CN114422232B - Method, device, electronic equipment, system and medium for monitoring illegal flow - Google Patents


Info

Publication number
CN114422232B
Authority
CN
China
Prior art keywords
illegal
suspected
log
access
inner layer
Legal status
Active
Application number
CN202210048641.9A
Other languages
Chinese (zh)
Other versions
CN114422232A (en
Inventor
黄晶
黄敏
黄晓青
高华
傅强
梁彧
蔡琳
杨满智
王杰
田野
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Priority to CN202210048641.9A
Publication of CN114422232A
Application granted
Publication of CN114422232B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The embodiment of the invention discloses a method, a device, electronic equipment, a system and a medium for monitoring illegal traffic. The method comprises the following steps: acquiring an IP traffic log and an access log reported by DPI equipment; determining access records corresponding to illegal user behavior in the access log, and determining an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access records and the IP traffic log; and acquiring target log data in the ticket log according to the suspected illegal outer layer IP, and determining the illegal traffic based on the target log data and the suspected illegal inner layer IP by adopting a preset judging strategy, so that whether the traffic corresponding to the suspected illegal inner layer IP is illegal is analyzed based on the target log data. The invention solves the problem that the behavior of occupying bandwidth resources in a VPN+NAT mode cannot be monitored in the related technology, and the problem that illegal traffic transmitted in a VPN encrypted tunnel cannot be monitored.

Description

Method, device, electronic equipment, system and medium for monitoring illegal flow
Technical Field
Embodiments of the present invention relate to communications technologies, and in particular to a method, an apparatus, an electronic device, a system and a medium for monitoring offending traffic.
Background
An Internet Data Center (IDC) uses existing Internet communication lines and bandwidth resources to establish a standardized telecom-grade machine room environment for enterprises and governments, and provides the all-round services of a telecommunications department in aspects such as server hosting, renting and related value-added services.
In the related art, supervision of IDC traffic has the following drawbacks. First, the behavior of occupying bandwidth resources in a VPN+NAT mode cannot be monitored. The bandwidth resources of telecom operators have long been stolen illegally by small operators or competitors through VPN+NAT. The forms of illegal theft mainly comprise near-end violations and far-end violations. Where the IDC of this province is used for interconnection access and the traffic is carried out of this province's IDC in VPN-encapsulated form to other provinces, this is called a near-end violation. Where the IDC of this province terminates the VPN and acts as the network egress, this is called a far-end violation. Second, the offending traffic transmitted in VPN encrypted tunnels cannot be monitored.
Disclosure of Invention
The embodiment of the invention provides a method, a device, electronic equipment, a system and a medium for monitoring illegal traffic, which can solve the problem that the behavior of occupying bandwidth resources in a VPN+NAT mode cannot be monitored in the related technology, and solve the problem that the illegal traffic transmitted in a VPN encrypted tunnel cannot be monitored.
In a first aspect, an embodiment of the present invention provides a method for monitoring an offending traffic, including:
acquiring an IP flow log and an access log reported by DPI equipment, wherein the IP flow log is determined based on an inner layer IP and an outer layer IP obtained by the DPI equipment analyzing a data packet in a VPN encryption tunnel, and the access log is determined based on user behavior data obtained by the DPI equipment analyzing the data packet in the VPN encryption tunnel;
determining access records corresponding to the behaviors of the illegal users in the access log, and determining an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access records and the IP flow log;
and acquiring target log data in a ticket log according to the suspected illegal outer layer IP, and determining the illegal flow based on the target log data and the suspected illegal inner layer IP by adopting a preset judging strategy.
In a second aspect, an embodiment of the present invention further provides a device for monitoring offending traffic, including:
a log acquisition module, configured to acquire an IP traffic log and an access log reported by the DPI device, wherein the IP traffic log is determined based on an inner layer IP and an outer layer IP obtained by the DPI device analyzing a data packet in the VPN encryption tunnel, and the access log is determined based on the user behavior data obtained by the DPI device analyzing the data packet in the VPN encryption tunnel;
an IP determining module, configured to determine an access record corresponding to illegal user behavior in the access log, and to determine an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access record and the IP traffic log;
and a violation traffic determining module, configured to acquire target log data in the ticket log according to the suspected violation outer layer IP, and to determine the violation traffic based on the target log data and the suspected violation inner layer IP by adopting a preset judging strategy.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of monitoring offending traffic as described in any of the embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a monitoring system for illegal traffic, including: DPI device and electronic device;
the DPI equipment is connected to the IDC network equipment in a bypass mode, and is used for collecting data packets transmitted by the IDC network equipment through a VPN encrypted tunnel in a beam-splitting or mirror mode, analyzing the data packets to obtain inner-layer IP, outer-layer IP and user behavior data, generating an IP flow log based on the inner-layer IP and the outer-layer IP, generating an access log based on the user behavior data, and transmitting the IP flow log and the access log to the server;
The server is used for executing the monitoring method of the illegal traffic according to any embodiment of the invention.
In a fifth aspect, embodiments of the present invention further provide a computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements a method for monitoring offending traffic according to any of the embodiments of the present invention.
In a sixth aspect, embodiments of the present invention further provide a computer program product comprising a computer program which, when executed by a processor, implements the method for monitoring offending traffic according to any of the embodiments of the present invention.
The embodiment of the invention provides a method, a device, electronic equipment, a system and a medium for monitoring illegal traffic, which are used for analyzing inner layer IP, outer layer IP and user behavior data obtained by data packets in a VPN encrypted tunnel through DPI equipment, determining illegal user behavior according to the user behavior data, determining suspected illegal inner layer IP and suspected illegal outer layer IP according to access records corresponding to the illegal user behavior, acquiring target log data in ticket journals according to the suspected illegal outer layer IP, determining illegal traffic based on the target log data and the suspected illegal inner layer IP, and realizing screening the target log data corresponding to the illegal user behavior from mass ticket journals based on the user behavior, and analyzing whether the traffic corresponding to the suspected illegal inner layer IP is illegal traffic or not based on the target log data. The invention solves the problem that the behavior of occupying bandwidth resources in a VPN+NAT mode cannot be monitored in the related technology, and the problem that illegal traffic transmitted in a VPN encrypted tunnel cannot be monitored.
Drawings
FIG. 1 is a flow chart of a method for monitoring offending traffic provided by an embodiment of the present invention;
FIG. 2 is a schematic flow analysis diagram in a method for monitoring offending traffic according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the ranking of an IDC machine room by outbound access traffic in the method for monitoring offending traffic provided by the embodiment of the present invention;
FIG. 4 is a schematic diagram of the ranking of an IDC machine room by number of outbound http get requests in the method for monitoring offending traffic provided by the embodiment of the present invention;
FIG. 5 is a schematic diagram of the ranking by VPN suspected traffic ratio in the method for monitoring offending traffic provided by the embodiment of the present invention;
FIG. 6a is a schematic diagram of the ranking by single-visit traffic in a method for monitoring offending traffic provided by an embodiment of the present invention;
FIG. 6b is a schematic diagram of the ranking by single-visit traffic in another method for monitoring offending traffic according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the statistical ranking of abnormal applications in a method for monitoring offending traffic according to an embodiment of the present invention;
FIG. 8 is a flow chart of another method for monitoring offending traffic provided by an embodiment of the present invention;
FIG. 9 is a flow chart of another method for monitoring offending traffic provided by an embodiment of the present invention;
FIG. 10 is a block diagram of a device for monitoring illegal traffic provided by an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a system for monitoring illegal traffic provided in an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Fig. 1 is a flowchart of a method for monitoring an offending traffic, which is provided in an embodiment of the present invention, and the method may be performed by an apparatus for monitoring an offending traffic, where the apparatus may be implemented by hardware and/or software, and is typically configured in an electronic device. For example, the electronic device may be a server or a cluster of servers implementing a big data engine. As shown in fig. 1, the method includes:
step 110, obtaining an IP traffic log and an access log reported by DPI equipment.
Specifically, the IP traffic log is determined based on an inner layer IP and an outer layer IP obtained by the DPI device analyzing the data packet in the VPN encrypted tunnel, and the access log is determined based on user behavior data obtained by the DPI device analyzing the data packet in the VPN encrypted tunnel.
The DPI (Deep Packet Inspection) device is a network device with service data flow identification and control capabilities. It works from the transport layer up to the application layer of the OSI model, has high data processing capability, can identify and manage the traffic carried by a network, and can be deployed in the network backbone layer, in a metropolitan area network or in an enterprise network.
DPI technology performs deep inspection: the inner layer IP and the outer layer IP are determined by analyzing the IP header of a packet, and information such as the application type and application content is identified by interpreting the payload of the packet.
A VPN encryption tunnel is a communication link that transports messages encrypted according to a VPN protocol. A virtual private network (VPN) creates an encrypted, virtual point-to-point connection between the VPN client and the VPN gateway, guaranteeing the security of the data as it passes through the Internet. Tunneling is the key technology for constructing a VPN: it uses one network protocol to carry another network protocol, and this is how the VPN connection is realized.
The IP flow logs are logs for recording the inner layer IP and the outer layer IP corresponding to the flow in each VPN encryption tunnel.
The access log is a log that records the user behavior data corresponding to the traffic in each VPN encryption tunnel. The user behavior data are application layer data of the Internet users of a cell. In a cellular mobile communication system, a cell refers to the area covered by one base station or by part of a base station (a sector antenna), within which a mobile station can communicate reliably with the base station over a radio channel. Specifically, the user behavior data are determined based on information such as the application type and application content obtained by parsing the data packet. For example, the user behavior data include the start time, end time, URL and traffic volume of the main services of a mobile network user, such as web browsing, video, VR/AR, video surveillance, cloud disk, instant messaging, games and VoLTE. It should be noted that the user behavior data may be collected at the granularity of a single access by a single user, so that the user corresponding to abnormal traffic can be screened out precisely.
The abnormal traffic may be traffic with abnormal user behavior, offending traffic of a small ISP operator, or the like.
Fig. 2 is a schematic flow analysis diagram in a method for monitoring offending traffic according to an embodiment of the present invention. As shown in fig. 2, based on cloud-pipe-edge traffic analysis, the DPI device collects the egress traffic of the IDC network by optical splitting or port mirroring. Cloud-pipe-edge is the transmission architecture of traffic in the network: traffic is admitted at the edge and carried to the cloud through the pipe. Specifically, the DPI device collects data in the pipe, and the data are analyzed in the cloud. The specific analysis dimensions include: the ranking of the IDC machine room by outbound access traffic, the ranking of the IDC machine room by number of outbound http get requests, the ranking by VPN suspected traffic ratio, the ranking by pure outbound access traffic, the statistical ranking of abnormal applications, analysis of inner and outer layer IP addresses, and the like.
Illustratively, the DPI device parses the data packet in the VPN encrypted tunnel to obtain an outer layer IP of the data packet and an inner layer IP encapsulated in the data packet. Specifically, the DPI device identifies an IP layer message (including IPv4 and IPv6 messages), and extracts source IP, destination IP and protocol number information in the message.
The DPI device further parses the data packet in the VPN encrypted tunnel to obtain user behavior data. Specifically, the DPI device performs deep packet analysis on the user-plane messages and identifies, at the granularity of a single access by a single user, data such as the start time, end time, URL and traffic volume of the mobile network user's services, such as web browsing, video, VR/AR, video surveillance, cloud disk, instant messaging, games and VoLTE.
The DPI equipment generates an IP flow log based on the inner layer IP and the outer layer IP, and reports the IP flow log to the electronic equipment so that a big data engine deployed on the electronic equipment can acquire the IP flow log. The DPI equipment generates an access log based on the user behavior data, and reports the access log to the electronic equipment so that a big data engine deployed on the electronic equipment can acquire the access log.
Step 120, determining access records corresponding to illegal user behavior in the access log, and determining an inner layer IP suspected of being illegal and an outer layer IP suspected of being illegal according to the access records and the IP traffic log.
Here, illegal user behavior is behavior that violates the normal IDC service regulations. For example, the offending user behavior includes a small ISP operator providing services other than the authorized IDC service by way of VPN+NAT, or behavior that does not meet regulatory requirements, and so on.
The access record is log data corresponding to the illegal user behavior in the access log. And the access records can be used for determining the corresponding suspected illegal inner layer IP and the suspected illegal outer layer IP in the IP traffic log.
Illustratively, according to behavior data of a single user single access application program in the access log, an access record corresponding to the behavior of the illegal user is screened from the access log. Wherein the application is computer code that provides services to the user. The application may be a Web application or a client application, etc.
Specifically, according to behavior data of a single user accessing an application program in the access log, corresponding access behavior information is determined. For example, a big data engine is adopted, and based on behavior data of a single user accessing an application program, user behaviors in an access log are analyzed horizontally and longitudinally, so that access behavior information of the single user is obtained.
And if the access behavior information accords with the preset illegal behavior characteristics, taking the behavior data as an access record corresponding to the illegal user behavior, wherein the preset illegal behavior characteristics are determined based on the type of the application program, the starting time, the ending time, the URL and the flow.
And if the access behavior information does not accord with the preset illegal behavior characteristics, taking the behavior data as data which accord with the normal IDC service regulation.
And inquiring the IP flow log according to the user identification contained in the access record to obtain an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal. Because the user identification in the IP flow log is associated with the user identification in the access log, the IP flow log can be queried through the user identification of the access record corresponding to the offending user behavior, thereby determining the suspected offending inner layer IP and the suspected offending outer layer IP corresponding to the offending user behavior.
Step 130, acquiring target log data in a ticket log according to the suspected violation outer layer IP, and determining the violation traffic based on the target log data and the suspected violation inner layer IP by adopting a preset judging strategy.
The preset judging strategy comprises a strategy combination of dimensions such as IDC machine room outward access traffic ranking, IDC machine room outward access http get number ranking, VPN suspected traffic proportion ranking, pure outward access traffic ranking, abnormal application statistics ranking, terminal number proportion ranking and the like. It should be noted that the terminal number ratio refers to determining that the terminal is a mobile terminal or a fixed terminal (e.g., a set-top box) based on a device number (e.g., IMEI of a mobile phone).
And the ticket log is queried according to the outer layer IP of the suspected violation to obtain corresponding target log data in the ticket log. And carrying out multidimensional analysis on the suspected illegal inner layer IP according to the target log data, and determining whether the flow corresponding to the suspected illegal inner layer IP is illegal flow or not.
In one case, performing multidimensional analysis on the suspected violation inner layer IP according to the target log data and determining whether its traffic is violation traffic includes: determining the violation suspicion of the suspected violation inner layer IP in each dimension according to the target log data; sorting the target inner layer IPs whose violation suspicion meets a set condition by their violation suspicion; and determining, according to the sorting result, whether the traffic corresponding to those inner layer IPs is violation traffic.
Where a suspected violation inner layer IP occurs in several dimensions at once (cross occurrence), performing multidimensional analysis on it according to the target log data and determining whether its traffic is violation traffic includes: determining the violation suspicion of the suspected violation inner layer IP in each dimension according to the target log data; judging whether the suspected violation inner layer IP occurs across several dimensions and, if so, adjusting its violation suspicion according to the number of cross occurrences; sorting the target inner layer IPs whose violation suspicion meets the set condition by their violation suspicion; and determining, according to the sorting result, whether the traffic corresponding to those inner layer IPs is violation traffic.
In the embodiment of the invention, a screening threshold is set as the condition on the violation suspicion. Specifically, an inner layer IP whose violation suspicion in a dimension exceeds 60% is a target inner layer IP that satisfies the set condition. It should be noted that the set condition may be adjusted dynamically according to the actual application scenario, and its specific value is not limited in the present application.
In the embodiment of the present invention, adjusting the violation suspicion of the suspected violation inner layer IP according to the number of cross occurrences may specifically be: each time a cross occurrence appears, the violation suspicions of the inner layer IP in the dimensions where it appears are compared, and the highest violation suspicion is increased by 5% to obtain the new violation suspicion of that inner layer IP.
Specifically, determining whether the traffic corresponding to the suspected violation inner layer IP is violation traffic according to the sorting result includes: sorting the inner layer IPs in descending order of violation suspicion, taking a set number of the top-ranked inner layer IPs as the violation IP list according to the sorting result, and determining the traffic corresponding to the inner layer IPs in the violation IP list as violation traffic.
According to the technical scheme, the DPI equipment analyzes inner layer IP, outer layer IP and user behavior data obtained by data packets in the VPN encrypted tunnel, determines illegal user behavior according to the user behavior data, determines suspected illegal inner layer IP and suspected illegal outer layer IP according to access records corresponding to the illegal user behavior, obtains target log data in a ticket log according to the suspected illegal outer layer IP, determines illegal traffic based on the target log data and the suspected illegal inner layer IP, and achieves screening of the target log data corresponding to the illegal user behavior from a mass ticket log based on the user behavior, and analyzes whether the traffic corresponding to the suspected illegal inner layer IP is illegal traffic or not based on the target log data. The invention solves the problem that the behavior of occupying bandwidth resources in a VPN+NAT mode cannot be monitored in the related technology, and the problem that illegal traffic transmitted in a VPN encrypted tunnel cannot be monitored.
On the basis of the above technical scheme, the steps of querying the ticket log according to the suspected illegal outer layer IP to obtain the corresponding target log data, performing multidimensional analysis on the suspected illegal inner layer IP according to the target log data, and determining whether the traffic corresponding to the suspected illegal inner layer IP is illegal traffic are further specified below.
Specifically, the ticket log of the IDC machine room is processed by a big data architecture and a big data engine, and the ticket log is queried based on the suspected illegal outer layer IP to obtain the corresponding target log data. The big data engine comprises modules such as a persistence engine, distributed storage, a resource scheduling and management module, an offline computing engine and a data query engine.
The persistence engine automatically records the updated data of business objects, so that a trace of the changes is retained.
The distributed storage module uses the Hadoop distributed file system (HDFS) to store the live network log data in a distributed manner.
The offline computing engine uses the Spark engine to perform offline computation on the Internet logs. Because the volume of log data is huge and the retention period is long, complex batch jobs are run over large amounts of data so that the computed results can be queried conveniently.
The data query engine uses the Impala query engine. Impala is an open-source, high-concurrency MPP query engine built on Hadoop; it provides SQL semantics on top of Hadoop and fast, interactive SQL queries over PB-scale big data stored in Hadoop's HDFS and HBase.
Specifically, the analysis dimensions comprise the ranking of the IDC machine room by outbound access traffic, the ranking of the IDC machine room by number of outbound http get requests, the ranking by VPN suspected traffic ratio, the ranking by pure outbound access traffic, the statistical ranking of abnormal applications, analysis of inner and outer layer IP addresses, and the like.
Fig. 3 is a schematic diagram of an external access traffic ranking according to an IDC machine room in the method for monitoring offending traffic according to the embodiment of the present invention. If 3, the cell Internet surfing user initiates access to a site outside the machine room (or public network) through a server in the IDC machine room, and the inner layer IP is ranked and displayed based on the external access traffic.
The external access flow is flow used by a server in the IDC machine room to actively initiate access to a site outside the machine room (or a public network).
Specifically, ranking the inner layer IPs based on the outbound traffic includes: and (3) sorting the IP (i.e. service IP) in the servers in the IDC machine room by 100 according to the out-call traffic, wherein the first 30 IP are assigned with 60% of offence suspicion, and the last 70 IP are assigned with 40% of offence suspicion.
And inquiring IP record library information of the IDC machine room based on the IP of each service, and determining the IP of the non-self operator according to the inquiring result. If the IP of the non-self operator exists, the illegal suspected degree of the IP is directly increased to 80 percent, and specific attribution information of the IP is listed.
Fig. 4 is a schematic diagram of ranking according to the number of http get accessed outwards by an IDC machine room in the method for monitoring offending traffic provided by the embodiment of the present invention. As shown in fig. 4, the cell internet users initiate access to sites outside the machine room (or public network) through the server in the IDC machine room, and rank and display the inner layer IP based on the number of the outer access http get.
The number of the external access http gets is the number of accesses initiated by a server in the IDC machine room actively to a site outside the machine room (or a public network).
Specifically, ranking the inner layer IPs based on the number of outer-access http gets includes: and (3) sorting the IP (i.e. service IP) in the servers in the IDC machine room by 100 according to the number of the outer access http get, wherein the first 30 IP are assigned with 60% of offending suspected degree, and the last 70 IP are assigned with 40% of offending suspected degree.
And inquiring IP record library information of the IDC machine room based on the IP of each service, and determining the IP of the non-self operator according to the inquiring result. If the IP of the non-self operator exists, the illegal suspected degree of the IP is directly increased to 80 percent, and specific attribution information of the IP is listed.
Fig. 5 is a schematic diagram of ranking by the VPN suspected traffic ratio in the method for monitoring offending traffic provided by the embodiment of the present invention. As shown in fig. 5, the data packets of the cell internet user are VPN-encapsulated at the private access convergence point to form VPN traffic; the cell internet user exchanges VPN traffic with a server in the IDC machine room and initiates access to sites outside the machine room (or on the public network) through that server, and the inner layer IPs are ranked and displayed by the VPN suspected traffic ratio.
The VPN suspected traffic ratio is obtained as follows: for a server IP in the IDC machine room whose traffic contains a VPN protocol type, the share of VPN traffic in the total traffic of that IP (total inbound traffic plus total outbound traffic) is calculated. If this share exceeds 96%, the VPN traffic share is determined to be the VPN suspected traffic ratio.
Specifically, ranking the inner layer IPs based on the VPN suspected traffic ratio includes: the IPs determined to have a VPN suspected traffic ratio are ranked and the top 100 are taken, and each of these IPs is assigned a violation suspicion of 75%.
The IP record library information of the IDC machine room is then queried for each of these IPs, and the IPs that do not belong to the operator itself are identified from the query result. If an IP of a non-self operator exists, its violation suspicion is raised directly to 85%, and the specific attribution information of that IP is listed.
It should be noted that, because a VPN involves an inner layer IP and an outer layer IP, when determining operator attribution the IP record library information of the IDC machine room is queried by the inner layer IP to determine attribution to other operators, and queried by the outer layer IP to determine the operator's own legitimate IPs. The operator attribution information of both the inner layer IP and the outer layer IP is displayed.
Fig. 6a is a schematic diagram of ranking by pure outward access traffic in a method for monitoring offending traffic according to an embodiment of the present invention. Pure outward access traffic comprises outward-access VPN traffic and outward-access traffic. As shown in fig. 6a, the data packets of the cell internet user are VPN-encapsulated at the private access convergence point to form VPN traffic; the cell internet user exchanges VPN traffic with a server in the IDC machine room, that server exchanges outward-access VPN traffic with sites outside the machine room (or on the public network), and the inner layer IPs are ranked and displayed by pure outward access traffic. Fig. 6b is a schematic diagram of ranking by pure outward access traffic in another method for monitoring offending traffic according to an embodiment of the present invention. As shown in fig. 6b, the data packets of the cell internet user are VPN-encapsulated at the private access convergence point to form VPN traffic; the cell internet user exchanges VPN traffic with a server in the IDC machine room, that server exchanges outward-access traffic with sites outside the machine room (or on the public network), and the inner layer IPs are ranked and displayed by pure outward access traffic.
Pure outward access traffic is uplink and downlink traffic initiated purely by a server IP in the IDC machine room towards network sites outside the machine room, while the total access traffic initiated by internet users towards that server IP is zero. This is typically the case when a server in the IDC machine room uses two or more IP addresses, in particular when VPN traffic terminates on one IP address and is then forwarded out from another IP address of the same server.
Specifically, ranking the inner layer IPs based on pure outward access traffic includes: the IPs of the servers in the IDC machine room are ranked by pure outward access traffic and the top 100 are taken; the first 30 IPs are assigned a violation suspicion of 60% and the remaining 70 IPs a violation suspicion of 40%.
The IP record library information of the IDC machine room is then queried for each service IP, and the IPs that do not belong to the operator itself are identified from the query result. If an IP of a non-self operator exists, its violation suspicion is raised directly to 80%, and the specific attribution information of that IP is listed.
It should be noted that, because CDN services resemble broadband private-line services, the local CDN service IP address library information is also queried for each service IP, the CDN service IPs are determined from the query result, and the IPs belonging to CDN services are filtered out of the service IPs.
Fig. 7 is a schematic diagram of statistical ranking by abnormal applications in a method for monitoring offending traffic according to an embodiment of the present invention. As shown in fig. 7, when accessing applications such as QQ, mail or games, a cell internet user initiates the application access to sites outside the machine room (or on the public network) through a server in the IDC machine room acting as a proxy, so that a single IP carries multiple application account identifiers; the IPs are ranked and displayed by the number of application account identifiers carried.
The abnormal application number is obtained by identifying and analysing the server IPs in the IDC machine room and counting the number of QQ accounts, mail accounts and game accounts carried in their traffic, which yields the IPs carrying multiple application account identifiers.
Specifically, ranking based on the number of application account identifiers includes: the IPs in the servers in the IDC machine room that carry multiple application account identifiers are ranked by the number of identifiers carried and the top 100 are taken. Each IP carrying multiple application account identifiers is assigned a violation suspicion of 75%.
The IP record library information of the IDC machine room is then queried for each service IP, and the IPs that do not belong to the operator itself are identified from the query result. If an IP of a non-self operator exists, its violation suspicion is raised directly to 85%, and the specific attribution information of that IP is listed.
It should be noted that, because a VPN involves an inner layer IP and an outer layer IP, when determining operator attribution the IP record library information of the IDC machine room is queried by the inner layer IP to determine attribution to other operators, and queried by the outer layer IP to determine the operator's own legitimate IPs. The operator attribution information of both the inner layer IP and the outer layer IP is displayed.
It should be noted that, because some data packets are encrypted using a GRE tunnel, these packets contain an inner layer IP and an outer layer IP; the IP record library information of the IDC machine room is queried by the inner layer IP to judge attribution to other operators, and queried by the outer layer IP to judge the operator's own legitimate IPs. The operator attribution information of both the inner layer IP and the outer layer IP is displayed.
Across the violation suspicions of the above dimensions, the IPs with a suspicion above 60% are stored in a suspected IP table and arranged in descending order of violation suspicion. If an IP appears in several dimensions, its highest violation suspicion is increased by 5% as a cumulative value for each such cross-dimension appearance.
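The five ranking dimensions and the cross-dimension accumulation described above, as an added worked example in Python that is not part of the patent. The per-IP counters, the RFC 5737 addresses, and the reading that the 5% bonus is applied once per additional dimension before the 60% threshold is checked are all assumptions made here.

```python
"""Constructed example: multi-dimension violation suspicion scoring for IDC service IPs."""
from dataclasses import dataclass

TOP_N = 100          # each dimension keeps only its top 100 IPs
HEAD = 30            # first 30 of a tiered ranking get 60%, the remaining 70 get 40%
THRESHOLD = 60       # only IPs with suspicion above 60% enter the suspected IP table
CROSS_BONUS = 5      # +5% per additional dimension an IP appears in (assumed reading)


@dataclass
class IpStats:
    """Per-service-IP counters as a DPI / ticket-log pipeline would aggregate them."""
    ip: str
    outbound_bytes: int = 0      # traffic the server initiates towards sites outside the room
    inbound_bytes: int = 0       # access traffic initiated by internet users towards this IP
    http_gets_out: int = 0       # http get requests the server initiates outwards
    has_vpn_protocol: bool = False
    vpn_bytes: int = 0
    account_ids: int = 1         # distinct QQ / mail / game account identifiers carried
    own_operator: bool = True    # attribution from the IDC IP record library
    is_cdn: bool = False         # hit in the local CDN service IP address library


def tiered_scores(ranked, non_self_score):
    """Top 100: first 30 -> 60%, rest -> 40%; non-self-operator IPs raised directly."""
    scores = {}
    for rank, s in enumerate(ranked[:TOP_N]):
        score = 60 if rank < HEAD else 40
        scores[s.ip] = non_self_score if not s.own_operator else score
    return scores


def flat_scores(ranked, base, non_self_score):
    """Top 100 all get the same base score; non-self-operator IPs raised directly."""
    return {s.ip: (non_self_score if not s.own_operator else base) for s in ranked[:TOP_N]}


def dimension_scores(stats):
    """Score every IP under each of the five ranking dimensions."""
    stats = [s for s in stats if not s.is_cdn]  # CDN traffic exclusion
    by_out = sorted((s for s in stats if s.outbound_bytes > 0),
                    key=lambda s: s.outbound_bytes, reverse=True)
    by_get = sorted((s for s in stats if s.http_gets_out > 0),
                    key=lambda s: s.http_gets_out, reverse=True)
    # VPN suspected traffic ratio: VPN share of (inbound + outbound) above 96%
    vpn = [s for s in stats if s.has_vpn_protocol
           and (s.inbound_bytes + s.outbound_bytes) > 0
           and s.vpn_bytes / (s.inbound_bytes + s.outbound_bytes) > 0.96]
    vpn.sort(key=lambda s: s.vpn_bytes, reverse=True)
    # pure outward access: the server sends outwards but no internet user ever reached it
    pure = sorted((s for s in stats if s.inbound_bytes == 0 and s.outbound_bytes > 0),
                  key=lambda s: s.outbound_bytes, reverse=True)
    multi = sorted((s for s in stats if s.account_ids > 1),
                   key=lambda s: s.account_ids, reverse=True)
    return {
        "outbound_traffic": tiered_scores(by_out, 80),
        "http_get_count": tiered_scores(by_get, 80),
        "vpn_ratio": flat_scores(vpn, 75, 85),
        "pure_outbound": tiered_scores(pure, 80),
        "abnormal_apps": flat_scores(multi, 75, 85),
    }


def suspected_ip_table(dims):
    """Merge dimensions: keep the highest score, +5% per extra dimension, keep > 60%."""
    hits = {}
    for dim, scores in dims.items():
        for ip, score in scores.items():
            hits.setdefault(ip, []).append((dim, score))
    table = []
    for ip, entries in hits.items():
        final = max(sc for _, sc in entries) + CROSS_BONUS * (len(entries) - 1)
        if final > THRESHOLD:
            table.append((ip, final, sorted(d for d, _ in entries)))
    table.sort(key=lambda row: (-row[1], row[0]))   # descending suspicion, then IP
    return table


def build_sample():
    """Constructed data: 120 service IPs whose outbound volume falls with the index."""
    stats = [IpStats(ip=f"192.0.2.{i}", outbound_bytes=(120 - i) * 10_000,
                     inbound_bytes=50_000, http_gets_out=120 - i) for i in range(120)]
    stats[2].has_vpn_protocol = True
    stats[2].vpn_bytes = 1_200_000      # 1.2M of 1.23M total -> 97.6% VPN share
    stats[3].is_cdn = True              # excluded before any ranking
    stats[5].own_operator = False       # non-self operator: 60% -> 80% directly
    stats[50].inbound_bytes = 0         # pure outward access, no user ever reached it
    stats[60].account_ids = 4           # one IP carrying four application accounts
    stats[70].own_operator = False
    stats[70].account_ids = 3
    return stats


if __name__ == "__main__":
    for ip, score, dims in suspected_ip_table(dimension_scores(build_sample()))[:6]:
        print(f"{ip:<12} {score:>3}%  {', '.join(dims)}")
```

The ranks shift by one after the CDN IP is removed, so 192.0.2.30 still lands inside the first 30 while 192.0.2.31 drops to the 40% tier and, even with the cross-dimension bonus, stays out of the table.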
Fig. 8 is a flowchart of another method for monitoring offending traffic according to an embodiment of the present invention, as shown in fig. 8, the method includes:
Step 810, obtaining an IP traffic log and an access log reported by DPI equipment.
Step 820, determining an access record corresponding to the behavior of the offending user in the access log, and determining an inner layer IP suspected of the offending and an outer layer IP suspected of the offending according to the access record and the IP traffic log.
Step 830, acquiring target log data in a ticket log according to the outer layer IP of the suspected violation, and determining the violation traffic based on the target log data and the inner layer IP of the suspected violation by adopting a preset judging strategy.
Step 840, determining suspected illegal ISP according to the inner layer IP and the outer layer IP corresponding to the illegal flow.
Step 850, performing traceability analysis on the access point of the suspected illegal ISP according to the target log data.
The traceability analysis carries out access address tracing (Trace), dial-up probe data matching, mobile terminal data matching and the like based on the content of the ticket log.
Step 860, generating treatment suggestions for the inner layer IP and/or the outer layer IP corresponding to the illegal traffic according to the traceability analysis result.
Fig. 9 is a flowchart of another method for monitoring offending traffic according to an embodiment of the present invention. In a specific implementation, the big data engine acquires IDC basic data (e.g. ticket logs) and, for the analysis of illegal bandwidth, can rank along 5 dimensions: machine room outward access traffic ranking, machine room outward access http get number ranking, VPN suspected traffic ratio ranking, pure outward access traffic ranking and abnormal application statistics ranking; each dimension is then analysed and counted separately, weighted and scored separately, and the results are formed into a policy combination. The policy combination includes: machine room outward access traffic ranking, machine room outward access http get number ranking, VPN suspected traffic ratio ranking, pure outward access traffic ranking, inside-out application ratio ranking, terminal number ratio ranking and CDN traffic exclusion.
For each policy combination, the violation suspicion of each service IP under that policy combination is determined. The violation suspicions of the IPs are then summarised, ranked and audited as a whole to form a suspected IP list. The suspected illegal ISP is determined based on the inner layer IPs and outer layer IPs contained in the suspected IP list, traceability analysis is performed on the access point of the suspected illegal ISP, and the illegal IPs exhibiting illegal behaviour are determined. Evidence is obtained by capturing the original data packets of the illegal IP. The illegal IP is then handled, for example by marking it with a set flag and blocking it by means of traffic reinjection.
Fig. 10 is a block diagram of a monitoring device for illegal traffic according to an embodiment of the present invention. The apparatus may be implemented in hardware and/or software and is typically deployed in an electronic device. The device detects illegal traffic that is passed through transparently by executing the method of any embodiment of the invention. As shown in fig. 10, the apparatus includes: a log acquisition module 1010, an IP determination module 1020, and an offending traffic determination module 1030.
The log obtaining module 1010 is configured to obtain an IP traffic log and an access log reported by a DPI device, where the IP traffic log is determined based on an inner layer IP and an outer layer IP obtained by the DPI device analyzing a data packet in a VPN encrypted tunnel, and the access log is determined based on user behavior data obtained by the DPI device analyzing the data packet in the VPN encrypted tunnel;
The IP determining module 1020 is configured to determine an access record corresponding to the behavior of the offending user in the access log, and determine an inner IP suspected of being offending and an outer IP suspected of being offending according to the access record and the IP traffic log;
and the violation flow determining module 1030 is configured to obtain target log data in a ticket log according to the outer layer IP suspected of violating, and determine the violation flow based on the target log data and the inner layer IP suspected of violating by adopting a preset determination policy.
Optionally, the IP determination module 1020 is specifically configured to:
screen the access records corresponding to the behaviours of illegal users from the access log according to the behaviour data of a single user accessing an application program once in the access log.
Optionally, the IP determination module 1020 is specifically further configured to:
determining corresponding access behavior information according to behavior data of a single user in the access log for accessing the application program once;
and if the access behavior information accords with the preset illegal behavior characteristics, taking the behavior data as an access record corresponding to the illegal user behavior, wherein the preset illegal behavior characteristics are determined based on the type of the application program, the starting time, the ending time, the URL and the flow.
Optionally, the IP determination module 1020 is specifically further configured to:
query the IP traffic log according to the user identifier contained in the access record to obtain an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal.
Optionally, the offending flow determination module 1030 is specifically configured to:
inquiring the ticket log according to the suspected illegal outer layer IP to obtain corresponding target log data in the ticket log;
and carrying out multidimensional analysis on the suspected illegal inner layer IP according to the target log data, and determining whether the flow corresponding to the suspected illegal inner layer IP is illegal flow or not.
Optionally, the offending flow determination module 1030 is specifically further configured to:
determining the offensiveness of the suspected offensive inner layer IP in each dimension according to the target log data;
and sequencing the target inner layer IP with the violation suspected degree meeting the set condition according to the violation suspected degree, and determining whether the flow corresponding to the inner layer IP with the violation suspected degree is the violation flow or not according to the sequencing result.
Optionally, the apparatus further comprises:
the violation suspected degree adjusting module is used for judging whether the suspected violation inner layer IP has cross appearance among a plurality of dimensions after determining the violation suspected degree of the suspected violation inner layer IP under each dimension according to the target log data;
If yes, adjusting the illegal suspicion of the suspected illegal inner layer IP according to the cross occurrence times.
Optionally, the apparatus further comprises:
the suspected illegal ISP determining module is used for determining the suspected illegal ISP according to the inner layer IP and the outer layer IP corresponding to the illegal flow after determining the illegal flow based on the target log data and the suspected illegal inner layer IP by adopting a preset judging strategy;
the tracing module is used for tracing and analyzing the access points of the suspected illegal ISPs according to the target log data;
and the disposal module is used for generating disposal suggestions of the inner layer IP and/or the outer layer IP corresponding to the illegal traffic according to the traceability analysis result.
The device for monitoring the illegal flow provided by the embodiment of the invention can execute the method for monitoring the illegal flow provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as servers, blade servers, server clusters, mainframes, and other suitable computers. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 11, the electronic device 1100 includes a processor 1110 and a memory 1120; the number of processors 1110 in the electronic device 1100 may be one or more, one processor 1110 being illustrated in fig. 11; the processor 1110 and the memory 1120 in the electronic device 1100 may be connected by a bus or other means, for example in fig. 11.
The memory 1120 is used as a computer readable storage medium, and may be used to store software programs, computer executable programs, and modules, such as program instructions/modules corresponding to the method for monitoring offending traffic in the embodiment of the present invention (e.g., the log acquisition module 1010, the IP determination module 1020, and the offending traffic determination module 1030 in the device for monitoring offending traffic). The processor 1110 executes various functional applications of the electronic device and data processing by running software programs, instructions and modules stored in the memory 1120, i.e., implements the above-described method of monitoring offending traffic.
The memory 1120 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal, etc. In addition, memory 1120 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, memory 1120 may further include memory remotely located relative to processor 1110, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Fig. 12 is a schematic structural diagram of a monitoring system for illegal traffic provided in an embodiment of the present invention. As shown in fig. 12, the monitoring system 1200 for offending traffic includes a DPI device 1210 and a server 1220.
The DPI device 1210 is bypass-connected to an IDC network device, and is configured to collect, by means of light splitting or mirroring, a data packet transmitted by the IDC network device through a VPN encrypted tunnel, parse the data packet to obtain inner-layer IP, outer-layer IP and user behavior data, generate an IP traffic log based on the inner-layer IP and the outer-layer IP, generate an access log based on the user behavior data, and transmit the IP traffic log and the access log to the server 1220;
the server 1220 is configured to perform obtaining an IP traffic log and an access log reported by a DPI device, where the IP traffic log is determined based on an inner layer IP and an outer layer IP obtained by the DPI device analyzing a data packet in a VPN encrypted tunnel, and the access log is determined based on user behavior data obtained by the DPI device analyzing the data packet in the VPN encrypted tunnel;
determining access records corresponding to the behaviors of the illegal users in the access log, and determining an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access records and the IP flow log;
And acquiring target log data in a ticket log according to the suspected illegal outer layer IP, and determining the illegal flow based on the target log data and the suspected illegal inner layer IP by adopting a preset judging strategy.
It should be noted that, the server may execute the method for monitoring the offending traffic according to any embodiment of the present invention, and has the corresponding beneficial effects of the execution method.
Embodiments of the present invention also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are for performing a method of monitoring offending traffic, the method comprising:
acquiring an IP flow log and an access log reported by DPI equipment, wherein the IP flow log is determined based on an inner layer IP and an outer layer IP obtained by the DPI equipment analyzing a data packet in a VPN encryption tunnel, and the access log is determined based on user behavior data obtained by the DPI equipment analyzing the data packet in the VPN encryption tunnel;
determining access records corresponding to the behaviors of the illegal users in the access log, and determining an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access records and the IP flow log;
and acquiring target log data in a ticket log according to the suspected illegal outer layer IP, and determining the illegal flow based on the target log data and the suspected illegal inner layer IP by adopting a preset judging strategy.
Of course, the storage medium containing the computer executable instructions provided in the embodiments of the present invention is not limited to the method operations described above, and may also perform the related operations in the method for monitoring the offending traffic provided in any embodiment of the present invention.
Embodiments of the present invention also provide a computer program product comprising a computer program which, when executed by a processor, performs the following operations:
acquiring an IP flow log and an access log reported by DPI equipment, wherein the IP flow log is determined based on an inner layer IP and an outer layer IP obtained by the DPI equipment analyzing a data packet in a VPN encryption tunnel, and the access log is determined based on user behavior data obtained by the DPI equipment analyzing the data packet in the VPN encryption tunnel;
determining access records corresponding to the behaviors of the illegal users in the access log, and determining an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access records and the IP flow log;
and acquiring target log data in a ticket log according to the suspected illegal outer layer IP, and determining the illegal flow based on the target log data and the suspected illegal inner layer IP by adopting a preset judging strategy.
Of course, the computer program product provided by the embodiments of the present invention, the computer executable instructions of which are not limited to the method operations described above, may also perform the related operations in the method for monitoring offending traffic provided by any of the embodiments of the present invention.
From the above description of embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, etc., and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
It should be noted that, in the embodiment of the device for monitoring the offending flow, each unit and module included are only divided according to the functional logic, but not limited to the above-mentioned division, so long as the corresponding function can be realized; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (10)

1. A method for monitoring offending traffic, comprising:
acquiring an IP flow log and an access log reported by DPI equipment, wherein the IP flow log is determined based on an inner layer IP and an outer layer IP obtained by the DPI equipment analyzing a data packet in a VPN encryption tunnel, and the access log is determined based on user behavior data obtained by the DPI equipment analyzing the data packet in the VPN encryption tunnel; the DPI equipment is deep packet inspection equipment;
determining access records corresponding to the behaviors of the illegal users in the access log, and determining an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access records and the IP flow log; wherein, the illegal user behavior is the behavior violating the normal IDC service regulation;
Acquiring target log data in a ticket log according to the suspected illegal outer layer IP, and determining illegal flow based on the target log data and the suspected illegal inner layer IP by adopting a preset judging strategy; the preset judgment policy is a policy combination comprising an IDC machine room outward access traffic ranking, an IDC machine room outward access http get number ranking, a VPN suspected traffic ratio ranking, a pure outward access traffic ranking, an abnormal application statistics ranking and a terminal number ratio dimension;
the determining the inner layer IP suspected of violating and the outer layer IP suspected of violating according to the access record and the IP traffic log includes: inquiring the IP flow log according to a user identifier contained in the access record to obtain an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal;
the step of obtaining target log data in a ticket log according to the suspected offending outer layer IP, and determining offending traffic based on the target log data and the suspected offending inner layer IP by adopting a preset judging strategy comprises the following steps: inquiring the ticket log according to the suspected illegal outer layer IP to obtain corresponding target log data in the ticket log; and carrying out multidimensional analysis on the suspected illegal inner layer IP according to the target log data, and determining whether the flow corresponding to the suspected illegal inner layer IP is illegal flow or not.
2. The method of claim 1, wherein the determining an access record corresponding to the offending user behavior in the access log comprises:
and screening access records corresponding to the behaviors of the illegal users from the access log according to the behavior data of the single-time access application program of the single user in the access log.
3. The method according to claim 2, wherein the screening access records corresponding to the behavior of the offending user from the access log according to the behavior data of the single-access application of the single user in the access log comprises:
determining corresponding access behavior information according to behavior data of a single user in the access log for accessing the application program once;
and if the access behavior information accords with the preset illegal behavior characteristics, taking the behavior data as an access record corresponding to the illegal user behavior, wherein the preset illegal behavior characteristics are determined based on the type of the application program, the starting time, the ending time, the URL and the flow.
4. The method of claim 1, wherein the performing multidimensional analysis on the suspected offending inner layer IP according to the target log data to determine whether traffic corresponding to the suspected offending inner layer IP is offending traffic comprises:
Determining the offensiveness of the suspected offensive inner layer IP in each dimension according to the target log data;
and sequencing the target inner layer IP with the violation suspected degree meeting the set condition according to the violation suspected degree, and determining whether the flow corresponding to the inner layer IP with the violation suspected degree is the violation flow or not according to the sequencing result.
5. The method of claim 4, further comprising, after determining the offending plausibility of the suspected offending inner layer IP in each dimension from the target log data:
judging whether the suspected illegal inner layer IP is crossed among a plurality of dimensions;
if yes, adjusting the illegal suspicion of the suspected illegal inner layer IP according to the cross occurrence times.
6. The method of any of claims 1-5, further comprising, after determining the offending traffic based on the target log data and the suspected offending inner layer IP using a preset decision strategy:
determining suspected illegal ISP according to the inner layer IP and the outer layer IP corresponding to the illegal flow;
performing traceability analysis on the access point of the suspected illegal ISP according to the target log data;
and generating treatment suggestions of the inner layer IP and/or the outer layer IP corresponding to the illegal traffic according to the traceability analysis result.
7. A monitoring device for offending flow, comprising:
the system comprises a log acquisition module, a VPN encryption tunnel, a DPI device, a VPN encryption module and a user behavior data acquisition module, wherein the log acquisition module is used for acquiring an IP flow log and an access log reported by the DPI device, the IP flow log is determined based on an inner layer IP and an outer layer IP obtained by analyzing a data packet in the VPN encryption tunnel by the DPI device, and the access log is determined based on the user behavior data obtained by analyzing the data packet in the VPN encryption tunnel by the DPI device; the DPI equipment is deep data packet detection equipment;
the IP determining module is used for determining an access record corresponding to the behavior of the illegal user in the access log, and determining an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal according to the access record and the IP flow log; wherein, the illegal user behavior is the behavior violating the normal IDC service regulation;
the violation flow determining module is used for acquiring target log data in a ticket log according to the suspected violation outer layer IP and determining the violation flow based on the target log data and the suspected violation inner layer IP by adopting a preset judging strategy; the preset judgment policy is a policy combination comprising an IDC machine room outward access traffic ranking, an IDC machine room outward access http get number ranking, a VPN suspected traffic ratio ranking, a pure outward access traffic ranking, an abnormal application statistics ranking and a terminal number ratio dimension;
The IP determination module is specifically further configured to: inquiring the IP flow log according to a user identifier contained in the access record to obtain an inner layer IP suspected to be illegal and an outer layer IP suspected to be illegal;
the illegal flow determination module is specifically used for: inquiring the ticket log according to the suspected illegal outer layer IP to obtain corresponding target log data in the ticket log; and carrying out multidimensional analysis on the suspected illegal inner layer IP according to the target log data, and determining whether the flow corresponding to the suspected illegal inner layer IP is illegal flow or not.
8. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, causing the one or more processors to implement the method of monitoring violation traffic as recited in any of claims 1-6.
9. A system for monitoring violation traffic, comprising a DPI device and an electronic device;
the DPI device is connected to the IDC network device in bypass mode and is configured to collect, by optical splitting or port mirroring, the data packets transmitted by the IDC network device through a VPN encrypted tunnel, parse the data packets to obtain the inner layer IP, the outer layer IP and the user behavior data, generate an IP flow log based on the inner layer IP and the outer layer IP, generate an access log based on the user behavior data, and send the IP flow log and the access log to a server;
the server is configured to perform the method for monitoring violation traffic as claimed in any one of claims 1 to 6.
10. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method of monitoring violation traffic as claimed in any of claims 1-6.
CN202210048641.9A 2022-01-17 2022-01-17 Method, device, electronic equipment, system and medium for monitoring illegal flow Active CN114422232B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210048641.9A CN114422232B (en) 2022-01-17 2022-01-17 Method, device, electronic equipment, system and medium for monitoring illegal flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210048641.9A CN114422232B (en) 2022-01-17 2022-01-17 Method, device, electronic equipment, system and medium for monitoring illegal flow

Publications (2)

Publication Number Publication Date
CN114422232A CN114422232A (en) 2022-04-29
CN114422232B true CN114422232B (en) 2024-03-22

Family

ID=81274024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210048641.9A Active CN114422232B (en) 2022-01-17 2022-01-17 Method, device, electronic equipment, system and medium for monitoring illegal flow

Country Status (1)

Country Link
CN (1) CN114422232B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110351307A (en) * 2019-08-14 2019-10-18 杭州安恒信息技术股份有限公司 Abnormal user detection method and system based on integrated study
CN111934954A (en) * 2020-08-11 2020-11-13 中国联合网络通信集团有限公司 Broadband detection method and device, electronic equipment and storage medium
CN112511459A (en) * 2020-11-23 2021-03-16 恒安嘉新(北京)科技股份公司 Traffic identification method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11201881B2 (en) * 2018-10-31 2021-12-14 Hewlett Packard Enterprise Development Lp Behavioral profiling of service access using intent to access in discovery protocols

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"COM13-LS161-attachment". 3GPP tsg_sa\WG2_Arch. 2011, full text. *
Application of machine-learning-based user and entity behavior analysis technology in account anomaly detection; 莫凡; 何帅; 孙佳; 范渊; 刘博; Communications Technology (No. 05); full text *

Also Published As

Publication number Publication date
CN114422232A (en) 2022-04-29

Similar Documents

Publication Publication Date Title
EP3496338B1 (en) Method for identifying application information in network traffic, and apparatus
CN108701187B (en) Apparatus and method for hybrid hardware-software distributed threat analysis
US9860154B2 (en) Streaming method and system for processing network metadata
US9185093B2 (en) System and method for correlating network information with subscriber information in a mobile network environment
KR101010302B1 (en) Security management system and method of irc and http botnet
US20190014084A1 (en) Hybrid hardware-software distributed threat analysis
CN106815112B (en) Massive data monitoring system and method based on deep packet inspection
EP3449600B1 (en) A data driven intent based networking approach using a light weight distributed sdn controller for delivering intelligent consumer experiences
Erlacher et al. On high-speed flow-based intrusion detection using snort-compatible signatures
JP2018531527A6 (en) Method and apparatus for identifying application information in network traffic
US20170134957A1 (en) System and method for correlating network information with subscriber information in a mobile network environment
Pulls et al. Website fingerprinting with website oracles
WO2014110293A1 (en) An improved streaming method and system for processing network metadata
US9055113B2 (en) Method and system for monitoring flows in network traffic
CN108123962A (en) A kind of method that BFS algorithms generation attack graph is realized using Spark
EP4293550A1 (en) Traffic processing method and protection system
CN113238923B (en) Service behavior tracing method and system based on state machine
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address
US8010526B1 (en) Instance counting and ranking
CN114422232B (en) Method, device, electronic equipment, system and medium for monitoring illegal flow
Brahmi et al. A Snort-based mobile agent for a distributed intrusion detection system
Holkovič et al. Automating network security analysis at packet-level by using rule-based engine
Doshi et al. Digital forensics analysis for network related data
Repetto et al. Leveraging the 5G architecture to mitigate amplification attacks
Abdurahiman Towards Residential Proxies Detection: An Experimental Analysis in the Android Environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant