CN115967582A - Monitoring method and device for industrial internet node, equipment and medium - Google Patents

Publication number
CN115967582A
Authority
CN
China
Prior art keywords
node
target dns
preset
dns node
monitoring
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310251221.5A
Other languages
Chinese (zh)
Inventor
田娟
谢滨
刘阳
池程
朱斯语
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Information and Communications Technology CAICT
Original Assignee
China Academy of Information and Communications Technology CAICT

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The embodiment of the disclosure discloses a monitoring method, a monitoring device, equipment and a medium for industrial internet nodes, wherein the monitoring method comprises the following steps: acquiring a query rate per second of a target Domain Name System (DNS) node in a first preset time period and a network protocol address for querying the target DNS node in the first preset time period by using a monitoring node in a domain name system of an industrial internet; if the query rate per second of the first network protocol address in the first preset time period is larger than a preset query rate per second threshold value, determining that the target DNS node is suspected to be attacked by the first network protocol address; and displaying the registration information of the first network protocol address, the query rate per second information of the first network protocol address and the information of the target DNS node. The embodiment of the disclosure can help to prevent the DNS node from being attacked again by the same attacking means, and improve the security of the DNS node, thereby improving the security of the domain name system.

Description

Monitoring method and device for industrial internet node, equipment and medium
Technical Field
The disclosure relates to the technical field of industrial internet, in particular to a monitoring method, a monitoring device, monitoring equipment and monitoring media for industrial internet nodes.
Background
The industrial internet is a new type of infrastructure, application mode and industrial ecosystem in which information and communication technology is deeply integrated with the industrial economy. By comprehensively connecting people, machines, objects, systems and the like, it builds a new manufacturing and service system covering the whole industrial chain and the whole value chain, providing a path toward the digital, networked and intelligent development of industry and even of industries more broadly.
A domain name system is provided in the industrial internet. When the domain name system suffers a security attack, for example a Distributed Denial of Service (DDOS) attack, it may be unable to provide domain name resolution service normally. How to improve the security of the domain name system is therefore a problem that urgently needs to be solved.
Disclosure of Invention
The embodiment of the disclosure provides a monitoring method, a monitoring device, equipment and a monitoring medium for industrial internet nodes, which can improve the security of a domain name system.
In a first aspect of the embodiments of the present disclosure, a method for monitoring an industrial internet node is provided, including:
acquiring a query rate per second of a target DNS node in a first preset time period and a network protocol address for querying the target DNS node in the first preset time period by using a monitoring node in a domain name system of an industrial internet, wherein the monitoring node comprises at least one of an active monitoring node and a passive monitoring node, the active monitoring node acquires information of the target DNS node according to a preset active monitoring rule, and the passive monitoring node acquires the information of the target DNS node according to a data acquisition instruction;
if the query rate per second of a first network protocol address in the first preset time period is larger than a preset query rate per second threshold value, determining that the target DNS node is suspected to be attacked by the first network protocol address;
and displaying the registration information of the first network protocol address, the query rate per second information of the first network protocol address and the information of the target DNS node.
In an embodiment of the present disclosure, the displaying the registration information of the first network protocol address and the query rate per second information of the first network protocol address includes:
acquiring registration information of the first network protocol address, wherein the registration information comprises a province and an operator to which the first network protocol address belongs;
acquiring a peak value of a query rate per second of the first network protocol address to the target DNS node within the first preset time period and a time point of the peak value of the query rate per second;
and displaying the province and operator of the first network protocol address, the peak value of the query rate per second, the time point and the registration information of the target DNS node through a webpage.
In one embodiment of the present disclosure, further comprising:
performing heartbeat detection on the target DNS node by using the monitoring node to obtain a first ratio between the number of response heartbeat requests of the target DNS node and the total number of heartbeat requests;
acquiring a second ratio of the target DNS node in the heartbeat detection period by using the monitoring node, wherein the second ratio is the ratio between the query rate per second of the target DNS node and the maximum query rate per second;
and if the first ratio is greater than a first preset threshold and the second ratio is greater than a second preset threshold, determining that the heartbeat detection of the target DNS node is successful.
In one embodiment of the present disclosure, further comprising:
performing network delay detection on the target DNS node by using the monitoring node to obtain the average network delay of the target DNS node in a second preset time;
and if the average network delay is smaller than a preset network delay threshold value, determining that the network delay detection of the target DNS node is successful.
In one embodiment of the present disclosure, further comprising:
carrying out health detection on the target DNS node by using the monitoring node to obtain an average network delay, an average load rate and a heartbeat request response rate of the target DNS node in a third preset time, wherein the average load rate is a ratio of an average query rate per second to a maximum query rate per second of the target DNS node, and the heartbeat request response rate is a ratio of the number of response heartbeat requests of the target DNS node to the total number of heartbeat requests;
and determining a health detection result of the target DNS node based on the numerical relationship between the average network delay and a preset network delay threshold value, the numerical relationship between the average load rate and a preset load rate threshold value, and the numerical relationship between the heartbeat request response rate and a preset heartbeat request response rate threshold value.
In one embodiment of the present disclosure, further comprising:
performing analysis delay detection on the target DNS node by using the monitoring node to obtain the average analysis delay of the target DNS node;
and if the average analysis delay is smaller than a preset analysis delay threshold value, determining that the analysis delay detection of the target DNS node is successful.
In one embodiment of the present disclosure, further comprising:
and if the detection result of the preset detection of the target DNS node is failure, giving an alarm, wherein the preset detection comprises at least one of heartbeat detection, network delay detection, health detection and analysis delay detection.
In a second aspect of the embodiments of the present disclosure, a monitoring device for an industrial internet node is provided, including:
the system comprises an acquisition module and a processing module, wherein the acquisition module is used for acquiring the query rate per second of a target DNS node in a first preset time period and a network protocol address for querying the target DNS node in the first preset time period by using a monitoring node in a domain name system of the industrial internet, the monitoring node comprises at least one of an active monitoring node and a passive monitoring node, the active monitoring node acquires the information of the target DNS node according to a preset active monitoring rule, and the passive monitoring node acquires the information of the target DNS node according to a data acquisition instruction;
the attack determining module is used for determining that the target DNS node is suspected to be attacked by the first network protocol address if the query rate per second of the first network protocol address in the first preset time period is greater than a preset query rate per second threshold value;
and the display module is used for displaying the registration information of the first network protocol address, the query rate per second information of the first network protocol address and the information of the target DNS node.
In an embodiment of the present disclosure, the display module is configured to acquire registration information of the first network protocol address, where the registration information includes a province and an operator to which the first network protocol address belongs; the display module is further configured to acquire a peak value of a query rate per second of the first network protocol address to the target DNS node within the first preset time period and a time point of the peak value of the query rate per second; the display module is further configured to display, through a web page, the province and the operator of the first network protocol address, the peak value of the query rate per second, the time point, and the registration information of the target DNS node.
In one embodiment of the present disclosure, the monitoring apparatus of the industrial internet node further includes:
the heartbeat detection module is used for carrying out heartbeat detection on the target DNS node by using the monitoring node to obtain a first ratio between the response heartbeat request quantity of the target DNS node and the total quantity of the heartbeat requests; the heartbeat detection module is further configured to acquire, by using the monitoring node, a second ratio of the target DNS node during the heartbeat detection, where the second ratio is a ratio between a query rate per second of the target DNS node and a maximum query rate per second; the heartbeat detection module is further configured to determine that the heartbeat detection of the target DNS node is successful if the first ratio is greater than a first preset threshold and the second ratio is greater than a second preset threshold.
In one embodiment of the present disclosure, the monitoring apparatus for an industrial internet node further includes:
the network delay detection module is used for carrying out network delay detection on the target DNS node by using the monitoring node to obtain the average network delay of the target DNS node in a second preset time; the network delay detection module is further configured to determine that the network delay detection of the target DNS node is successful if the average network delay is smaller than a preset network delay threshold.
In one embodiment of the present disclosure, the monitoring apparatus of the industrial internet node further includes:
the health detection module is used for performing health detection on the target DNS node by using the monitoring node to obtain an average network delay, an average load rate and a heartbeat request response rate of the target DNS node in a third preset time, wherein the average load rate is a ratio of an average query rate per second to a maximum query rate per second of the target DNS node, and the heartbeat request response rate is a ratio of the number of response heartbeat requests of the target DNS node to the total number of heartbeat requests; the health detection module is further used for determining a health detection result of the target DNS node based on a numerical relationship between the average network delay and a preset network delay threshold, a numerical relationship between the average load rate and a preset load rate threshold, and a numerical relationship between the heartbeat request response rate and a preset heartbeat request response rate threshold.
In one embodiment of the present disclosure, the monitoring apparatus for an industrial internet node further includes:
the analysis delay detection module is used for carrying out analysis delay detection on the target DNS node by using the monitoring node to obtain the average analysis delay of the target DNS node; the analysis delay detection module is further configured to determine that the analysis delay detection of the target DNS node is successful if the average analysis delay is smaller than a preset analysis delay threshold.
In one embodiment of the present disclosure, the monitoring apparatus for an industrial internet node further includes:
and the alarm module is used for giving an alarm if the detection result of the preset detection on the target DNS node is failure, wherein the preset detection comprises at least one of heartbeat detection, network delay detection, health detection and analysis delay detection.
In a third aspect of the embodiments of the present disclosure, an electronic device is provided, which includes:
a memory for storing a computer program;
and a processor, configured to execute the computer program stored in the memory, and when the computer program is executed, implement the monitoring method for an industrial internet node according to the first aspect.
In a fourth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, where the computer program is executed by a processor to implement the monitoring method for the industrial internet node according to the first aspect.
According to the monitoring method, device, equipment and medium for an industrial internet node of the present disclosure, the monitoring node in the domain name system of the industrial internet is used to obtain the query rate per second of a target DNS node in a first preset time period and the network protocol address used to query the target DNS node. If the query rate per second of a first network protocol address in the first preset time period is greater than the preset query rate per second threshold, it can reasonably be determined that the target DNS node is suspected of being attacked (for example, by a DDOS attack or a DOS attack) by the first network protocol address. By displaying the registration information of the first network protocol address, the query rate per second information of the first network protocol address, and the information of the target DNS node, staff can quickly and accurately judge from the displayed information whether the target DNS node is under attack and the type of the attack. This in turn helps staff prevent the DNS node from being attacked again by the same means and improves the security of the DNS node, thereby improving the security of the domain name system.
The technical solution of the present disclosure is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a schematic flow chart diagram of a monitoring method for an industrial Internet node according to an embodiment of the present disclosure;
FIG. 2 is a block diagram of a monitoring device for an industrial Internet node according to an embodiment of the present disclosure;
FIG. 3 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
It will be understood by those within the art that the terms "first", "second", etc. in the embodiments of the present disclosure are used only for distinguishing between different steps, devices or modules, etc., and do not denote any particular technical meaning or necessary logical order therebetween.
It is also understood that in embodiments of the present disclosure, "a plurality" may refer to two or more than two, and "at least one" may refer to one, two or more than two.
It is also to be understood that any reference to any component, data, or structure in the embodiments of the disclosure, may be generally understood as one or more, unless explicitly defined otherwise or stated otherwise.
In addition, the term "and/or" in the present disclosure is only one kind of association relationship describing an associated object, and means that three kinds of relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in the present disclosure generally indicates that the former and latter associated objects are in an "or" relationship.
It should also be understood that the description of the embodiments in the present disclosure emphasizes the differences between the embodiments, and the same or similar parts may be referred to each other, and are not repeated for brevity.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be discussed further in subsequent figures.
The disclosed embodiments may be applied to electronic devices such as terminal devices, computer systems, servers, etc., which are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known terminal devices, computing systems, environments, and/or configurations that may be suitable for use with electronic devices, such as terminal devices, computer systems, servers, and the like, include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network personal computers, small computer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above, and the like.
Electronic devices such as terminal devices, computer systems, servers, etc. may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
Fig. 1 is a schematic flow chart of a monitoring method for an industrial internet node according to an embodiment of the present disclosure. As shown in fig. 1, the monitoring method for the industrial internet node includes:
S1: Using a monitoring node in the Domain Name System (DNS) of the industrial internet, acquire the query rate per second (QPS) of a target DNS node in a first preset time period and the network protocol address used to query the target DNS node in the first preset time period.
The domain name system of the industrial internet can comprise an acquisition platform, a monitoring node and a DNS node.
The acquisition platform is used for acquiring the operating parameters of the DNS node through the monitoring node and sending a data acquisition instruction to the monitoring node.
The monitoring nodes comprise active monitoring nodes and passive monitoring nodes. The active monitoring node can acquire information of a target DNS node according to a preset active monitoring rule and then send the information to a domain name system of the industrial Internet. The preset active monitoring rule may include collecting the operation parameters of the target DNS node once every preset time. And the passive monitoring node acquires the information of the target DNS node according to the instruction sent by the industrial Internet domain name system and then sends the information to the acquisition platform.
There are multiple DNS nodes, which are used to perform DNS resolution. The target DNS node may include one or more DNS nodes. When DDOS attacks need to be monitored, the target DNS node includes multiple DNS nodes. When a single Denial of Service (DOS) attack needs to be monitored, the target DNS node includes one DNS node.
The first preset time period may be a time period with the current time as the end time node and a time length of a preset duration, for example, the first preset time period may be a time period with the current time as the end time node and a time length of N days or M months. Wherein N and M are integers greater than 0.
The information storage device of the target DNS node stores the QPS data of that node and the network protocol addresses used to query the target DNS node. The network protocol address may include an Internet Protocol (IP) address. The monitoring node can read the query rate per second of the target DNS node in the first preset time period and the corresponding network protocol address from the information storage device of the target DNS node.
S2: if the query rate per second of the first network protocol address in the first preset time period is larger than a preset query rate per second threshold value, the target DNS node is determined to be suspected to be attacked by the first network protocol address.
Since a DDOS attack may be performed by a single IP address on multiple DNS nodes in the target DNS node, and the QPS of that single IP address is typically high in a DDOS attack (e.g., higher than 2000 queries per second), the embodiments of the present disclosure may determine that the target DNS node is suspected of being subjected to a DDOS attack by the first network protocol address if the QPS of the first network protocol address (e.g., a certain IP address) against multiple DNS nodes in the target DNS node exceeds the preset query rate per second threshold (e.g., 2000 queries per second) within the first preset time period.
Since a DOS attack may be performed by a single IP address on one DNS node in the target DNS node, and the QPS of that single IP address is generally high in a DOS attack (e.g., higher than 100 queries per second), the embodiments of the present disclosure may determine that the target DNS node is suspected of being subjected to a DOS attack by the first network protocol address if the QPS of the first network protocol address (e.g., a certain IP address) against the target DNS node exceeds the preset query rate per second threshold (e.g., 100 queries per second) within the first preset time period.
S3: Display the registration information of the first network protocol address, the query rate per second information of the first network protocol address and the information of the target DNS node.
The registration information of the first network protocol address, the query rate per second information of the first network protocol address and the information of the target DNS node can be displayed through a webpage, or on a terminal bound to a staff member of the industrial internet node, so that staff can quickly and accurately judge from the displayed information whether the target DNS node is under attack and the type of the attack.
In this embodiment, a monitoring node in the domain name system of the industrial internet is used to obtain the query rate per second of a target DNS node in a first preset time period and the network protocol address used to query the target DNS node. If the query rate per second of the first network protocol address in the first preset time period is greater than the preset query rate per second threshold, it can reasonably be determined that the target DNS node is suspected of being attacked (for example, by a DDOS attack or a DOS attack) by the first network protocol address. By displaying the registration information of the first network protocol address, the query rate per second information of the first network protocol address, and the information of the target DNS node, staff can quickly and accurately judge from the displayed information whether the target DNS node is under attack and the type of the attack. This in turn helps staff prevent the DNS node from being attacked again by the same means and improves the security of the DNS node, thereby improving the security of the domain name system.
In an embodiment of the present disclosure, step S3 may include:
S3-1: Acquire the registration information of the first network protocol address.
The registration information of the first network protocol address may be obtained from a server of the domain name system of the industrial internet. The registration information may include the province and the operator to which the first network protocol address belongs, and may also include information about the operator, such as its registered address, business scope, main business and contact details.
S3-2: Acquire the peak value of the query rate per second of the first network protocol address against the target DNS node in the first preset time period and the time point of that peak value.
The peak value of the query rate per second of the first network protocol address to the target DNS node in the first preset time period and the time point corresponding to the peak value of the query rate per second may be extracted from the information storage device of the target DNS node, and details of the query rate per second of the first network protocol address in the first preset time period may also be extracted from the information storage device.
S3-3: Display, through a webpage, the province and operator of the first network protocol address, the peak value of the query rate per second, the time point and the registration information of the target DNS node.
By displaying the province and operator of the first network protocol address, the peak value of the query rate per second, the time point and the registration information of the target DNS node, the method is beneficial for workers of a domain name system of the industrial internet to analyze and determine whether the first network protocol address attacks the target DNS node.
In this embodiment, the province and the operator of the first network protocol address, the query rate peak value per second, the time point corresponding to the query rate peak value per second, and the registration information of the target DNS node are displayed through the web page, which can reasonably help the staff of the domain name system of the industrial internet to quickly analyze whether the first network protocol address attacks the target DNS node.
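Steps S1 to S3-3 can be sketched as follows. This is an added example, not code from the patent: the per-second sample layout, the function and field names, the registry lookup, and the reading of the DDOS rule as the summed QPS of one IP over two or more nodes in the same second are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Example thresholds quoted in the description (queries per second).
DOS_QPS_THRESHOLD = 100    # one source IP against a single DNS node
DDOS_QPS_THRESHOLD = 2000  # one source IP against several DNS nodes


@dataclass(frozen=True)
class QpsSample:           # assumed record layout: one row per second/node/IP
    ts: datetime
    node: str
    ip: str
    qps: int


@dataclass(frozen=True)
class Finding:             # what step S3 would put on the web page
    ip: str
    kind: str              # "DOS" or "DDOS"
    peak_qps: int
    peak_time: datetime
    nodes: tuple
    province: str
    operator: str


def detect_suspected_sources(samples, start, end, registry,
                             dos_threshold=DOS_QPS_THRESHOLD,
                             ddos_threshold=DDOS_QPS_THRESHOLD):
    """S1: keep samples inside the first preset time period.
    S2: flag IPs whose QPS is strictly greater than the threshold.
    S3: attach peak QPS, its time point and registration information."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for s in samples:
        if start <= s.ts <= end:
            table[s.ip][s.ts][s.node] += s.qps   # ip -> second -> node -> qps

    findings = []
    for ip in sorted(table):
        ddos = dos = None    # best (peak_qps, time, nodes) seen per attack type
        for ts in sorted(table[ip]):
            by_node = table[ip][ts]
            total = sum(by_node.values())
            if (len(by_node) > 1 and total > ddos_threshold
                    and (ddos is None or total > ddos[0])):
                ddos = (total, ts, tuple(sorted(by_node)))
            node, qps = max(by_node.items(), key=lambda kv: kv[1])
            if qps > dos_threshold and (dos is None or qps > dos[0]):
                dos = (qps, ts, (node,))
        hit = ddos or dos    # report the multi-node case when both apply
        if hit is None:
            continue
        province, operator = registry.get(ip, ("unknown", "unknown"))
        findings.append(Finding(ip, "DDOS" if ddos else "DOS",
                                hit[0], hit[1], hit[2], province, operator))
    return findings


T0 = datetime(2023, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed registration data (placeholder values, documentation IP ranges).
CONSTRUCTED_REGISTRY = {
    "198.51.100.7": ("Province-A", "Operator-X"),
    "203.0.113.9": ("Province-B", "Operator-Y"),
}


def constructed_samples():
    """Constructed QPS rows standing in for a node's information storage."""
    def at(sec):
        return T0 + timedelta(seconds=sec)
    rows = [QpsSample(at(s), "node-a", "192.0.2.10", 20) for s in range(5)]
    # Exactly at the threshold: "greater than" means this is not flagged.
    rows.append(QpsSample(at(1), "node-a", "192.0.2.20", 100))
    rows += [QpsSample(at(s), "node-b", "198.51.100.7", q)
             for s, q in enumerate([40, 150, 320, 90])]
    # Outside the time period, so it must not influence the peak.
    rows.append(QpsSample(T0 - timedelta(hours=1), "node-b", "198.51.100.7", 5000))
    for sec, per_node in [(1, (900, 800, 700)), (2, (1000, 900, 800))]:
        rows += [QpsSample(at(sec), n, "203.0.113.9", q)
                 for n, q in zip(("node-a", "node-b", "node-c"), per_node)]
    return rows


if __name__ == "__main__":
    window_end = T0 + timedelta(seconds=10)
    for f in detect_suspected_sources(constructed_samples(), T0, window_end,
                                      CONSTRUCTED_REGISTRY):
        print(f.kind, f.ip, f.peak_qps, f.peak_time.isoformat(),
              f.nodes, f.province, f.operator)
```

A fixed per-IP threshold flags only sources that are individually loud; traffic spread over many addresses that each stay under the threshold produces no finding under this rule.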
In an embodiment of the present disclosure, the method for monitoring the industrial internet node may further include:
Step S4: Perform heartbeat monitoring on the target DNS node. Step S4 may include:
S4-1: Perform heartbeat detection on the target DNS node by using the monitoring node to obtain a first ratio between the number of heartbeat requests responded to by the target DNS node and the total number of heartbeat requests.
The monitoring node can send a plurality of heartbeat detection requests to the target DNS node and record the response state of the target DNS node to each heartbeat detection request. The response state of a heartbeat detection request is either responded or not responded.
The monitoring node counts the total number of heartbeat detection requests and the number of heartbeat requests that were responded to. The ratio of the number of responded heartbeat requests to the total number of heartbeat detection requests is then calculated to obtain the first ratio.
S4-2: and acquiring a second ratio of the target DNS node during the heartbeat detection by using the monitoring node. And the second ratio is the ratio between the query rate per second and the maximum query rate per second of the target DNS node.
The monitoring node can read the maximum query rate per second of the target DNS node during heartbeat detection from the information storage device of the target DNS node and obtain the maximum QPS of the target DNS node. And calculating the ratio of the query rate per second of the target DNS node to the maximum query rate per second to obtain a second ratio. Wherein the maximum QPS of the target DNS node may characterize the maximum capability value of the target DNS node in the QPS dimension. The second ratio may characterize a load rate of the target DNS node in the QPS dimension.
S4-3: if the first ratio is greater than a first preset threshold and the second ratio is greater than a second preset threshold, determining that the heartbeat detection of the target DNS node is successful.
The first preset threshold may be, for example, A%, and the second preset threshold may be, for example, B%, where A and B are each an integer from 1 to 100. When the first ratio is greater than the first preset threshold and the second ratio is greater than the second preset threshold, this indicates that the target DNS node can still maintain a normal heartbeat (i.e., a heartbeat ratio greater than the one corresponding to the first preset threshold) while its load rate is above a certain level (i.e., the load rate corresponding to the second preset threshold), and the heartbeat detection of the target DNS node is determined to be successful; otherwise, the heartbeat detection of the target DNS node is determined to have failed.
In this embodiment, the monitoring node is used to obtain the first ratio and the second ratio of the target DNS node, and if the first ratio is greater than the first preset threshold and the second ratio is greater than the second preset threshold, it can be reasonably determined that the target DNS node still can ensure normal heartbeat when the load factor is higher than a certain load factor, so as to determine that the heartbeat detection of the target DNS node is successful.
In an embodiment of the present disclosure, the method for monitoring the industrial internet node may further include:
Step S5: performing network delay detection on the target DNS node. Step S5 may include:
S5-1: performing network delay detection on the target DNS node by using the monitoring node, to obtain the average network delay of the target DNS node within a second preset time.
The monitoring node sends ping instructions to the target DNS node at a plurality of different moments within the second preset time period and obtains a plurality of network delays from the feedback results of those ping instructions. The average of the plurality of network delays is the average network delay.
S5-2: if the average network delay is smaller than a preset network delay threshold, determining that the network delay detection of the target DNS node is successful.
The preset network delay threshold is determined according to the network bandwidth of the target DNS node. If the average network delay is smaller than the preset network delay threshold, this indicates that the network delay of the target DNS node meets the network delay standard, and the network delay detection of the target DNS node is determined to be successful.
In this embodiment, the monitoring node is used to obtain the average network delay of the target DNS node within a second preset time. If the average network delay is smaller than a preset network delay threshold, this indicates that the network delay of the target DNS node meets the network delay standard, so it can be reasonably determined that the network delay detection of the target DNS node is successful.
In an embodiment of the present disclosure, the method for monitoring the industrial internet node may further include:
Step S6: performing health detection on the target DNS node. Step S6 may include:
S6-1: performing health detection on the target DNS node by using the monitoring node, to obtain the average network delay, the average load rate and the heartbeat request response rate of the target DNS node within a third preset time.
Health detection can be performed along three dimensions: the average network delay, the average load rate and the heartbeat request response rate of the target DNS node within the third preset time. The average load rate is the ratio of the average query rate per second of the target DNS node to its maximum query rate per second, and the heartbeat request response rate is the ratio of the number of heartbeat requests answered by the target DNS node to the total number of heartbeat requests.
S6-2: determining a health detection result of the target DNS node based on the numerical relationship between the average network delay and a preset network delay threshold, the numerical relationship between the average load rate and a preset load rate threshold, and the numerical relationship between the heartbeat request response rate and a preset heartbeat request response rate threshold.
The preset network latency threshold may be one or more. When the preset network delay thresholds are multiple, the numerical values of the multiple preset network delay thresholds are different from each other, and the health value of the target DNS node in the network delay dimension can be determined through the numerical value size relation between the average network delay of the target DNS node and the multiple preset network delay thresholds. When the preset network delay threshold is one, the health value of the target DNS node in the network delay dimension can be determined through the numerical relationship between the average network delay of the target DNS node and the preset network delay threshold.
In one example of the present disclosure, the preset network delay threshold includes a first preset network delay threshold, a second network delay threshold, and a third network delay threshold (denoted as $t_1$, $t_2$ and $t_3$), and [Figure SMS_1], and the health value of the target DNS node in the network delay dimension (denoted as $V_1$) is in the range of 0 to 100. The average network latency of the target DNS node is denoted as $t$.
When $t \le t_1$, $V_1$ = first preset delay health value (e.g. 100);
when [Figure SMS_2], $V_1$ = second preset delay health value (e.g. 80);
when [Figure SMS_3], $V_1$ = third preset delay health value (e.g. 60);
when $t > t_3$, $V_1$ = fourth preset delay health value (e.g. 0).
In another example of the present disclosure, the preset network delay threshold comprises a fourth preset network delay threshold (denoted as $t_4$), and the health value of the target DNS node in the network delay dimension (denoted as $V_1$) is in the range of 0 to 100. The average network latency of the target DNS node is denoted as $t$.
When $t \le t_4$, $V_1$ = fifth preset delay health value (e.g. 100);
when [Figure SMS_4], [Figure SMS_5];
when [Figure SMS_6], $V_1$ = sixth preset latency health value (e.g. 0).
The preset load rate threshold may be one or more. When the preset load rate threshold is multiple, the numerical values of the preset load rate thresholds are different from each other, and the health value of the target DNS node in the network delay dimension can be determined through the numerical value size relationship between the average load rate of the target DNS node and the preset load rate thresholds. When the preset load rate threshold is one, the health value of the target DNS node in the load rate dimension may be determined through a numerical relationship between the average load rate of the target DNS node and the preset load rate threshold.
In one example of the present disclosure, the preset load rate threshold includes a first preset load rate threshold, a second preset load rate threshold and a third preset load rate threshold (denoted as $p_1$, $p_2$ and $p_3$), and [Figure SMS_7], and the health value of the target DNS node in the load rate dimension (denoted as $V_2$) is in the range of 0 to 100. The average load rate of the target DNS node is denoted as $p$.
When $p \le p_1$, $V_2$ = first preset load rate health value (e.g. 100);
when [Figure SMS_8], $V_2$ = second preset load rate health value (e.g. 80);
when [Figure SMS_9], $V_2$ = third preset load rate health value (e.g. 60);
when $p > p_3$, $V_2$ = fourth preset load rate health value (e.g. 0).
In another example of the present disclosure, the predetermined network latency threshold comprises a fourth predetermined network latency threshold (denoted as $p_4$), and the health value of the target DNS node in the network delay dimension (denoted as $V_2$) ranges from 0 to 100. The average network latency of the target DNS node is denoted as $p$.
When $p \le p_4$, $V_1$ = fifth preset load rate health value (e.g. 100);
when [Figure SMS_10], [Figure SMS_11];
when [Figure SMS_12], $V_1$ = sixth preset load rate health value (e.g. 0).
The preset heartbeat request response rate threshold value can be one or more. When the preset heartbeat request response rate threshold is multiple, the numerical values of the multiple preset heartbeat request response rate thresholds are different from each other, and the health value of the target DNS node in the heartbeat request response rate dimension can be determined through the numerical value size relationship between the heartbeat request response rate of the target DNS node and the multiple preset heartbeat request response rate thresholds. When the preset heartbeat request response rate threshold is one, the health value of the target DNS node in the load rate dimension can be determined through the numerical relationship between the heartbeat request response rate of the target DNS node and the preset heartbeat request response rate threshold.
In this embodiment, the monitoring node is used to obtain an average network delay, an average load rate and a heartbeat request response rate of the target DNS node within a third preset time, and a health detection result of the target DNS node can be determined quickly and reasonably according to a numerical relationship between the average network delay and a preset network delay threshold, a numerical relationship between the average load rate and a preset load rate threshold, and a numerical relationship between the heartbeat request response rate and a preset heartbeat request response rate threshold.
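The three-threshold scoring of step S6, as an added Python example that is not part of the patent. The threshold values, the function names and the half-open intervals between $t_1$, $t_2$, $t_3$ (and $p_1$, $p_2$, $p_3$) are assumptions, because the page gives the intermediate ranges only as figures; the page also does not say how the three dimensions are combined, so each is reported separately.

```python
from bisect import bisect_left
from statistics import mean

# Assumed example thresholds; the page only requires that they differ.
DELAY_TIERS_MS = (20.0, 50.0, 100.0)   # t1, t2, t3
LOAD_TIERS = (0.50, 0.70, 0.90)        # p1, p2, p3
TIER_VALUES = (100, 80, 60, 0)         # example health values from the page
RESPONSE_RATE_THRESHOLD = 0.95         # assumed heartbeat response rate threshold


def tier_value(x, thresholds, values=TIER_VALUES):
    """Map a measurement to a health value.

    x <= thresholds[0] gives values[0] and x > thresholds[-1] gives
    values[-1], as on the page. In between, the interval
    thresholds[i-1] < x <= thresholds[i] gives values[i] (assumption).
    """
    if len(values) != len(thresholds) + 1:
        raise ValueError("need exactly one more value than thresholds")
    if any(a >= b for a, b in zip(thresholds, thresholds[1:])):
        raise ValueError("thresholds must be strictly increasing")
    # bisect_left counts the thresholds strictly below x, which is the tier.
    return values[bisect_left(thresholds, x)]


def health_result(delays_ms, qps_samples, max_qps, heartbeat_answered):
    """S6-1 and S6-2 for one observation window (the third preset time)."""
    if not delays_ms or not qps_samples or not heartbeat_answered:
        raise ValueError("every dimension needs at least one sample")
    if max_qps <= 0:
        raise ValueError("maximum QPS must be positive")
    avg_delay = mean(delays_ms)
    avg_load = mean(qps_samples) / max_qps          # average load rate
    response_rate = sum(heartbeat_answered) / len(heartbeat_answered)
    return {
        "avg_delay_ms": avg_delay,
        "avg_load_rate": avg_load,
        "response_rate": response_rate,
        "V1": tier_value(avg_delay, DELAY_TIERS_MS),
        "V2": tier_value(avg_load, LOAD_TIERS),
        # Assumption: "greater than", matching the comparison used in S4-3.
        "response_rate_ok": response_rate > RESPONSE_RATE_THRESHOLD,
    }


# Constructed sample window: delay sits exactly on t1, load exactly on p2,
# and one of ten heartbeat requests went unanswered.
SAMPLE = health_result(
    delays_ms=[18.0, 22.0, 20.0],
    qps_samples=[6000, 8000],
    max_qps=10000,
    heartbeat_answered=[True] * 9 + [False],
)

if __name__ == "__main__":
    print(SAMPLE)
```

Values that land exactly on a threshold fall into the lower (healthier) tier, which follows the page's "less than or equal to" wording for the first tier.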
In an embodiment of the present disclosure, the monitoring method for an industrial internet node may further include:
Step S7: performing analysis delay detection on the target DNS node. Step S7 may include:
S7-1: performing analysis delay detection on the target DNS node by using the monitoring node, to obtain the average analysis delay of the target DNS node.
The monitoring node sends a plurality of DNS resolution requests to the target DNS node and obtains the resolution delay of each request. The average of the resolution delays of these DNS resolution requests is the average analysis delay.
S7-2: if the average analysis delay is smaller than a preset analysis delay threshold, determining that the analysis delay detection of the target DNS node is successful.
The preset analysis delay threshold is determined according to the DNS resolution capability of the target DNS node. If the average analysis delay is smaller than the preset analysis delay threshold, this indicates that the analysis delay of the target DNS node meets the standard, and the analysis delay detection of the target DNS node is determined to be successful.
In this embodiment, the monitoring node is used to obtain the average analysis delay of the target DNS node. If the average network delay is smaller than the preset analysis delay threshold, this indicates that the analysis delay of the target DNS node meets the standard, so it can be reasonably determined that the analysis delay detection of the target DNS node is successful.
In an embodiment of the present disclosure, the method for monitoring the industrial internet node may further include:
If the detection result of a preset detection of the target DNS node is failure, an alarm is raised. The preset detection comprises at least one of heartbeat detection, network delay detection, health detection and analysis delay detection.
The manner of the alarm may include alerting the staff of the industrial internet domain name system through the web page, and may also include sending alarm information through the web page to a terminal (e.g., a mobile terminal) of the staff of the industrial internet domain name system.
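The heartbeat (S4), network delay (S5) and analysis delay (S7) decisions and the alarm step described above, as an added Python example that is not part of the patent. Function names, threshold values and the sample measurements are assumptions; "analysis delay" is the page's term for DNS resolution delay, and probes without a reply are represented as `None`, a case the page does not address.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence


@dataclass(frozen=True)
class Thresholds:
    """Preset thresholds; every value here is an assumed example."""
    heartbeat_ratio: float = 0.90     # first preset threshold (A% = 90%)
    load_ratio: float = 0.30          # second preset threshold (B% = 30%)
    network_delay_ms: float = 50.0    # preset network delay threshold
    analysis_delay_ms: float = 20.0   # preset analysis delay threshold


def heartbeat_check(answered: Sequence[bool], qps: float, max_qps: float,
                    th: Thresholds) -> tuple[bool, float, float]:
    """S4: first ratio = answered / total, second ratio = QPS / max QPS."""
    if not answered:
        raise ValueError("no heartbeat requests were sent")
    if max_qps <= 0:
        raise ValueError("maximum QPS must be positive")
    first = sum(answered) / len(answered)
    second = qps / max_qps
    # S4-3 as stated on the page: both ratios must exceed their thresholds.
    ok = first > th.heartbeat_ratio and second > th.load_ratio
    return ok, first, second


def average_delay_check(samples_ms: Sequence[Optional[float]],
                        threshold_ms: float) -> tuple[bool, Optional[float]]:
    """S5-2 / S7-2: succeed when the average delay is below the threshold.

    Assumption: unanswered probes (None) are left out of the average, and a
    window with no reply at all is a failure.
    """
    replies = [s for s in samples_ms if s is not None]
    if not replies:
        return False, None
    avg = mean(replies)
    return avg < threshold_ms, avg


def run_preset_detections(m: dict, th: Thresholds = Thresholds()) -> dict:
    """Run the three detections on one set of measurements."""
    hb_ok, _, _ = heartbeat_check(m["heartbeats"], m["qps"], m["max_qps"], th)
    net_ok, _ = average_delay_check(m["ping_ms"], th.network_delay_ms)
    res_ok, _ = average_delay_check(m["resolve_ms"], th.analysis_delay_ms)
    return {"heartbeat": hb_ok, "network_delay": net_ok,
            "analysis_delay": res_ok}


def alarms(results: dict) -> list[str]:
    """Alarm step: name every preset detection whose result is failure."""
    return [name for name, ok in results.items() if not ok]


# Constructed measurements for two hypothetical target DNS nodes.
LOADED_NODE = {
    "heartbeats": [True] * 19 + [False],   # 19 of 20 answered
    "qps": 4200, "max_qps": 10000,
    "ping_ms": [12.0, 15.0, None, 18.0],   # one ping got no reply
    "resolve_ms": [8.0, 9.0, 40.0],
}
IDLE_NODE_NO_PING_REPLY = {
    "heartbeats": [True] * 20,
    "qps": 100, "max_qps": 10000,          # load rate 1%
    "ping_ms": [None, None, None],
    "resolve_ms": [8.0, 9.0, 40.0],
}

if __name__ == "__main__":
    for label, m in (("loaded", LOADED_NODE),
                     ("idle", IDLE_NODE_NO_PING_REPLY)):
        print(label, alarms(run_preset_detections(m)))
```

With the condition exactly as stated in S4-3, the idle node fails heartbeat detection even though it answered every heartbeat request, because its load rate does not exceed the second preset threshold.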
Fig. 2 is a block diagram of a monitoring apparatus of an industrial internet node according to an embodiment of the present disclosure. As shown in fig. 2, the monitoring apparatus for an industrial internet node includes:
an acquisition module 100, configured to acquire, by using a monitoring node in a domain name system of an industrial internet, a query rate per second of a target Domain Name System (DNS) node in a first preset time period and a network protocol address that queries the target DNS node in the first preset time period, wherein the monitoring node comprises at least one of an active monitoring node and a passive monitoring node, the active monitoring node acquires information of the target DNS node according to a preset active monitoring rule, and the passive monitoring node acquires information of the target DNS node according to a data acquisition instruction;
the attack determination module 200 is configured to determine that the target DNS node is suspected to be attacked by the first network protocol address if the query rate per second of the first network protocol address in the first preset time period is greater than a preset query rate per second threshold;
a display module 300, configured to display registration information of the first network protocol address, query rate per second information of the first network protocol address, and information of the target DNS node.
In an embodiment of the present disclosure, the display module 300 is configured to obtain registration information of a first network protocol address, where the registration information includes a province and an operator to which the first network protocol address belongs; the display module 300 is further configured to acquire a peak value of the query rate per second of the first network protocol address to the target DNS node within a first preset time period and a time point of the peak value of the query rate per second; the display module 300 is further configured to display, through a web page, the province and operator to which the first network protocol address belongs, a peak query rate per second, a time point, and registration information of the target DNS node.
In one embodiment of the present disclosure, the monitoring apparatus for an industrial internet node further includes:
the heartbeat detection module is used for carrying out heartbeat detection on the target DNS node by using the monitoring node to obtain a first ratio between the response heartbeat request quantity of the target DNS node and the total quantity of the heartbeat requests; the heartbeat detection module is further used for acquiring a second ratio of the target DNS node in the heartbeat detection period by using the monitoring node, wherein the second ratio is the ratio between the query rate per second of the target DNS node and the maximum query rate per second; the heartbeat detection module is further used for determining that the heartbeat detection of the target DNS node is successful if the first ratio is larger than a first preset threshold and the second ratio is larger than a second preset threshold.
In one embodiment of the present disclosure, the monitoring apparatus for an industrial internet node further includes:
the network delay detection module is used for carrying out network delay detection on the target DNS node by using the monitoring node to obtain the average network delay of the target DNS node in a second preset time; the network delay detection module is further used for determining that the network delay detection of the target DNS node is successful if the average network delay is smaller than a preset network delay threshold.
In one embodiment of the present disclosure, the monitoring apparatus of the industrial internet node further includes:
the health detection module is used for performing health detection on the target DNS node by using the monitoring node to obtain an average network delay, an average load rate and a heartbeat request response rate of the target DNS node within a third preset time, wherein the average load rate is a ratio of an average query rate per second to a maximum query rate per second of the target DNS node, and the heartbeat request response rate is a ratio of the number of response heartbeat requests of the target DNS node to the total number of heartbeat requests; the health detection module is further used for determining a health detection result of the target DNS node based on a numerical relationship between the average network delay and a preset network delay threshold, a numerical relationship between the average load rate and a preset load rate threshold, and a numerical relationship between the heartbeat request response rate and a preset heartbeat request response rate threshold.
In one embodiment of the present disclosure, the monitoring apparatus for an industrial internet node further includes:
the analysis delay detection module is used for carrying out analysis delay detection on the target DNS node by using the monitoring node to obtain the average analysis delay of the target DNS node; the analysis delay detection module is further used for determining that the analysis delay detection of the target DNS node is successful if the average analysis delay is smaller than a preset analysis delay threshold.
In one embodiment of the present disclosure, the monitoring apparatus for an industrial internet node further includes:
and the alarm module is used for giving an alarm if the detection result of the preset detection on the target DNS node is failure, wherein the preset detection comprises at least one of heartbeat detection, network delay detection, health detection and analysis delay detection.
It should be noted that the specific implementation of the monitoring apparatus for an industrial internet node in the embodiment of the present disclosure is similar to the specific implementation of the monitoring method for an industrial internet node in the embodiment of the present disclosure. Reference is made to the description of the monitoring method for an industrial internet node, and the details are not repeated here in order to reduce redundancy.
In addition, an embodiment of the present disclosure also provides an electronic device, including:
a memory for storing a computer program;
and a processor, configured to execute the computer program stored in the memory, and when the computer program is executed, implement the monitoring method for the industrial internet node according to any of the above embodiments of the present disclosure.
Fig. 3 is a block diagram of an electronic device in an embodiment of the disclosure. As shown in fig. 3, the electronic device includes one or more processors and memory.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device to perform desired functions.
The memory may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by a processor to implement the monitoring method of the industrial internet node of the various embodiments of the present disclosure described above and/or other desired functions.
In one example, the electronic device may further include: an input device and an output device, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device may also include, for example, a keyboard, a mouse, and the like.
The output device may output various information including the determined distance information, direction information, and the like to the outside. The output devices may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for simplicity, only some of the components of the electronic device relevant to the present disclosure are shown in fig. 3, omitting components such as buses, input/output interfaces, and the like. In addition, the electronic device may include any other suitable components, depending on the particular application.
In addition to the above methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps in the method of monitoring of an industrial internet node according to various embodiments of the present disclosure described in the above section of this specification.
Program code of the computer program product for carrying out operations of embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions, which, when executed by a processor, cause the processor to perform the steps in the monitoring method of an industrial internet node according to various embodiments of the present disclosure described in the above section of this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The foregoing describes the general principles of the present disclosure in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present disclosure are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present disclosure. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the disclosure is not intended to be limited to the specific details so described.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The block diagrams of devices, apparatuses, equipment and systems involved in the present disclosure are only given as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations must be made in the manner shown in the block diagrams. These devices, apparatuses, equipment and systems may be connected, arranged, configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "and" as used herein mean, and are used interchangeably with, the phrase "and/or," unless the context clearly dictates otherwise. The phrase "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
The method and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
It is also noted that in the apparatus, devices, and methods of the present disclosure, various components or steps may be broken down and/or re-combined. These decompositions and/or recombinations are to be considered equivalents of the present disclosure.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the disclosure to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (10)

1. A monitoring method of an industrial internet node is characterized by comprising the following steps:
acquiring a query rate per second of a target DNS node in a first preset time period and a network protocol address for querying the target DNS node in the first preset time period by using a monitoring node in a domain name system of an industrial internet, wherein the monitoring node comprises at least one of an active monitoring node and a passive monitoring node, the active monitoring node acquires information of the target DNS node according to a preset active monitoring rule, and the passive monitoring node acquires the information of the target DNS node according to a data acquisition instruction;
if the query rate per second of a first network protocol address in the first preset time period is larger than a preset query rate per second threshold value, determining that the target DNS node is suspected to be attacked by the first network protocol address;
and displaying the registration information of the first network protocol address, the query rate per second information of the first network protocol address and the information of the target DNS node.
2. The method of claim 1, wherein displaying the registration information of the first network protocol address and the query rate per second information of the first network protocol address comprises:
acquiring registration information of the first network protocol address, wherein the registration information comprises a province and an operator of the first network protocol address;
acquiring a peak value of a query rate per second of the first network protocol address to the target DNS node within the first preset time period and a time point of the peak value of the query rate per second;
and displaying the province and operator of the first network protocol address, the peak value of the query rate per second, the time point and the registration information of the target DNS node through a webpage.
3. The method of claim 1, further comprising:
performing heartbeat detection on the target DNS node by using the monitoring node to obtain a first ratio between the number of response heartbeat requests of the target DNS node and the total number of heartbeat requests;
acquiring a second ratio of the target DNS node in the heartbeat detection period by using the monitoring node, wherein the second ratio is the ratio between the query rate per second of the target DNS node and the maximum query rate per second;
and if the first ratio is greater than a first preset threshold and the second ratio is greater than a second preset threshold, determining that the heartbeat detection of the target DNS node is successful.
4. The method of claim 1, further comprising:
performing network delay detection on the target DNS node by using the monitoring node to obtain the average network delay of the target DNS node in a second preset time;
and if the average network delay is smaller than a preset network delay threshold value, determining that the network delay detection of the target DNS node is successful.
5. The method of claim 1, further comprising:
performing health detection on the target DNS node by using the monitoring node to obtain an average network delay, an average load rate and a heartbeat request response rate of the target DNS node within a third preset time, wherein the average load rate is a ratio of an average query rate per second to a maximum query rate per second of the target DNS node, and the heartbeat request response rate is a ratio of the number of heartbeat requests to which the target DNS node responds to the total number of heartbeat requests;
and determining a health detection result of the target DNS node based on the numerical relationship between the average network delay and a preset network delay threshold value, the numerical relationship between the average load rate and a preset load rate threshold value, and the numerical relationship between the heartbeat request response rate and a preset heartbeat request response rate threshold value.
6. The method of claim 1, further comprising:
performing analysis delay detection on the target DNS node by using the monitoring node to obtain an average analysis delay of the target DNS node;
and if the average analysis delay is smaller than a preset analysis delay threshold value, determining that the analysis delay detection of the target DNS node is successful.
7. The method of any of claims 3-6, further comprising:
and if the detection result of the preset detection of the target DNS node is failure, giving an alarm, wherein the preset detection comprises at least one of heartbeat detection, network delay detection, health detection and analysis delay detection.
8. A monitoring device of an industrial Internet node is characterized by comprising:
an acquisition module, configured to acquire, by using a monitoring node in a domain name system of the industrial internet, the query rate per second of a target DNS node in a first preset time period and a network protocol address used to query the target DNS node in the first preset time period, wherein the monitoring node comprises at least one of an active monitoring node and a passive monitoring node, the active monitoring node acquires the information of the target DNS node according to a preset active monitoring rule, and the passive monitoring node acquires the information of the target DNS node according to a data acquisition instruction;
an attack determination module, configured to determine that the target DNS node is suspected to be attacked by the first network protocol address if a query rate per second of the first network protocol address in the first preset time period is greater than a preset query rate per second threshold;
and the display module is used for displaying the registration information of the first network protocol address, the query rate per second information of the first network protocol address and the information of the target DNS node.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program stored in the memory, and when the computer program is executed, implementing the monitoring method of the industrial internet node according to any one of the claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the method for monitoring an industrial internet node according to any one of claims 1 to 7.
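The per-address threshold of claim 8, the peak and time point of claim 2, and the checks of claims 3, 4, 6 and 7, sketched as an added Python example (not code from the patent). Function names, field names, threshold values, the per-second bucketing and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample: one (unix_second, source_ip) pair per query seen at the target DNS node.
QUERIES = ([(100, "198.51.100.7")] * 40 + [(101, "198.51.100.7")] * 900
           + [(101, "203.0.113.9")] * 12 + [(102, "198.51.100.7")] * 300)
# Constructed probe results for one node, and assumed preset thresholds.
NODE = {"hb_responded": 9, "hb_sent": 10, "qps": 1200, "max_qps": 2000,
        "rtt_ms": [20, 30, 100], "resolve_ms": [5, 7, 9]}
CFG = {"hb_ratio": 0.8, "load_ratio": 0.5, "rtt_ms": 40, "resolve_ms": 10}

def suspected_sources(queries, qps_threshold):
    """Peak QPS and its time point per source; keep sources above the threshold."""
    per_second = Counter(queries)          # (second, ip) -> queries in that second
    peaks = {}
    for (second, ip), count in per_second.items():
        if count > peaks.get(ip, (0, None))[0]:
            peaks[ip] = (count, second)
    return {ip: peak for ip, peak in peaks.items() if peak[0] > qps_threshold}

def heartbeat_ok(responded, sent, qps, max_qps, t1, t2):
    """Claim 3 as written: both ratios must exceed their preset thresholds."""
    if sent == 0 or max_qps == 0:
        return False                       # assumption: no data counts as a failed check
    return responded / sent > t1 and qps / max_qps > t2

def delay_ok(samples_ms, threshold_ms):
    """Claims 4 and 6: the average delay must be below the preset threshold."""
    return bool(samples_ms) and sum(samples_ms) / len(samples_ms) < threshold_ms

def alarms(node, cfg):
    """Claim 7: names of the preset detections that failed for this node."""
    results = {
        "heartbeat": heartbeat_ok(node["hb_responded"], node["hb_sent"],
                                  node["qps"], node["max_qps"],
                                  cfg["hb_ratio"], cfg["load_ratio"]),
        "network_delay": delay_ok(node["rtt_ms"], cfg["rtt_ms"]),
        "analysis_delay": delay_ok(node["resolve_ms"], cfg["resolve_ms"]),
    }
    return sorted(name for name, ok in results.items() if not ok)

if __name__ == "__main__":
    print(suspected_sources(QUERIES, qps_threshold=500))
    print(alarms(NODE, CFG))
```
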
CN202310251221.5A 2023-03-10 2023-03-10 Monitoring method and device for industrial internet node, equipment and medium Pending CN115967582A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310251221.5A CN115967582A (en) 2023-03-10 2023-03-10 Monitoring method and device for industrial internet node, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310251221.5A CN115967582A (en) 2023-03-10 2023-03-10 Monitoring method and device for industrial internet node, equipment and medium

Publications (1)

Publication Number Publication Date
CN115967582A true CN115967582A (en) 2023-04-14

Family

ID=87360271

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310251221.5A Pending CN115967582A (en) 2023-03-10 2023-03-10 Monitoring method and device for industrial internet node, equipment and medium

Country Status (1)

Country Link
CN (1) CN115967582A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883282A (en) * 2015-06-19 2015-09-02 中国互联网络信息中心 Method and system for monitoring DNS server of terminal
CN106888192A (en) * 2015-12-16 2017-06-23 中国移动通信集团江苏有限公司 The method and device that a kind of resistance DNS is attacked
CN108092940A (en) * 2016-11-23 2018-05-29 贵州白山云科技有限公司 The means of defence and relevant device of a kind of DNS
US20200106791A1 (en) * 2018-09-28 2020-04-02 Fireeye, Inc. Intelligent system for mitigating cybersecurity risk by analyzing domain name system traffic metrics
CN115134332A (en) * 2021-03-12 2022-09-30 京东科技控股股份有限公司 Domain name system monitoring method, device, server and storage medium

Similar Documents

Publication Publication Date Title
US10554526B2 (en) Feature vector based anomaly detection in an information technology environment
US20200169579A1 (en) Detection of potential security threats in machine data based on pattern detection
US9900344B2 (en) Identifying a potential DDOS attack using statistical analysis
US10944784B2 (en) Identifying a potential DDOS attack using statistical analysis
US9866573B2 (en) Dynamic malicious application detection in storage systems
US20160164893A1 (en) Event management systems
CN112073389A (en) Cloud host security situation awareness system, method, device and storage medium
US7711518B2 (en) Methods, systems and computer program products for providing system operational status information
CN108809678A (en) A kind of method and server of information push
WO2015000428A1 (en) Data processing method, server and system
CN107026851A (en) A kind of real-time system guard method based on stream data processing
CN116451071A (en) Sample labeling method, device and readable storage medium
CN115967582A (en) Monitoring method and device for industrial internet node, equipment and medium
CN115981969A (en) Monitoring method and device for block chain data platform, electronic equipment and storage medium
CN110955890A (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN113987478A (en) Method and system for detecting and protecting CC attack based on nginx server
CN116192697B (en) Method, device, equipment and medium for monitoring outbound traffic of data analysis system
CN116074218B (en) Pressure test method, device, equipment and medium for identifying analysis node
CN115714662A (en) Processing method of multi-source data, alarm analysis method, device and equipment
CN116938678A (en) Cloud platform operation and maintenance method and device, computer equipment and storage medium
CN117714169A (en) Network attack detection method, system and storage medium
Park et al. User Application Monitoring through Assessment of Abnormal Behaviours Recorded in RAS Logs
CN117955725A (en) Flow monitoring method and device, electronic equipment and storage medium
JP2013171347A (en) Information processing device, server detection method, and program
CN113920698A (en) Early warning method, device, equipment and medium for abnormal interface calling

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230414
