CN115412366A - Traffic collection and filtration method based on dynamic IP white list of service provider - Google Patents

Info

Publication number: CN115412366A
Authority: CN (China)
Prior art keywords: white list, address, dynamic, flow, domain name
Legal status: Granted
Application number: CN202211333716.4A
Other languages: Chinese (zh)
Other versions: CN115412366B (en)
Inventors: 田红伟, 徐文勇, 王伟旭
Current Assignee: Chengdu Shumo Technology Co ltd
Original Assignee: Chengdu Shumo Technology Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H04L63/108: Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a traffic collection and filtering method based on a dynamic IP white list of a service provider, belonging to the field of traffic security analysis. The method comprises the following steps: extracting the DNS response traffic from the traffic, and matching the domain name in the question section of each response against a user-defined domain name white list of service providers; extracting the answer records of the successfully matched responses as IP address records and looking them up in an IP white list library; if an IP address is found, updating its insertion time, and if it is not found, inserting it into the IP white list library; obtaining the IP address of each IP session from the traffic and matching it against the IP white list library; and extracting the session traffic of the IPs that fail to match, which enters subsequent traffic security analysis. The invention uses the continuously updated dynamic IP white list library to filter and collect traffic, thereby eliminating normal service traffic, reducing interference and enabling targeted network security analysis.

Description

Traffic collection and filtration method based on dynamic IP white list of service provider
Technical Field
The invention relates to the field of traffic security analysis, in particular to a traffic collection and filtering method based on a dynamic IP white list of a service provider.
Background
Network traffic security analysis is an essential part of network security analysis work. As traffic volumes have surged, analysis has become more difficult, so normal service traffic needs to be eliminated and interference reduced.
In the prior art, patent CN114465791A discloses a method, an apparatus, a storage medium and a processor for establishing a white list in a network management device. The method includes: monitoring the type of DNS traffic in the network to obtain a monitoring result, where the monitoring result comprises one of DNS query traffic and DNS response traffic; matching all domain name information in the monitoring result against a target domain name template to obtain a target set, where the domain names in the target set are related to each other as domain name and sub-domain name; parsing the elements of the target set to obtain target information, which comprises at least a plurality of target domain names and the target IP address corresponding to each target domain name; and storing the target information in a target white list, which is used to manage and control internet traffic. That method and apparatus address the problem in the related art that the white list of a network management device takes effect on only part of the devices and that third-party network authentication is inefficient.
The above patent uses DNS resolution records to obtain a list of resolved IP addresses and uses that list to manage and control internet traffic. However, the method has the following disadvantages. First, the response IPs for a given domain name can change, and the target white list built by the steps of that patent cannot handle the updated response IPs, so misjudgments can occur in subsequent traffic control. Second, because the number of IP addresses is limited, the same IP address may correspond to different domain names at different times, so screening traffic with the white list carries a risk of wrong screening. Finally, the domain names entered in that patent are exact domain names; for domain names of more than two levels (pan.baidu.com, tieba.baidu.com), which cannot be enumerated exhaustively, the traffic collection and filtering function cannot be realized accurately.
To address these problems, the present patent sets the white list on the basis of the second-level domain names (baidu.com, sina.com.cn) of user-defined service providers (e.g., Baidu, Sina), continuously updates the white list with the DNS resolution results found in DNS traffic, and uses the resulting dynamic white list library to collect and filter traffic.
Disclosure of Invention
The invention aims to solve the problems in the prior art and provides a traffic collection and filtration method based on a dynamic IP white list of a service provider.
In order to achieve the above object, the technical solution of the present invention is as follows:
The traffic collection and filtering method based on a dynamic IP white list of a service provider comprises the following steps:
S1. Obtain the IP address of an IP session from the traffic and match it against the IP addresses in the dynamic IP white list library;
discard the IP session traffic corresponding to an IP address that matches;
collect the IP session traffic corresponding to an IP address that fails to match, pass it to subsequent traffic security analysis, and extract the DNS response traffic it contains;
S2. Extract the domain name in the question section of the DNS response and the timestamp of the data frame carrying the current DNS response, and match the extracted domain name against the user-defined domain name white list of service providers:
if the domain name does not match the white list, skip this response and continue with the next DNS response;
if it matches, extract the answer records of the DNS response as the A records of IP addresses;
S3. Traverse the IP addresses in the A records and, for each, either add it to the dynamic IP white list library or update its insertion time;
S4. Apply the dynamic IP white list library obtained in step S3 to step S1 to filter and collect the traffic.
In one embodiment, in step S1, if the IP address matches the dynamic IP white list library, the latest insertion time of the IP address in the library is read and it is determined whether the insertion time has expired:
if it has not expired, the IP session traffic corresponding to the IP address is discarded;
if it has expired, the IP address is deleted from the dynamic IP white list library, but the IP session traffic corresponding to the IP address is retained.
In one embodiment, whether the insertion time has expired is determined as follows:
if the current traffic collection time minus the latest insertion time is greater than or equal to the time to live (TTL), the insertion time has expired;
if the current traffic collection time minus the latest insertion time is less than the TTL, the insertion time has not expired.
In one embodiment, the TTL is a preset white list expiration time, determined according to the data volume of the dynamic IP white list library or the domain name resolution frequency.
In one embodiment, in step S1, the traffic is first grouped by IP session so that the traffic of each IP session appears in only one group; the IP address of the IP session in each group is then obtained and matched against the IP addresses in the dynamic IP white list library.
In one embodiment, in step S2, after the domain name in the question section of the DNS response is extracted, it is split to obtain the second-level domain name, which is then matched against the user-defined domain name white list of service providers.
In one embodiment, the dynamic IP white list library is a hash table with the IP address as the key and a timestamp as the value.
In one embodiment, step S3 specifically includes:
traversing the IP addresses in the A records and looking up the corresponding key in the dynamic IP white list library;
if the key is not found, inserting a record with the IP address as the key and the timestamp as the value into the dynamic IP white list library;
if the key is found, updating the timestamp stored under that key in the dynamic IP white list library to the timestamp of the data frame.
In summary, the invention has the following advantages:
1. The invention uses the resolution records in the DNS responses found in the traffic to build a dynamic IP white list library of resolved addresses, and uses this continuously updated library to filter and collect traffic, thereby eliminating normal service traffic, reducing interference and enabling targeted network security analysis;
2. To keep the dynamic IP white list library valid, a time to live (TTL) is used to compute the validity period of each IP address's insertion time. This prevents missed collection caused by different service providers using the same IP in different time periods, keeps the dynamic IP white list library valid in reasonable scenarios, and improves the security and reliability of traffic filtering and collection;
3. The dynamic IP white list library is generated and updated at the same time as traffic is filtered and collected, and is updated continuously during collection, which reduces misjudgment and improves the security and reliability of traffic filtering and collection;
4. The invention records and updates the domain name resolutions of service providers by second-level domain name, which makes input more convenient and effective, suits the filtering scenario and has a wider range of application.
Drawings
FIG. 1 is an overall flow diagram of the process of the present invention;
FIG. 2 is a flow chart of dynamic IP white list generation in accordance with the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1
This embodiment provides a traffic collection and filtering method based on a dynamic IP white list of a service provider which, as shown in FIG. 1 and FIG. 2, includes the following steps:
Step one: obtain the IP address of an IP session from the traffic and match it against the IP addresses in the dynamic IP white list library. The dynamic IP white list library is a hash table with the IP address as the key and a timestamp as the value.
If the match succeeds, the IP address is treated as white-listed and the IP session traffic corresponding to it is discarded;
if the match fails, the IP session traffic corresponding to the IP address is collected and passed to subsequent traffic security analysis, and the DNS response traffic in it is extracted.
Step two: extract the domain name (such as www.tieba.baidu.com) in the question section of the DNS response and the timestamp of the data frame carrying the current DNS response, and match the extracted domain name against the user-defined domain name white list of service providers:
if the domain name does not match the white list, skip this response and continue with the next DNS response;
if it matches, extract the answer records of the DNS response as the A records of IP addresses.
Step three: traverse the IP addresses in the A records and, for each, either add it to the dynamic IP white list library or update its insertion time.
Step four: apply the dynamic IP white list library obtained in step three to the traffic filtering and collection of step one.
The invention uses the resolution records in the DNS responses found in the traffic to build a dynamic IP white list library of resolved addresses, and uses this continuously updated library to filter and collect traffic, thereby eliminating normal service traffic, reducing interference and enabling targeted network security analysis.
Example 2
This embodiment provides a traffic collection and filtering method based on a dynamic IP white list of a service provider. Building on embodiment 1, and as shown in FIG. 1, it additionally uses a TTL (Time To Live) to compute the validity period of each IP address's insertion time.
In step one, if the IP address matches the dynamic IP white list library, the latest insertion time of the IP address in the library is read and it is determined whether the insertion time has expired, as follows:
if the current traffic collection time minus the latest insertion time is greater than or equal to the TTL, the insertion time has expired;
if the current traffic collection time minus the latest insertion time is less than the TTL, the insertion time has not expired.
The TTL is the user-defined expiration time of the IP address white list and may be set to 1 hour, 1 day, etc., depending on the data volume of the IP address white list or the domain name resolution frequency.
If the entry has not expired, the IP session traffic corresponding to the IP address is white-listed traffic, and the traffic of that IP session is discarded;
if the entry has expired, the white list entry for the IP is invalid: the IP address is deleted from the white list library, and the IP session traffic corresponding to the IP address is retained for traffic security analysis.
In this embodiment, the TTL is used to compute the validity period of the IP address insertion time, which prevents missed collection caused by different service providers using the same IP address, keeps the dynamic IP white list library valid in reasonable scenarios, and improves the security and reliability of traffic filtering and collection.
Example 3
This embodiment provides a traffic collection and filtering method based on a dynamic IP white list of a service provider, which includes the following steps:
Step one: group the traffic by IP session, ensuring that the traffic of one IP session appears in only one group. Once an IP session has been judged to be white-listed, it need not be checked against the white list again until the session ends, which improves traffic filtering performance.
Obtain the IP address of the IP session in each group and match it against the IP addresses in the dynamic IP white list library. The dynamic IP white list library is a hash table with the IP address as the key and a timestamp as the value.
If the match succeeds, the IP address is treated as white-listed and the IP session traffic corresponding to it is discarded;
if the match fails, the IP session traffic corresponding to the IP address is collected and passed to subsequent traffic security analysis, and the DNS response traffic in it is extracted.
Step two: extract the domain name (such as www.tieba.baidu.com) in the question section of the DNS response and the timestamp of the data frame carrying the current DNS response, and match the extracted domain name against the user-defined domain name white list of service providers.
Further, the extracted domain name is split to obtain the second-level domain name (such as baidu.com), and the second-level domain name is matched against the user-defined domain name white list of service providers. When matching, any sub-domain name under the second-level domain name can hit the domain name white list, such as pan. Recording and updating the domain name resolutions of user-defined service providers by second-level domain name makes input more convenient and effective, suits the filtering scenario and has a wider range of application. The user-defined domain name white list of service providers mainly consists of well-known service providers with large international traffic, such as baidu.
If the domain name does not match the white list, skip this response and continue with the next DNS response.
If the domain name matches the white list, extract the answer records of the DNS response as the A records of IP addresses.
Step three: traverse the IP addresses in the A records and, for each, either add it to the dynamic IP white list library or update its insertion time. More specifically:
traverse the IP addresses in the A records and look up the corresponding key in the dynamic IP white list library:
if the key is not found, the IP address has been resolved for the first time, and a record with the IP address as the key and the timestamp as the value is inserted into the dynamic IP white list library;
if the key is found, the IP address has already been resolved from a domain name, and the timestamp stored under that key in the dynamic IP white list library is updated to the timestamp of the data frame.
Step four: apply the dynamic IP white list library obtained in step three to step one to filter and collect the traffic.
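The four steps, together with the TTL check of Example 2 and the session grouping of Example 3, can be exercised with the following added Python example; it is not code from the patent. It assumes packets are already decoded into dictionaries (the class, function and key names `ts`, `session`, `remote_ip` and `dns_response` are hypothetical), that the address matched in step one is the remote endpoint of the session, and that the sample packets and addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DynamicIpWhitelist:
    """Hypothetical names throughout; the patent only specifies the behaviour."""
    provider_domains: set  # user-defined domain white list, e.g. {"baidu.com"}
    ttl: float             # white list expiration time, in seconds
    table: dict = field(default_factory=dict)  # hash table: IP -> insertion time

    def domain_allowed(self, qname):
        """True if qname is a listed domain or any sub-domain of one."""
        labels = qname.rstrip(".").lower().split(".")
        # Compare whole-label suffixes, so "notbaidu.com" never hits "baidu.com"
        # and "sina.com.cn" works without a public-suffix list.
        return any(".".join(labels[i:]) in self.provider_domains
                   for i in range(len(labels)))

    def learn(self, qname, a_records, frame_ts):
        """Steps two and three: insert or refresh every A-record address."""
        if not self.domain_allowed(qname):
            return 0                    # not a listed provider: skip the response
        for ip in a_records:
            self.table[ip] = frame_ts   # new key inserted, existing key refreshed
        return len(a_records)

    def is_whitelisted(self, ip, now):
        """Step one lookup with the TTL check of Example 2."""
        inserted = self.table.get(ip)
        if inserted is None:
            return False
        if now - inserted >= self.ttl:  # expired: delete entry, keep the traffic
            del self.table[ip]
            return False
        return True


def filter_traffic(packets, wl):
    """Return the packets kept for security analysis, updating wl on the way."""
    dropped_sessions = set()  # sessions already judged white-listed (Example 3)
    collected = []
    for pkt in packets:       # session end is not modelled in this example
        if pkt["session"] in dropped_sessions:
            continue          # no second lookup for a session already dropped
        if wl.is_whitelisted(pkt["remote_ip"], pkt["ts"]):
            dropped_sessions.add(pkt["session"])
            continue
        collected.append(pkt)
        dns = pkt.get("dns_response")
        if dns:               # DNS responses are taken from the collected traffic
            wl.learn(dns["qname"], dns["a"], pkt["ts"])
    return collected


# Constructed sample traffic (documentation address ranges), ts in seconds.
SAMPLE = [
    # Resolver answers for a listed provider: collected, 198.51.100.10 learned.
    {"ts": 0, "session": "s1", "remote_ip": "192.0.2.53",
     "dns_response": {"qname": "pan.baidu.com.", "a": ["198.51.100.10"]}},
    # Session to the learned address: dropped, second packet skipped via cache.
    {"ts": 5, "session": "s2", "remote_ip": "198.51.100.10"},
    {"ts": 6, "session": "s2", "remote_ip": "198.51.100.10"},
    # Look-alike domain: response is collected but nothing is learned from it.
    {"ts": 7, "session": "s3", "remote_ip": "192.0.2.53",
     "dns_response": {"qname": "www.notbaidu.com.", "a": ["203.0.113.7"]}},
    {"ts": 8, "session": "s4", "remote_ip": "203.0.113.7"},
    # Same address after the TTL has passed: entry deleted, traffic collected.
    {"ts": 4000, "session": "s5", "remote_ip": "198.51.100.10"},
]


def run_sample():
    """Filter SAMPLE with a one-hour TTL; return kept session ids and the table."""
    wl = DynamicIpWhitelist({"baidu.com", "sina.com.cn"}, ttl=3600)
    kept = filter_traffic(SAMPLE, wl)
    return [p["session"] for p in kept], wl.table


if __name__ == "__main__":
    print(run_sample())
```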
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the design techniques described herein may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and any reference signs shall not be construed as limiting the claims concerned.
Therefore, the above description covers only some embodiments of the present invention and is not intended to limit its scope; all equivalent devices or equivalent processes based on the present invention, whether applied directly or indirectly in other related technical fields, are likewise included in the scope of the present invention.

Claims (8)

1. A traffic collection and filtering method based on a dynamic IP white list of a service provider, characterized by comprising the following steps:
S1. obtaining the IP address of an IP session from the traffic and matching it against the IP addresses in the dynamic IP white list library;
discarding the IP session traffic corresponding to an IP address that matches;
collecting the IP session traffic corresponding to an IP address that fails to match, passing it to subsequent traffic security analysis, and extracting the DNS response traffic it contains;
S2. extracting the domain name in the question section of the DNS response and the timestamp of the data frame carrying the current DNS response, and matching the extracted domain name against the user-defined domain name white list of service providers:
if the domain name does not match the white list, skipping this response and continuing with the next DNS response;
if it matches, extracting the answer records of the DNS response as the A records of IP addresses;
S3. traversing the IP addresses in the A records and, for each, either adding it to the dynamic IP white list library or updating its insertion time;
S4. applying the dynamic IP white list library obtained in step S3 to step S1 to filter and collect the traffic.
2. The traffic collection and filtering method based on the dynamic IP white list of the service provider according to claim 1, wherein in step S1, if the IP address matches the dynamic IP white list library, the latest insertion time of the IP address in the library is read and it is determined whether the insertion time has expired:
if it has not expired, the IP session traffic corresponding to the IP address is discarded;
if it has expired, the IP address is deleted from the dynamic IP white list library, but the IP session traffic corresponding to the IP address is retained.
3. The traffic collection and filtering method based on the dynamic IP white list of the service provider according to claim 2, wherein whether the insertion time has expired is determined as follows:
if the current traffic collection time minus the latest insertion time is greater than or equal to the time to live (TTL), the insertion time has expired;
if the current traffic collection time minus the latest insertion time is less than the TTL, the insertion time has not expired.
4. The traffic collection and filtering method according to claim 3, wherein the TTL is a preset white list expiration time and is set as appropriate according to the data volume of the dynamic IP white list library or the domain name resolution frequency.
5. The traffic collection and filtering method based on the dynamic IP white list of the service provider according to claim 1, wherein in step S1, the traffic is first grouped by IP session so that the traffic of each IP session appears in only one group, and the IP address of the IP session in each group is then obtained and matched against the IP addresses in the dynamic IP white list library.
6. The traffic collection and filtering method based on the dynamic IP white list of the service provider according to claim 1, wherein in step S2, after the domain name in the question section of the DNS response is extracted, it is split to obtain the second-level domain name, which is then matched against the user-defined domain name white list of service providers.
7. The traffic collection and filtering method according to claim 1, wherein the dynamic IP white list library is a hash table with the IP address as the key and a timestamp as the value.
8. The traffic collection and filtering method based on the dynamic IP white list of the service provider according to claim 1, wherein step S3 specifically includes:
traversing the IP addresses in the A records and looking up the corresponding key in the dynamic IP white list library;
if the key is not found, inserting a record with the IP address as the key and the timestamp as the value into the dynamic IP white list library;
if the key is found, updating the timestamp stored under that key in the dynamic IP white list library to the timestamp of the data frame.
CN202211333716.4A 2022-10-28 2022-10-28 Traffic collection and filtration method based on dynamic IP white list of service provider Active CN115412366B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211333716.4A CN115412366B (en) 2022-10-28 2022-10-28 Traffic collection and filtration method based on dynamic IP white list of service provider

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211333716.4A CN115412366B (en) 2022-10-28 2022-10-28 Traffic collection and filtration method based on dynamic IP white list of service provider

Publications (2)

Publication Number Publication Date
CN115412366A (en) 2022-11-29
CN115412366B (en) 2023-01-31

Family

ID=84167594

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211333716.4A Active CN115412366B (en) 2022-10-28 2022-10-28 Traffic collection and filtration method based on dynamic IP white list of service provider

Country Status (1)

Country Link
CN (1) CN115412366B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634315A (en) * 2013-11-29 2014-03-12 杜跃进 Front end control method and system of domain name server (DNS)
CN104468631A (en) * 2014-12-31 2015-03-25 国家电网公司 Network intrusion identification method based on anomaly flow and black-white list library of IP terminal
CN104639391A (en) * 2015-01-04 2015-05-20 中国联合网络通信集团有限公司 Method for generating network flow record and corresponding flow detection equipment
CN106506486A (en) * 2016-11-03 2017-03-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN107835149A (en) * 2017-09-13 2018-03-23 杭州安恒信息技术有限公司 Network based on DNS flow analyses is stolen secret information behavioral value method and device
CN109391599A (en) * 2017-08-10 2019-02-26 蓝盾信息安全技术股份有限公司 A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis
US20200177606A1 (en) * 2018-11-30 2020-06-04 Cisco Technology, Inc. Synergistic dns security update
CN111404912A (en) * 2020-03-11 2020-07-10 成都千立网络科技有限公司 Domain name detection method and device based on IP white list
CN112751801A (en) * 2019-10-30 2021-05-04 中国科学院声学研究所 Method, device and equipment for filtering denial of service attack based on IP white list
CN114465791A (en) * 2022-01-25 2022-05-10 杭州盈高科技有限公司 Method and device for establishing white list in network management equipment, storage medium and processor

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634315A (en) * 2013-11-29 2014-03-12 杜跃进 Front end control method and system of domain name server (DNS)
CN104468631A (en) * 2014-12-31 2015-03-25 国家电网公司 Network intrusion identification method based on anomaly flow and black-white list library of IP terminal
CN104639391A (en) * 2015-01-04 2015-05-20 中国联合网络通信集团有限公司 Method for generating network flow record and corresponding flow detection equipment
CN106506486A (en) * 2016-11-03 2017-03-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN109391599A (en) * 2017-08-10 2019-02-26 蓝盾信息安全技术股份有限公司 A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis
CN107835149A (en) * 2017-09-13 2018-03-23 杭州安恒信息技术有限公司 Network based on DNS flow analyses is stolen secret information behavioral value method and device
US20200177606A1 (en) * 2018-11-30 2020-06-04 Cisco Technology, Inc. Synergistic dns security update
WO2020112402A1 (en) * 2018-11-30 2020-06-04 Cisco Technology, Inc. Synergistic dns security update
CN112751801A (en) * 2019-10-30 2021-05-04 中国科学院声学研究所 Method, device and equipment for filtering denial of service attack based on IP white list
CN111404912A (en) * 2020-03-11 2020-07-10 成都千立网络科技有限公司 Domain name detection method and device based on IP white list
CN114465791A (en) * 2022-01-25 2022-05-10 杭州盈高科技有限公司 Method and device for establishing white list in network management equipment, storage medium and processor

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
XIAOCHEN CHEN; XI YU; FANGQIN XU: ""Research and Implementation of DNS-White-List Tool Based on C#.NET"", 《2011 INTERNATIONAL CONFERENCE OF INFORMATION TECHNOLOGY, COMPUTER ENGINEERING AND MANAGEMENT SCIENCES》 *
张维维; 龚俭; 刘尚东; 胡晓艳: ""面向主干网的DNS流量监测"", 《软件学报》 *

Also Published As

Publication number Publication date
CN115412366B (en) 2023-01-31

Similar Documents

Publication Publication Date Title
US11354364B2 (en) Client application fingerprinting based on analysis of client requests
Glatz et al. Classifying internet one-way traffic
US20080320119A1 (en) Automatically identifying dynamic Internet protocol addresses
CN106657001A (en) Botnet detection method based on Netflow and DNS blog
CN110808879B (en) Protocol identification method, device, equipment and readable storage medium
WO2016190868A1 (en) Processing network data using a graph data structure
EP2869508A1 (en) Method for receiving message, and deep packet inspection device and system
CN101502052B (en) Nat and proxy device detection
CN108282414B (en) Data stream guiding method, server and system
O'neill et al. A methodology for sampling the world wide web
CN111355817B (en) Domain name resolution method, device, security server and medium
CN112787946B (en) Method for eliminating noise data caused by network blockage during network data acquisition
CN111371914A (en) IP library generation method, domain name resolution method, electronic device and readable storage medium
CN111328067B (en) User information checking method, device, system, equipment and medium
CN115412366B (en) Traffic collection and filtration method based on dynamic IP white list of service provider
CN112367340B (en) Intranet asset risk assessment method, device, equipment and medium
CN110933082B (en) Method, device and equipment for identifying lost host and storage medium
CN112087532A (en) Information acquisition method, device, equipment and storage medium
CN115361357B (en) Network scheduling system, method and device, electronic equipment and storage medium
CN114567501B (en) Automatic asset identification method, system and equipment based on label scoring
CN113766046B (en) Iterative traffic tracking method, DNS server and computer readable storage medium
CN1852149A (en) Method for verifying network-unit server in network management system
CN115297033A (en) Internet of things terminal flow auditing method and system
CN112671949A (en) Method and system for associating session before and after NAT according to syslog
CN112769969B (en) DNS recursive differentiated service method, equipment and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant