CN116418712A - Detection method, detection device, terminal equipment and computer readable storage medium - Google Patents
Detection method, detection device, terminal equipment and computer readable storage medium Download PDFInfo
- Publication number
- CN116418712A CN116418712A CN202211714658.XA CN202211714658A CN116418712A CN 116418712 A CN116418712 A CN 116418712A CN 202211714658 A CN202211714658 A CN 202211714658A CN 116418712 A CN116418712 A CN 116418712A
- Authority
- CN
- China
- Prior art keywords
- data
- storm
- network
- preset value
- detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 86
- 238000000034 method Methods 0.000 claims abstract description 61
- 230000001629 suppression Effects 0.000 claims description 36
- 230000008569 process Effects 0.000 claims description 20
- 238000004590 computer program Methods 0.000 claims description 19
- 230000006855 networking Effects 0.000 abstract description 11
- 239000010410 layer Substances 0.000 description 24
- 230000006870 function Effects 0.000 description 12
- 238000010586 diagram Methods 0.000 description 9
- 238000012545 processing Methods 0.000 description 9
- 230000003993 interaction Effects 0.000 description 7
- 230000004044 response Effects 0.000 description 5
- 238000004458 analytical method Methods 0.000 description 4
- 238000004891 communication Methods 0.000 description 4
- 230000000903 blocking effect Effects 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000011161 development Methods 0.000 description 3
- 230000005764 inhibitory process Effects 0.000 description 3
- 230000002829 reductive effect Effects 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 238000013480 data collection Methods 0.000 description 2
- 239000002355 dual-layer Substances 0.000 description 2
- 238000001914 filtration Methods 0.000 description 2
- 230000000670 limiting effect Effects 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 241000272814 Anser sp. Species 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002401 inhibitory effect Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 230000002035 prolonged effect Effects 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
- 125000006850 spacer group Chemical group 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Algebra (AREA)
- Environmental & Geological Engineering (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Pure & Applied Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application is applicable to the field of data detection, and provides a detection method, a detection device, a terminal device and a computer readable storage medium method, comprising the following steps: acquiring first data, wherein the first data represents the message statistics number of a target network in a statistics period obtained through a first circuit, the first circuit is a field programmable gate array circuit, second data is acquired, the second data represents the message statistics number of the target network in the statistics period obtained through a driving layer of the target network, and a network storm of the target network is detected according to the first data and the second data, so that a detection result is obtained. By the method, the capability of each group of network equipment for resisting the network storm can be improved, the networking equipment can be ensured to restrain the storm, and the equipment can be ensured to normally operate.
Description
Technical Field
The application belongs to the field of data detection, and particularly relates to a detection method, a detection device, terminal equipment and a computer readable storage medium.
Background
With the rapid development of network technology, various industries gradually enter a networking and intelligent era. The network provides great convenience for life and work of people, but the network also has certain influence on people, such as network blocking, large-area network disconnection of a system and the like caused by occurrence of network storm in the intelligent substation, and the safe operation of the intelligent substation is seriously influenced.
In the current method for suppressing the network storm, the statistical number of the messages is inaccurate due to the fact that storm messages are not received in time or the processing process is too complicated, and the like, so that the detection precision of the network storm is affected.
Disclosure of Invention
The embodiment of the application provides a detection method, a detection device, terminal equipment and a computer readable storage medium, which can improve the detection precision of a network storm, thereby ensuring that the network equipment can normally operate.
In a first aspect, an embodiment of the present application provides a detection method, including:
acquiring first data, wherein the first data represents the message statistics number of a target network in a statistics period obtained through a first circuit, and the first circuit is a field programmable gate array circuit;
acquiring second data, wherein the second data represents the message statistical number of the target network in the statistical period obtained through a driving layer of the target network;
and detecting the network storm of the target network according to the first data and the second data, and obtaining a detection result.
In the embodiment of the application, the network storm is detected by comprehensively considering the actual processing message statistical number and the message statistical number obtained by the programmable logic gate array circuit through the message statistical number of the target network in the statistical period obtained by the programmable logic gate array circuit and the message statistical number of the target network in the statistical period obtained by the driving layer. By the method, the software and the hardware are combined, so that the message can be accurately counted, the condition of missing statistics and the like in a storm can be avoided, and the occurrence probability of missing report and the like in the storm can be greatly reduced.
In a possible implementation manner of the first aspect, the detecting a network storm of the target network according to the first data and the second data, to obtain a detection result, includes:
performing first detection according to the first data to obtain a first result;
and if the first result indicates that the network storm is not detected and the first data is larger than a first preset value, performing second detection according to the first data and the second data to obtain a second result, wherein the first preset value indicates the minimum number of received messages for suppressing the target network open storm in a statistical period.
In a possible implementation manner of the first aspect, the performing a first detection according to the first data to obtain a first result includes:
if the first data is larger than a second preset value, the first result indicates that a network storm is detected;
if the first data is smaller than or equal to a second preset value, the first result indicates that no network storm is detected, and the second preset value indicates the maximum number of messages which can be transmitted by the target network in the statistical period.
In a possible implementation manner of the first aspect, the performing a second detection according to the first data and the second data to obtain a second result includes:
if the difference between the first data and the second data is larger than a third preset value, the second result indicates that a network storm is detected;
and if the difference value between the first data and the second data is smaller than or equal to a third preset value, the detection result indicates that no network storm is detected.
In a possible implementation manner of the first aspect, the method further includes:
and when a network storm is detected, controlling the first circuit to carry out storm suppression.
In a possible implementation manner of the first aspect, the controlling the first circuit to perform storm suppression includes:
updating a fourth preset value, wherein the fourth preset value is the maximum number of messages which can be received by the target network when storm suppression is released in the storm suppression process, and the updated fourth preset value is compared with the fourth preset value before update;
and controlling the first circuit to carry out storm suppression according to the updated fourth preset value.
In a possible implementation manner of the first aspect, the method further includes:
when the target network is in a storm suppression state, acquiring third data, wherein the third data represents the message statistical number of the target network in the statistical period obtained through the first circuit;
and if the third data is smaller than the fourth preset value, controlling the first circuit to release storm suppression.
In a second aspect, embodiments of the present application provide a detection apparatus, including:
the acquisition unit is used for acquiring first data, wherein the first data represents the statistical number of messages of a target network in a period, which is acquired through a first circuit, and the first circuit is a field programmable gate array circuit;
the generating unit is used for acquiring second data, wherein the second data represents the message statistical number of the target network in the statistical period obtained through the driving layer of the target network;
and the detection unit is used for detecting the network storm of the target network according to the first data and the second data, and obtaining a detection result.
In a third aspect, an embodiment of the present application provides a terminal device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the detection method according to any one of the first aspects when the processor executes the computer program.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, implements a detection method as in any one of the first aspects above.
In a fifth aspect, embodiments of the present application provide a computer program product, which, when run on a terminal device, causes the terminal device to perform the detection method according to any one of the first aspects above.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect, and are not described here again.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required for the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a detection system according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of dual-layer storm identification according to an embodiment of the application;
FIG. 3 is a flow chart of detection result determination according to an embodiment of the present application;
FIG. 4 is a diagram of normal interactive message features provided in an embodiment of the present application;
FIG. 5 is a diagram of storm message characteristics according to an embodiment of the present application;
FIG. 6 is a block diagram of a detection device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a terminal device provided in an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when..once" or "in response to a determination" or "in response to detection" depending on the context. Similarly, the phrase "if a determination" or "if a [ described condition or event ] is detected" may be interpreted in the context of meaning "upon determination" or "in response to determination" or "upon detection of a [ described condition or event ]" or "in response to detection of a [ described condition or event ]".
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise.
Along with the rapid development of network intelligence, the network brings great influence to the development of intelligent substations, such as the network brings convenience such as data sharing to the intelligent substations, but also brings certain influence to the safe and reliable operation of the intelligent substations, wherein the damage brought by network storm is serious. On one hand, network storm can cause network blocking, large-area network breaking of a system and the like, on the other hand, the network storm can also impact all networking equipment in a process layer and a spacer layer, so that a network card receiving buffer zone overflows, a large amount of CPU resources are occupied, and software programs of all networking equipment are halted or restarted, so that safe and stable operation of an intelligent substation is seriously influenced.
Aiming at the problems caused by networking, the main measures adopted include improving the quality of networking equipment such as switches, or reducing the probability of network storm caused by network equipment faults. By adopting effective measures, the capability of each networking device for resisting network storm can be improved, the networking device can inhibit the storm, the device can normally operate, and the core function is reserved.
At present, the suppression method adopted for the network storm mainly adopts a driving layer to count messages, the driving layer needs to judge whether the messages are storm messages or not and then process the storm messages, the driving layer is generally untimely, the device can be caused to have a clamping condition, and the operation of a system even normal service functions can be influenced along with the increase of the CPU (central processing unit) duty ratio.
At present, storm messages are of various kinds, such as TCP, ICMP, GOOSE, ARP and other common messages, but the process of adopting a driving layer to count network messages needs to be independently processed for different messages, so that the processing process is more complicated.
In order to solve the defects in the prior art, the embodiment of the application provides a detection method. In the embodiment of the application, the double-layer storm identification strategy is introduced by combining software and hardware, so that the storm can be restrained after the storm is detected, and the running reliability of networking equipment can be improved.
Referring to fig. 1, a schematic flow chart of a detection system according to an embodiment of the present application is shown. By way of example, and not limitation, the method includes the steps of:
step S101, obtaining first data, wherein the first data represent the message statistics number of a target network in a statistics period obtained through a first circuit, and the first circuit is a field programmable gate array circuit.
In the embodiment of the application, the field programmable gate array (Filed Programmable gate array, FPGA) is a product developed further on the basis of a programmable device, and is a semi-custom circuit in the field of application-specific integrated circuits, which has a very high integration level, and can complete extremely complex timing and combination logic circuits. The FPGA can be simply understood as a hardware circuit, and because the FPGA is used as the hardware circuit and has the function of supporting dynamic configuration, the FPGA is adopted to acquire the data in the network, and the influence of the system and normal service functions can be reduced by adopting the hardware to acquire the data.
And acquiring data (namely first data) in the target network by using the FPGA, wherein the data is mainly network messages in a statistical period. Network messages refer to data units exchanged and transmitted in the network, i.e. data blocks to be sent by a station at one time. The message contains the complete data information to be sent, and has inconsistent length and unlimited and variable length.
The hardware FPGA is adopted to obtain the message statistics number of the target network in the statistics period, and the FPGA can enable the functions of message deduplication, MAC flow control, IP filtration and the like according to actual requirements. Firstly, the hardware FPGA identifies and filters repeated messages through message repeated processing logic; and secondly, performing MAC flow control according to the configured flow control enabling, the network port total flow limit and the MAC white list, and finally performing IP filtering by adopting the configured IP white list, namely only processing messages sent by the IP in the white list. After the configurable function is executed, the FPGA initializes the FPGA message counting, and reads the current FPGA message counting after the sampling time is reached, so that the number of message counting in a counting period, namely the first data, can be set as Cf.
Step S102, obtaining second data, wherein the second data represents the message statistical number of the target network in the statistical period obtained through the driving layer of the target network.
In the embodiment of the application, the driving layer consists of a hardware abstraction layer, a board level support packet and a driving program, is an important part which cannot be obtained in the embedded system, and has the function of providing an operation interface of external equipment for the upper layer program, realizing the driving program of the equipment and enabling the upper layer program to call the driving interface.
The driving layer contains a driving program generated in the running process of the network equipment, and the statistical number of the messages in the statistical period of the target network, namely second data, which can be marked as Cd, can be obtained by reading the program in the driving layer. The statistics period represents a data collection period set by the number of the network messages, and because the message data is updated in real time, the collection period needs to be set for data collection and analysis, and the statistics data period can be set according to experience.
And step S103, detecting the network storm of the target network according to the first data and the second data, and obtaining a detection result.
In the embodiment of the application, since the software algorithm adopts a double-layer network storm detection strategy, under the condition of normal interaction message and storm, network storm detection results are obtained by carrying out network storm detection on the number of messages obtained according to the FPGA and the number of messages obtained according to the driving layer, the detection results show that the detection data are two results of network storm and undetected network storm, and further analysis is carried out on the detected results and corresponding measures are implemented. By the method, the number of messages in the period can be counted more accurately, and the situation that statistics is missed under the storm condition is avoided.
In one embodiment, referring to fig. 2, a schematic diagram of a dual-layer network storm detection flow provided in one embodiment of the present application is shown in fig. 2, and an implementation manner of step S103 includes:
step S201, performing a first detection according to the first data, to obtain a first result.
Step 202, if the first result indicates that no network storm is detected and the first data is greater than a first preset value, performing a second detection according to the first data and the second data to obtain a second result, where the first preset value indicates a minimum number of received messages for suppressing the target network open storm in a statistical period.
In this embodiment, after the software algorithm obtains the packet statistics data by the hardware FPGA, a first storm detection is performed, that is, a first preset value is set in the process, where the first preset value represents the minimum packet number Cmin of the target network in the statistics period, and the value is obtained by performing experimental test and empirical analysis.
If the network storm is detected for the first time, the detected result indicates that the network storm is not detected, and the number of messages in a period obtained through the hardware FPGA is larger than the Cmin obtained through experimental test or empirical analysis, at the moment, the network storm is detected for the second time, and the second detection result is analyzed.
By the method, the characteristics of the network storm can be accurately extracted and the storm can be identified by adopting the method for detecting the double-layer network storm, accurate data can be provided for suppressing the network storm, and the method is beneficial to improving the operation reliability of networking equipment.
In one embodiment, one implementation of step S201 includes:
if the first data is larger than a second preset value, the first result indicates that a network storm is detected;
if the first data is smaller than or equal to a second preset value, the first result indicates that no network storm is detected, and the second preset value indicates the maximum number of messages which can be transmitted by the target network in the statistical period.
In this embodiment, after a first detection is performed on the counted number of messages in a period obtained by the FPGA, an obtained detection result is analyzed, in this process, a second preset value is set, where the second preset value represents a maximum number Cmax of messages that can be transmitted by the target network in the counted period, and the value is also obtained through experimental test or empirical analysis, in the first detection result, if the counted number Cf of the periodic messages, that is, the first data is greater than the maximum number Cmax of messages, it is determined that the detection result is a network storm, and at this time, the network storm needs to be suppressed. Also, the first data being less than or equal to the maximum number of messages indicates that no network storm is detected, and implementation of step S202 is required.
By the method, the detection result can be accurately represented in the first-layer network storm detection process, and whether secondary detection is needed or not can be accurately judged.
In one embodiment, referring to fig. 3, a flow chart of determining a detection result provided in one embodiment of the present application is shown in fig. 3, and an implementation manner of step S203 further includes:
in step S301, if the difference between the first data and the second data is greater than a third preset value, the second result indicates that a network storm is detected.
In step S302, if the difference between the first data and the second data is less than or equal to a third preset value, the second result indicates that no network storm is detected.
In this embodiment, if the first layer does not detect a network storm and the number Cf of messages in the statistical period, that is, the first data, is greater than Cmin, then the second network storm detection is performed. At this time, the statistical number Cd (i.e., the second data) of the messages to be read, and if the difference between Cf and Cd is greater than the set value Δd, the message is considered as a storm message. In this process, a third preset value Δd needs to be set, and the third preset value may be set according to a difference value between the first data and the second data.
In the second layer network storm detection, a certain message does not need to be processed separately, see fig. 4, which is a message feature diagram of normal message interaction provided in an embodiment of the present application, as shown in fig. 4. The normal interaction message is discussed in the following three cases:
(1) The TCP message is impossible to be sent endlessly by the sending end due to the sliding window, so that the statistics of the FPGA message is basically consistent with the statistics of the message processed in the driving.
(2) The UDP message is mainly applied to daily business communication, and the mechanism is a question-to-answer, so that the statistics of the FPGA message is basically consistent with the statistics of the message processed in the driving.
(3) ICMP type message mechanism is also a question and answer, answer or overtime can continue the next frame, the overtime time is generally not considered in the second level; only the one-to-one condition is considered, so that the FPGA message statistics and the message statistics processed in the driving are basically consistent.
From the above scenario and as shown in fig. 4, under the condition of three normal interaction messages, statistics of FPGA messages and statistics of messages already processed in the driving are basically identical, and normal interaction message characteristics are determined. Meanwhile, specific messages can be omitted, and certain messages do not need to be processed independently, so that processing codes are simplified greatly. In a storm situation, network storm messages are typically sent to the device periodically at certain intervals, and such messages are characterized in that: the transmission is continued regardless of the response of the device.
In one embodiment, referring to fig. 5, a feature diagram of a storm message provided in an embodiment of the application is shown in fig. 5. Under the storm condition, the message statistics count of the FPGA and the message statistics processed in the driving have larger difference, so that the difference between the normal interaction message and the storm message is the difference between the message statistics count of the FPGA and the message statistics processed in the driving, and the network storm is determined if the difference is too large.
Through the method, the second storm identification is realized by means of the hardware FPGA, and the condition of storm report missing can be effectively avoided.
In one embodiment, a detection method further comprises:
and when a network storm is detected, controlling the first circuit to carry out storm suppression.
Updating a fourth preset value, wherein the fourth preset value is the maximum number of messages which can be received by the target network when the storm suppression is released in the storm suppression process, and the fourth preset value after updating is compared with the fourth preset value before updating;
and controlling the first circuit to carry out storm suppression according to the updated fourth preset value.
In this embodiment of the present application, when the detection result indicates that the network storm is detected by the first or second storm, the first circuit, that is, the FPGA, needs to be controlled to perform storm suppression, and before storm suppression, a fourth preset value needs to be set first, which indicates the maximum number of messages Cs allowed to be transmitted by the target network in the statistics period.
Optionally, the fourth preset value may be set to half of the original value in the storm suppressing process, that is, the updated fourth preset value is half of the fourth preset value before updating. By the method, the time for eliminating the storm suppression of the FPGA can be prolonged, the storm message is prevented from being received again by eliminating the suppression too quickly, and finally, the relevant counter is cleared, so that the statistics period is restarted.
It is to be understood that the proportional relationship between the fourth preset value after updating and the fourth preset value before updating may be set according to actual needs, which is not limited herein. The smaller the updated fourth preset value is, the longer the storm suppressing time is; the larger the updated fourth preset value is, the shorter the storm suppressing time is.
By the method, the inhibition condition of the network storm can be observed in real time in the process of inhibiting the network storm, and the inhibition condition can be relieved when the storm inhibition is finished.
In one embodiment, a detection method further comprises:
when the target network is in a storm suppression state, acquiring third data, wherein the third data represents the message statistical number of the target network in the statistical period obtained through the first circuit;
and if the third data is smaller than the fourth preset value, controlling the first circuit to release storm suppression.
In this embodiment of the present application, after the FPGA suppresses the network storm, the suppression state needs to be released to ensure that the communication function runs normally, first, it is determined whether the network port is in the suppression state, if yes, the number of messages of the target network in the period, that is, third data, is counted, and if the third data is smaller than the fourth preset value, the completion of the storm is indicated, and the FPGA may be enabled to release the storm suppression.
The application provides a network storm suppression method based on software and hardware combination. The method comprises the steps of detecting the number of messages in a statistical period obtained by the aid of the hardware FPGA and the number of messages obtained by a driving layer, if a first detection result shows a network storm, suppressing the storm by the aid of the FPGA, and if the network storm is not detected, detecting the network storm for the second time by means of data obtained by storm characteristics and further working.
In the method, the method is not only dependent on the number of the driving statistical messages, and the message counter of the hardware FPGA is adopted for counting the messages, so that the influence on the system and normal service function operation is reduced while the device blocking condition caused by the driving layer statistical messages is relieved, and data is provided for software algorithm identification and storm suppression. The method also effectively reduces the occurrence of the conditions of message missing statistics, storm missing report and the like, improves the storm resistance of the equipment, and has great significance for improving the working reliability of networking equipment.
It should be understood that the sequence number of each step in the foregoing embodiment does not mean that the execution sequence of each process should be determined by the function and the internal logic of each process, and should not limit the implementation process of the embodiment of the present application in any way.
Corresponding to the detection method described in the above embodiments, fig. 5 is a block diagram of the detection apparatus provided in the embodiment of the present application, and for convenience of explanation, only the portion related to the embodiment of the present application is shown.
Referring to fig. 6, the apparatus includes:
an obtaining unit 61, configured to obtain first data, where the first data represents a packet statistics number of a target network in a period obtained by a first circuit, and the first circuit is a field programmable gate array circuit;
a generating unit 62, configured to obtain second data, where the second data represents a statistical number of packets of the target network in the statistical period obtained by the driving layer of the target network;
and a detection unit 63, configured to detect a network storm of the target network according to the first data and the second data, and obtain a detection result.
Optionally, the detection unit 63 is further configured to:
performing first detection according to the first data to obtain a first result;
and if the first result indicates that the network storm is not detected and the first data is larger than a first preset value, performing second detection according to the first data and the second data to obtain a second result, wherein the first preset value indicates the minimum number of received messages for suppressing the target network open storm in a statistical period.
Optionally, the detection unit 63 is further configured to:
if the first data is larger than a second preset value, the first result indicates that a network storm is detected;
and detecting a network storm, wherein the second preset value represents the maximum number of messages which can be transmitted by the target network in the statistical period.
Optionally, the detection unit 63 is further configured to:
if the difference between the first data and the second data is larger than a third preset value, the second result indicates that a network storm is detected;
and if the difference value between the first data and the second data is smaller than or equal to a third preset value, the second result indicates that no network storm is detected.
Optionally, the detection unit 63 is further configured to:
and when a network storm is detected, controlling the first circuit to carry out storm suppression.
Optionally, the detection unit 63 is further configured to:
updating a fourth preset value, wherein the fourth preset value is the maximum number of messages which can be received by the target network when storm suppression is released in the storm suppression process, and the updated fourth preset value is compared with the fourth preset value before update;
and controlling the first circuit to carry out storm suppression according to the updated fourth preset value.
Optionally, the detection unit 63 is further configured to:
when the target network is in a storm suppression state, acquiring third data, wherein the third data represents the message statistical number of the target network in the statistical period obtained through the first circuit;
and if the third data is smaller than the fourth preset value, controlling the first circuit to release storm suppression.
It should be noted that, because the content of information interaction and execution process between the above devices/units is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be referred to in the method embodiment section, and will not be described herein again.
In addition, the detection device shown in fig. 6 may be a software unit, a hardware unit, or a unit combining soft and hard, which are built in an existing terminal device, or may be integrated into the terminal device as an independent pendant, or may exist as an independent terminal device.
Fig. 7 is a schematic structural diagram of a terminal device provided in an embodiment of the present application. As shown in fig. 7, the terminal device 7 of this embodiment includes: at least one processor 70 (only one of which is shown in 70), a memory 71 and a computer program 72 stored in the memory 51 and executable on the at least one processor 70, the processor 70 implementing the steps in any of the various control method embodiments described above when executing the computer program 72.
The terminal equipment can be computing equipment such as a desktop computer, a notebook computer, a palm computer, a cloud server and the like. The terminal device may include, but is not limited to, a processor, a memory. It will be appreciated by those skilled in the art that fig. 7 is merely an example of the terminal device 7 and is not limiting of the terminal device 7, and may include more or fewer components than shown, or may combine certain components, or different components, such as may also include input-output devices, network access devices, etc.
The processor 70 may be a central processing unit (Central Processing Unit, CPU) and the processor 70 may be any other general purpose processor, digital signal processor (Digital SignalProcessor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 51 may in some embodiments be an internal storage unit of the terminal device 7, such as a hard disk or a memory of the terminal device 5. The memory 71 may in other embodiments also be an external storage device of the terminal device 5, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the terminal device 7. Further, the memory 51 may also include both an internal storage unit and an external storage device of the terminal device 7. The memory 51 is used for storing an operating system, application programs, boot Loader (Boot Loader), data, other programs, etc., such as program codes of the computer program. The memory 71 may also be used for temporarily storing data that has been output or is to be output.
Embodiments of the present application also provide a computer readable storage medium storing a computer program, which when executed by a processor, may implement the steps in the above-described method embodiments.
The embodiments of the present application provide a computer program product which, when run on a terminal device, causes the terminal device to perform the steps of the method embodiments described above.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application implements all or part of the flow of the method of the above embodiments, and may be implemented by a computer program to instruct related hardware, where the computer program may be stored in a computer readable storage medium, where the computer program, when executed by a processor, may implement the steps of each of the method embodiments described above. Wherein the computer program comprises computer program code which may be in source code form, object code form, executable file or some intermediate form etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code to an apparatus/terminal device, recording medium, computer Memory, read-Only Memory (ROM), random access Memory (RAM, random Access Memory), electrical carrier signals, telecommunications signals, and software distribution media. Such as a U-disk, removable hard disk, magnetic or optical disk, etc. In some jurisdictions, computer readable media may not be electrical carrier signals and telecommunications signals in accordance with legislation and patent practice.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and in part, not described or illustrated in any particular embodiment, reference is made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other manners. For example, the apparatus/terminal device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.
Claims (10)
1. A method of detection comprising:
acquiring first data, wherein the first data represents the message statistics number of a target network in a statistics period obtained through a first circuit, and the first circuit is a field programmable gate array circuit;
acquiring second data, wherein the second data represents the message statistical number of the target network in the statistical period obtained through a driving layer of the target network;
and detecting the network storm of the target network according to the first data and the second data, and obtaining a detection result.
2. The method of detecting according to claim 1, wherein the detecting the network storm of the target network according to the first data and the second data, to obtain the detection result, includes:
performing first detection according to the first data to obtain a first result;
and if the first result indicates that the network storm is not detected and the first data is larger than a first preset value, performing second detection according to the first data and the second data to obtain a second result, wherein the first preset value indicates the minimum number of received messages for suppressing the target network open storm in a statistical period.
3. The method of detecting according to claim 2, wherein the performing the first detection based on the first data to obtain a first result includes:
if the first data is larger than a second preset value, the first result indicates that a network storm is detected;
if the first data is smaller than or equal to a second preset value, the first result indicates that no network storm is detected, and the second preset value indicates the maximum number of messages which can be transmitted by the target network in the statistical period.
4. The method of detecting according to claim 2, wherein said performing a second detection based on said first data and said second data to obtain a second result comprises:
if the difference between the first data and the second data is larger than a third preset value, the second result indicates that a network storm is detected;
and if the difference value between the first data and the second data is smaller than or equal to a third preset value, the second result indicates that no network storm is detected.
5. The method of detection according to any one of claims 1 to 4, further comprising:
and when a network storm is detected, controlling the first circuit to carry out storm suppression.
6. The method of detecting as in claim 5, wherein said controlling said first circuit for storm suppression comprises:
updating a fourth preset value, wherein the fourth preset value is the maximum number of messages which can be received by the target network when storm suppression is released in the storm suppression process, and the updated fourth preset value is compared with the fourth preset value before update;
and controlling the first circuit to carry out storm suppression according to the updated fourth preset value.
7. The method of detection of claim 6, wherein the method further comprises:
when the target network is in a storm suppression state, acquiring third data, wherein the third data represents the message statistical number of the target network in the statistical period obtained through the first circuit;
and if the third data is smaller than the fourth preset value, controlling the first circuit to release storm suppression.
8. A control apparatus, characterized by comprising:
the acquisition unit is used for acquiring first data, wherein the first data represents the statistical number of messages of a target network in a period, which is acquired through a first circuit, and the first circuit is a field programmable gate array circuit;
the generating unit is used for acquiring second data, wherein the second data represents the message statistical number of the target network in the statistical period obtained through the driving layer of the target network;
and the detection unit is used for detecting the network storm of the target network according to the first data and the second data, and obtaining a detection result.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 7 when executing the computer program.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211714658.XA CN116418712A (en) | 2022-12-26 | 2022-12-26 | Detection method, detection device, terminal equipment and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211714658.XA CN116418712A (en) | 2022-12-26 | 2022-12-26 | Detection method, detection device, terminal equipment and computer readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116418712A true CN116418712A (en) | 2023-07-11 |
Family
ID=87053832
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211714658.XA Pending CN116418712A (en) | 2022-12-26 | 2022-12-26 | Detection method, detection device, terminal equipment and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116418712A (en) |
-
2022
- 2022-12-26 CN CN202211714658.XA patent/CN116418712A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102769549A (en) | Network security monitoring method and device | |
| US11444861B2 (en) | Method and apparatus for detecting traffic | |
| CN110944016B (en) | DDoS attack detection method, device, network equipment and storage medium | |
| CN106790299B (en) | Wireless attack defense method and device applied to wireless Access Point (AP) | |
| CN110650060A (en) | Processing method, equipment and storage medium for flow alarm | |
| CN106788888B (en) | Method and system for improving communication success rate of android mobile terminal in weak network environment | |
| CN111813638A (en) | Alarm information processing method and device and terminal equipment | |
| CN111949511A (en) | Application program pause processing method and device, terminal and storage medium | |
| CN1578231A (en) | Technique of detecting denial of service attacks | |
| CN109815702B (en) | Software behavior safety detection method, device and equipment | |
| CN114363062A (en) | Domain name detection method, system, equipment and computer readable storage medium | |
| CN116418712A (en) | Detection method, detection device, terminal equipment and computer readable storage medium | |
| CN117221085A (en) | Network fault early warning method and device, electronic equipment and storage medium | |
| CN111884883A (en) | Quick auditing processing method for service interface | |
| CN111949512A (en) | Application program jamming detection method and device, terminal and medium | |
| CN112579576B (en) | Data processing method, device, medium and computing equipment | |
| CN113886175A (en) | Hystrix-based distributed system cluster fusing method and distributed system | |
| CN112311760B (en) | Terminal credibility analysis method and device for one-end multi-network environment | |
| CN114240476A (en) | Abnormal user determination method, device, equipment and storage medium | |
| CN107885618B (en) | Data monitoring method, device, equipment and storage medium based on network game | |
| CN112882856A (en) | System maintenance method, apparatus and computer-readable storage medium | |
| CN112689280A (en) | Method for monitoring terminal switching base station and access and mobility management functions | |
| CN112367324B (en) | CDN attack detection method and device, storage medium and electronic equipment | |
| CN113839826B (en) | Method and device for detecting windows terminal and computer readable storage medium | |
| CN116437349B (en) | Method, device, equipment and medium for controlling access to mobile network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |