring method of any of the embodiments described above based on instructions stored in the memory 310.
The memory 310 may include, for example, system memory, fixed nonvolatile storage media, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, and other programs.
The monitoring device 30 may also include an input-output interface 330, a network interface 340, a storage interface 350, and the like. These interfaces 330, 340, 350 and the memory 310 and the processor 320 may be connected, for example, by a bus 360. The input/output interface 330 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, a touch screen, and the like. Network interface 340 provides a connection interface for various networking devices. Storage interface 350 provides a connection interface for external storage devices such as SD cards, U-discs, and the like.
The present disclosure also includes a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the monitoring method of any of the previous embodiments.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the preferred embodiments of the present disclosure is not intended to limit the disclosure; rather, it covers any modification, equivalent replacement, improvement or the like that falls within the spirit and principles of the present disclosure.

Claims (18)

1. A monitoring system, comprising:
intelligent probes deployed at respective interfaces of the network open function, NEF, gateway, each intelligent probe configured to: collecting data packets received and transmitted by the NEF gateway through a current interface; analyzing the data packet to generate a monitoring result of local abnormality; the data packet and the monitoring result of the local abnormality are sent to a monitoring server;
a monitoring server in signal connection with each smart probe configured to: receiving the data packet and the monitoring result of the local abnormality sent by each intelligent probe; analyzing the data packet sent by each intelligent probe to generate a global abnormal monitoring result; and sending alarm information to the NEF gateway according to the monitoring result of the global abnormality and the monitoring result of the local abnormality sent by each intelligent probe.
2. The monitoring system of claim 1, wherein the analyzing the data packet to generate a monitoring result of a local anomaly comprises:
extracting a data value of a preset field in the data packet;
when the data value falls into an abnormal data value range of a corresponding preset field in the data feature library, generating a monitoring result of local data abnormality;
determining a characteristic value of a preset calling behavior characteristic in the same session according to the data packet and the time stamp of the data packet in the same session;
and when the characteristic value falls into an abnormal characteristic value range of the corresponding preset calling behavior characteristic in the behavior characteristic library, generating a monitoring result of local behavior abnormality.
3. The monitoring system of claim 1, wherein the analyzing the data packets sent by each smart probe to generate a global anomaly monitoring result comprises:
analyzing the data packets sent by each intelligent probe to obtain access characteristics of the data packets sent by each intelligent probe, wherein the access characteristics comprise a source IP address, a source port, a destination IP address, a destination port, an access data type and an access operation code;
counting the number of the data packets sent by each intelligent probe with preset access characteristics;
and when the number of the data packets sent by each intelligent probe with the preset access characteristic is larger than the preset number, generating a monitoring result of the global abnormality associated with the preset access characteristic.
4. The monitoring system of claim 2, wherein the monitoring server is further configured to:
issuing a data feature library and a behavior feature library to each intelligent probe;
extracting calling parameters from the data packets sent by each intelligent probe;
and when the call parameter is not matched with the call parameter requirement issued by the NEF gateway currently, adding the call parameter to the data feature library.
5. The monitoring system of claim 1, wherein the monitoring server is further configured to:
monitoring operation state parameters of the NEF gateway, wherein the operation state parameters comprise CPU occupancy rate, memory occupancy rate, hard disk occupancy rate and CPU temperature;
outputting health state indexes of the NEF gateway corresponding to the operation state parameters;
receiving the time stamp of the data packet sent by each intelligent probe;
determining average response time and average response time change rate of each interface of the NEF gateway according to the time stamp of the data packet;
and outputting a stability index of the NEF gateway corresponding to the average response time and the average response time change rate.
6. The monitoring system of claim 1, wherein the monitoring server is further configured to:
determining the flow of the data packet sent by each intelligent probe in each historical time period;
and predicting the flow of the data packet sent by each intelligent probe in a preset future time period by adopting a linear fitting or nonlinear fitting mode.
7. The monitoring system of claim 6, wherein each smart probe is further configured to: and performing time synchronization through a global positioning system or a Beidou satellite navigation system.
8. The monitoring system of claim 1, wherein,
the monitoring server is further configured to: issuing system firmware and configuration files to each intelligent probe;
each smart probe is further configured to: and operating the system firmware and the configuration file, and executing the operations of data packet acquisition, data packet analysis and monitoring result transmission according to the configuration file.
9. A method of monitoring, comprising:
the intelligent probe collects data packets which are received and transmitted by the NEF gateway through the current interface;
the intelligent probe analyzes the data packet and generates a monitoring result of local abnormality;
the intelligent probe sends the data packet and the monitoring result of the local abnormality to a monitoring server;
the monitoring server receives the data packet and the monitoring result of the local abnormality sent by each intelligent probe;
the monitoring server analyzes the data packets sent by each intelligent probe to generate a global abnormal monitoring result;
and the monitoring server sends alarm information to the NEF gateway according to the monitoring result of the global abnormality and the monitoring result of the local abnormality sent by each intelligent probe.
10. The monitoring method according to claim 9, wherein the analyzing the data packet to generate the monitoring result of the local anomaly includes:
extracting a data value of a preset field in the data packet;
when the data value falls into an abnormal data value range of a corresponding preset field in the data feature library, generating a monitoring result of local data abnormality;
determining a characteristic value of a preset calling behavior characteristic in the same session according to the data packet and the time stamp of the data packet in the same session;
and when the characteristic value falls into an abnormal characteristic value range of the corresponding preset calling behavior characteristic in the behavior characteristic library, generating a monitoring result of local behavior abnormality.
11. The monitoring method according to claim 9, wherein the analyzing the data packets sent by the intelligent probes, and generating a global anomaly monitoring result includes:
analyzing the data packets sent by each intelligent probe to obtain access characteristics of the data packets sent by each intelligent probe, wherein the access characteristics comprise a source IP address, a source port, a destination IP address, a destination port, an access data type and an access operation code;
counting the number of the data packets sent by each intelligent probe with preset access characteristics;
and when the number of the data packets sent by each intelligent probe with the preset access characteristic is larger than the preset number, generating a monitoring result of the global abnormality associated with the preset access characteristic.
12. The monitoring method of claim 10, further comprising:
the monitoring server transmits a data feature library and a behavior feature library to each intelligent probe;
the monitoring server extracts calling parameters from the data packets sent by each intelligent probe;
and when the call parameters are not matched with the call parameter requirements issued by the NEF gateway currently, the monitoring server adds the call parameters to the data feature library.
13. The monitoring method of claim 9, further comprising:
the monitoring server monitors operation state parameters of the NEF gateway, wherein the operation state parameters comprise CPU occupancy rate, memory occupancy rate, hard disk occupancy rate and CPU temperature;
the monitoring server outputs the health state index of the NEF gateway corresponding to the running state parameter;
the monitoring server receives the time stamp of the data packet sent by each intelligent probe;
the monitoring server determines the average response time and the average response time change rate of each interface of the NEF gateway according to the time stamp of the data packet;
the monitoring server outputs a stability index of the NEF gateway corresponding to the average response time and the average response time change rate.
14. The monitoring method of claim 9, further comprising:
the monitoring server determines the flow of the data packet sent by each intelligent probe in each historical time period;
and the monitoring server predicts the flow of the data packet sent by each intelligent probe in a preset future time period by adopting a linear fitting or nonlinear fitting mode.
15. The monitoring method of claim 14, further comprising:
each intelligent probe performs time synchronization through a global positioning system or a Beidou satellite navigation system.
16. The monitoring method of claim 9, further comprising:
the monitoring server issues system firmware and configuration files to each intelligent probe;
each intelligent probe runs system firmware and configuration files, and performs data packet acquisition, data packet analysis and monitoring result sending operations according to the configuration files.
17. A monitoring device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the monitoring method of any of claims 10 to 16 based on instructions stored in the memory.
18. A computer readable storage medium storing computer instructions which, when executed by a processor, implement the monitoring method of any one of claims 10 to 16.
CN202010825305.1A 2020-08-17 2020-08-17 Monitoring method, device and computer readable storage medium Active CN114158080B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010825305.1A CN114158080B (en) 2020-08-17 2020-08-17 Monitoring method, device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114158080A CN114158080A (en) 2022-03-08
CN114158080B CN114158080B (en) 2024-03-01

Family

ID=80460447


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant