TWI650986B - Superspreader determination method and system thereof - Google Patents

Superspreader determination method and system thereof Download PDF

Info

Publication number
TWI650986B
TWI650986B TW106125426A TW106125426A TWI650986B TW I650986 B TWI650986 B TW I650986B TW 106125426 A TW106125426 A TW 106125426A TW 106125426 A TW106125426 A TW 106125426A TW I650986 B TWI650986 B TW I650986B
Authority
TW
Taiwan
Prior art keywords
source
packet
data
judgment
short code
Prior art date
Application number
TW106125426A
Other languages
Chinese (zh)
Other versions
TW201911833A (en
Inventor
賴裕昆
特佑 魏
Original Assignee
中原大學
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中原大學 filed Critical 中原大學
Priority to TW106125426A priority Critical patent/TWI650986B/en
Application granted granted Critical
Publication of TWI650986B publication Critical patent/TWI650986B/en
Publication of TW201911833A publication Critical patent/TW201911833A/en

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

一種超級散播者之判斷方法及其系統,係用以判斷出一超級散播者來源位址。依據資料封包之來源位址與目的位址形成來源目的對照資料表,並在藉由來源目的對照資料表判斷出目的位址未對應於來源位址之數量小於數量預設值且判斷資料封包未重複出現時,依據來源位址相同者累計為短碼相同數量。在判斷出短碼相同數量大於基礎數量時,判斷對應於短碼相同數量之來源位址為超級散播者來源位址。 A method and system for judging a super-distributor is used to determine a source address of a super-spreader. According to the source address and the destination address of the data packet, the source data comparison source table is formed, and the source destination comparison data table is used to determine that the destination address does not correspond to the source address and the quantity is less than the preset value and the data packet is not determined. When repeated, the same number of short codes is accumulated according to the same source address. When it is determined that the same number of short codes is greater than the basic number, it is determined that the same number of source addresses corresponding to the short code are the super-spreader source address.

Description

超級散播者之判斷方法及其系統 Super disseminator's judgment method and system thereof

本發明係有關於一種超級散播者之判斷方法及其系統,尤其是指一種藉由來源目的對照資料表與布隆過濾器對資料封包進行篩選之超級散播者之判斷方法及其系統。 The invention relates to a method for judging a super-distributor and a system thereof, in particular to a method and system for judging a super-distributor for screening a data packet by a source purpose comparison data table and a bloom filter.

從八零年代個人電腦開始普及以來,資訊的傳遞變得越來越便利、快速與便宜。人們為了尋求一種更快捷的通訊方式,發展出了現在人們所使用的網際網路。網路的發展促使了各類網路軟體蓬勃發展,即時通訊軟體與電郵令分隔兩地的人可以於短時間內實現通訊。因而突破了地域、距離、與意識形態的限制,使人們能接觸到各種思想與文化。其中,網際網路使得資訊得以即時性地傳遞至目的。 Since the popularity of personal computers in the 1980s, the transmission of information has become more convenient, faster and cheaper. In order to find a faster way to communicate, people have developed the Internet that people use today. The development of the Internet has led to the development of various types of Internet software. Instant messaging software and e-mails enable people in two places to communicate in a short period of time. Thus breaking through the limits of geography, distance, and ideology, so that people can access a variety of ideas and culture. Among them, the Internet enables information to be delivered to the purpose in an instant.

然而,在現今資訊發達的年代,某些資訊傳播者利用資訊傳播的便利性與快捷性將資料大量地傳輸至大量不同的目的端。因此,我們將這些將資料大量地傳輸至大量不同的目的端的人稱作為超級散播者 (Superspreader)。其中,這些超級散播者可能包含廣告業者或駭客。廣告業者為了要讓廣告資訊為大眾所知悉,因此會藉由電子郵件或即時訊息將廣告資訊傳遞給社會大眾。然而,現代人因為資訊傳遞的發達,每天會接收到大量的資訊。因此,在一般狀況下,廣告業者所傳遞的廣告資訊會被人們視為垃圾訊息,不僅占用儲存空間,且需要浪費時間去瀏覽資訊內容。 However, in today's information-rich era, some information disseminators use the convenience and speed of information dissemination to transmit large amounts of information to a large number of different destinations. Therefore, we call these people who transmit a large amount of data to a large number of different destinations as super-distributors. (Superspreader). Among them, these super-distributors may include advertisers or hackers. In order to make the advertising information known to the public, the advertising company will pass the advertising information to the public through email or instant message. However, modern people receive a lot of information every day because of the development of information transmission. Therefore, under normal circumstances, the advertising information transmitted by the advertising industry will be regarded as spam by people, which not only takes up storage space, but also wastes time to browse the information content.

另外,駭客為了竊取人們的個人資料或其他目的,會將病毒、蠕蟲、木馬程式或其他惡意程式傳遞給大量的網路使用者。網路使用者在無意間接收到並啟動這些病毒、蠕蟲、木馬程式或其他惡意程式後,個人資料或個人電腦程式會因為這些病毒、蠕蟲、木馬程式或其他惡意程式而遭到竊取或破壞,而蒙受難以挽回的損失。 In addition, hackers will pass viruses, worms, Trojans or other malicious programs to a large number of Internet users in order to steal people's personal data or other purposes. After a network user has inadvertently received and activated these viruses, worms, Trojans or other malicious programs, personal data or personal computer programs may be stolen due to these viruses, worms, Trojans or other malicious programs. Destroy and suffer irreparable damage.

資安公司為了偵測這些超級散播者的來源位址,會藉由一個大容量的資料庫儲存每個接收到的資料封包,並一一分析這些封包的來源位址與目的位址,藉以判斷出超級散播者的來源位址。但由於超級散播者會傳遞大量的封包,因此需要不斷地購置硬碟或其他儲存模組來儲存這些資料封包,並需要購買運算能力較佳的硬體來進行解析與判斷,因此需要支出大量的開銷。 In order to detect the source address of these super-spreaders, the security company will store each received data packet through a large-capacity database and analyze the source and destination addresses of these packets one by one to judge The source address of the super-spreader. However, since the super-spreader will transmit a large number of packets, it is necessary to continuously purchase a hard disk or other storage module to store the data packets, and it is necessary to purchase a hardware with better computing power for parsing and judgment, so that a large amount of expenditure is required. Overhead.

有鑒於在先前技術中,需要不斷地購置硬 碟或其他儲存模組來儲存資料封包,且需要購買運算能力較佳的硬體來進行解析與判斷,因而需要支出大量的開銷之問題。 In view of the prior art, it is necessary to continuously purchase hard Discs or other storage modules store data packets, and need to purchase hardware with better computing power for parsing and judgment, thus requiring a large amount of overhead.

本發明為解決先前技術之問題,所採用之必要技術手段為提供一種超級散播者之判斷方法。超級散播者之判斷方法用以判斷出一超級散播者來源位址。首先,接收複數個資料封包,並解析出複數個分別對應於資料封包之來源位址與複數個分別對應於資料封包之目的位址。接著,將各來源位址與各目的位址換算成複數個目的短碼,並將各來源位址換算成複數個第一來源短碼。 The present invention solves the problems of the prior art, and the necessary technical means adopted is to provide a method for judging a super-distributor. The method of judging by the super-distributor is used to determine the source address of a super-spreader. First, receiving a plurality of data packets, and parsing a plurality of source addresses respectively corresponding to the data packets and a plurality of destination addresses respectively corresponding to the data packets. Then, each source address and each destination address are converted into a plurality of destination short codes, and each source address is converted into a plurality of first source short codes.

之後,形成一來源目的對照資料表,將各資料封包所對應之目的短碼與第一來源短碼儲存於來源目的對照資料表。接著,將資料封包中之一者定義為一資料判斷封包,將來源目的對照資料表中所儲存之第一來源短碼中對應於資料判斷封包者定義為一判斷來源短碼,判斷出目的短碼未對應於判斷來源短碼之數量是否小於一數量預設值。 Thereafter, a source data comparison reference table is formed, and the short code of the destination corresponding to each data packet and the first source short code are stored in the source purpose comparison data table. Then, one of the data packets is defined as a data judgment packet, and the first source short code stored in the source data comparison data table is defined as a judgment source short code, and the short object is determined. The code does not correspond to whether the number of the source short codes is less than a predetermined number of preset values.

當判斷結果為是時,依據資料判斷封包所對應之一判斷封包來源位址與一判斷封包目的位址判斷資料判斷封包是否重複出現。當判斷結果為否時,將資料判斷封包之判斷封包來源位址換算為一第二來源短碼,並將第二來源短碼紀錄於一數量累計資料。 When the judgment result is yes, it is determined according to the data to determine whether the packet source address and the judgment packet destination address judgment data determine whether the packet is repeated. When the judgment result is no, the source address of the judgment packet of the data judgment packet is converted into a second source short code, and the second source short code is recorded in a quantity accumulated data.

重複執行上述步驟,藉以使數量累計資料儲存有複數個第二來源短碼,將上述複數個第二來源短 碼之相同者累計為一短碼相同數量,並依據短碼相同數量,將上述複數個第二來源短碼之相同者所對應之判斷封包來源位址判斷為超級散播者來源位址。 Repeating the above steps, so that the quantity accumulated data is stored with a plurality of second source short codes, and the plurality of second sources are short. The same code is accumulated into the same number of short codes, and the source address of the judgment packet corresponding to the same one of the plurality of second source short codes is determined as the source address of the super-spreader according to the same number of short codes.

在上述必要技術手段的基礎下,上述超級散播者之判斷方法所衍生之一附屬技術手段為在依據短碼相同數量,將上述複數個第二來源短碼之相同者所對應之判斷封包來源位址判斷為超級散播者來源位址時,是藉由在判斷出短碼相同數量大於一基礎數量時,將上述複數個第二來源短碼之相同者所對應之判斷封包來源位址判斷為超級散播者來源位址。 On the basis of the above-mentioned necessary technical means, one of the sub-technical means derived from the above-mentioned method for judging the super-distributor is to determine the source of the judgment packet corresponding to the same of the plurality of second-source short codes according to the same number of short codes. When the address is determined to be the source address of the super-spreader, the judging packet source address corresponding to the same one of the plurality of second source short codes is judged to be super when judging that the same number of short codes is greater than a basic number. The source address of the distributor.

在上述必要技術手段的基礎下,上述超級散播者之判斷方法所衍生之一附屬技術手段為在將各來源位址與各目的位址換算成複數個目的短碼,並將各來源位址換算成複數個第一來源短碼時,是經由一第一雜湊函數(Hash Function)將各來源位址與各目的位址換算為目的短碼,並經由一第二雜湊函數將各來源位址換算為第一來源短碼。 Based on the above-mentioned necessary technical means, one of the subsidiary technical means derived from the above-mentioned method of judging the super-distributor is to convert each source address and each destination address into a plurality of destination short codes, and convert each source address. When a plurality of first source short codes are formed, each source address and each destination address are converted into a destination short code via a first hash function, and each source address is converted by a second hash function. Short code for the first source.

在上述必要技術手段的基礎下,上述超級散播者之判斷方法所衍生之一附屬技術手段為在將資料判斷封包之判斷封包來源位址換算為一第二來源短碼時,是經由一第三雜湊函數將資料判斷封包之判斷封包來源位址換算為第二來源短碼。 On the basis of the above-mentioned necessary technical means, one of the subsidiary technical means derived from the above-mentioned method of judging the super-distributor is to convert the source address of the judgment packet of the data judgment packet into a second source short code, which is via a third The hash function converts the source address of the judgment packet of the data judgment packet into the second source short code.

在上述必要技術手段的基礎下,上述超級散播者之判斷方法所衍生之一附屬技術手段為在依據資料判斷封包所對應之判斷封包來源位址與判斷封包目的 位址判斷資料判斷封包是否重複出現時,須先解析出對應於資料判斷封包之判斷封包來源位址與判斷封包目的位址。接著,再藉由一布隆過濾模組依據資料判斷封包所應之判斷封包來源位址與判斷封包目的位址判斷資料判斷封包是否重複出現。其中,布隆過濾模組係一布隆過濾器(Bloom Filter)。 On the basis of the above-mentioned necessary technical means, one of the subsidiary technical means derived from the above-mentioned super-distributor's judgment method is to judge the source address of the packet and judge the purpose of the packet in accordance with the data judgment packet. When the address judgment data determines whether the packet is repeated, the source address of the judgment packet corresponding to the data judgment packet and the destination address of the judgment packet are first parsed. Then, the Bulong filter module determines whether the packet is repeated by determining the source address of the packet and determining the destination address of the packet according to the data. Among them, the Bloom filter module is a Bloom filter.

在上述必要技術手段的基礎下,上述超級散播者之判斷方法所衍生之一附屬技術手段為在藉由一布隆過濾模組依據資料判斷封包所應之判斷封包來源位址與判斷封包目的位址判斷資料判斷封包是否重複出現時,需將判斷封包來源位址與判斷封包目的位址經由複數個過濾雜湊函數換算成一過濾短碼集合,過濾短碼集合包含複數個各過濾雜湊函數所換算出之過濾短碼。其中,數量累計資料為一數量累計表。接著,將一依據至少一預存過濾短碼集合所產生之過濾短碼集合資料與過濾短碼集合進行比對,藉以判斷出過濾短碼集合是否重複出現。藉此,判斷封包來源位址與判斷封包目的位址判斷資料判斷封包是否重複出現。 On the basis of the above-mentioned necessary technical means, one of the sub-technical methods derived from the above-mentioned method of judging the super-distributor is to determine the source address of the packet and the destination of the packet by judging the packet according to the data by a Bloom filter module. When the address judgment data determines whether the packet is repeated, the address of the judgment packet source address and the destination address of the judgment packet are converted into a filter short code set through a plurality of filter hash functions, and the filter short code set includes a plurality of filter hash functions. Filter short codes. The quantity cumulative data is a quantity accumulation table. Then, the filtered short code set data generated according to the at least one pre-stored filtered short code set is compared with the filtered short code set to determine whether the filtered short code set is repeated. Thereby, judging the source address of the packet and determining the destination address of the packet to determine whether the packet is repeated.

在上述必要技術手段的基礎下,上述超級散播者之判斷方法所衍生之一附屬技術手段為在將判斷封包來源位址與判斷封包目的位址經由複數個過濾雜湊函數換算成一包含過濾短碼之過濾短碼集合時,是經由過濾雜湊函數將判斷封包來源位址與判斷封包目的位址換算為過濾短碼。 Based on the above-mentioned necessary technical means, one of the auxiliary technical means derived from the above-mentioned method for judging the super-distributor is to convert the address of the judgment packet source address and the judgment packet destination address into a filter-containing short code via a plurality of filtering hash functions. When filtering the short code set, the packet source address and the judgment packet destination address are converted into the filtering short code by the filter hash function.

本發明為解決先前技術之問題,所採用之 必要技術手段為另外提供一種超級散播者之判斷系統。超級散播者之判斷系統用以判斷出一超級散播者來源位址,並包含一封包解析模組、一運算模組、一儲存模組與一判斷模組。封包解析模組用以接收複數個資料封包,並解析出複數個分別對應於資料封包之來源位址與複數個分別對應於資料封包之目的位址。 The present invention solves the problems of the prior art and adopts The necessary technical means provide a judgment system for the super-distributor. The super-distributor's judgment system is used to determine a super-spreader source address, and includes a packet parsing module, a computing module, a storage module and a judging module. The packet parsing module is configured to receive a plurality of data packets, and parse a plurality of source addresses corresponding to the data packets and a plurality of destination addresses respectively corresponding to the data packets.

運算模組電性連接於封包解析模組,用以將各來源位址與各目的位址換算成複數個目的短碼,並將各來源位址換算成複數個第一來源短碼。儲存模組電性連接於運算模組,並設有一來源目的對照資料表,用以將各資料封包所對應之目的短碼與第一來源短碼儲存於來源目的對照資料表。 The computing module is electrically connected to the packet parsing module, and is configured to convert each source address and each destination address into a plurality of destination short codes, and convert each source address into a plurality of first source short codes. The storage module is electrically connected to the computing module, and is provided with a source purpose comparison data table for storing the short code of the destination corresponding to each data packet and the first source short code in the source purpose comparison data table.

判斷模組電性連接於儲存模組,並設有一數量預設值,用以將資料封包中之一者定義為一資料判斷封包,將來源目的對照資料表中所儲存之第一來源短碼中對應於資料判斷封包者定義為一判斷來源短碼,並判斷出目的短碼未對應於判斷來源短碼之數量是否小於數量預設值。 The judging module is electrically connected to the storage module, and is provided with a preset number for defining one of the data packets as a data judging packet, and storing the first source short code stored in the source data comparison table. The data corresponding to the data judgment packet is defined as a judgment source short code, and it is determined whether the destination short code does not correspond to the number of the determination source short codes is less than the preset number.

其中,當判斷出目的短碼未對應於判斷來源短碼之數量小於數量預設值,且依據資料判斷封包所對應之一判斷封包來源位址與一判斷封包目的位址判斷資料判斷封包未重複出現時,將資料判斷封包之判斷封包來源位址換算為一第二來源短碼,並將第二來源短碼紀錄於一數量累計資料,藉以使數量累計資料儲存有複數個第二來源短碼,並將上述複數個第二來源短碼之相 同者累計為一短碼相同數量,並依據數量累計資料之短碼相同數量將上述複數個第二來源短碼之相同者所對應之判斷封包來源位址判斷為超級散播者來源位址。 Wherein, when it is determined that the destination short code does not correspond to the number of the determined source short codes is less than the preset number, and one of the corresponding packets is determined according to the data, the source address of the packet is determined, and the address of the judgment packet is determined by the address judgment data. When present, the source address of the judgment packet of the data judgment packet is converted into a second source short code, and the second source short code is recorded in a quantity accumulation data, so that the quantity accumulation data is stored with a plurality of second source short codes. And the above multiple second source short code phases The same person accumulates the same number of short codes, and judges the source address of the judgment packet corresponding to the same one of the plurality of second source short codes as the source address of the super-spreader according to the same number of short codes of the quantity accumulated data.

在上述必要技術手段的基礎下,上述超級散播者之判斷系統所衍生之一附屬技術手段為超級散播者之判斷系統更包含一判斷封包解析模組一判斷封包運算模組一布隆過濾模組一判斷封包儲存模組與一判斷封包判斷模組。判斷封包解析模組電性連接於判斷模組,用以解析出對應於資料判斷封包之判斷封包來源位址與判斷封包目的位址。 Based on the above-mentioned necessary technical means, one of the affiliated technical means derived from the above-mentioned super-distributor's judgment system is a super-distributor's judgment system, which further includes a judgment packet analysis module, a judgment packet operation module, a bloom filter module. A judging packet storage module and a judging packet judging module. The judging packet parsing module is electrically connected to the judging module, and is configured to parse the source address of the judging packet corresponding to the data judging packet and the destination address of the judging packet.

判斷封包運算模組電性連接於判斷封包解析模組,用以將判斷封包來源位址與判斷封包目的位址換算成一過濾短碼集合。濾短碼集合包含複數個過濾短碼。布隆過濾模組電性連接於判斷封包運算模組,並設有一依據至少一預存過濾短碼集合所產生之過濾短碼集合資料,用以將過濾短碼集合資料與過濾短碼集合進行比對。 The determining packet computing module is electrically connected to the determining packet parsing module, and is configured to convert the determining packet source address and the determining packet destination address into a filtered short code set. The filtered short code set contains a plurality of filtered short codes. The Bloom filter module is electrically connected to the determining packet computing module, and is provided with a filtered short code set data generated according to at least one pre-stored filtered short code set, which is used to compare the filtered short code set data with the filtered short code set. Correct.

判斷封包儲存模組電性連接於判斷封包運算模組,並設有數量累計資料,用以在布隆過濾模組比對出過濾短碼集合未重複出現而判斷出資料判斷封包未重複出現時,藉由判斷封包運算模組將資料判斷封包之判斷封包來源位址換算為第二來源短碼,並將第二來源短碼紀錄於判斷封包儲存模組之數量累計資料,藉以使數量累計資料儲存有複數個第二來源短碼,並將上述複數個第二來源短碼之相同者累計為短碼相同數量。 Determining that the packet storage module is electrically connected to the judging packet computing module, and is provided with a quantity accumulating data, which is used to determine that the data judging packet is not repeated when the Bron filter module compares the filtering short code set without repeated occurrence By judging the packet computing module, the source address of the judgment packet of the data judgment packet is converted into the second source short code, and the second source short code is recorded in the judgment quantity accumulation data of the packet storage module, so as to make the quantity accumulated data A plurality of second source short codes are stored, and the same of the plurality of second source short codes are accumulated into the same number of short codes.

判斷封包判斷模組電性連接於判斷封包儲存模組並設有一基礎數量,用以判斷出短碼相同數量大於基礎數量時,將上述複數個第二來源短碼之相同者所對應之判斷封包來源位址判斷為超級散播者來源位址。 Determining that the packet judging module is electrically connected to the judging packet storage module and is provided with a basic quantity for judging that the same number of the short codes is greater than the basic number, and determining the corresponding packet corresponding to the same of the plurality of second source short codes The source address is judged to be the source address of the super-spreader.

承上所述,本發明所提供之超級散播者之判斷方法及其系統,係透過來源目的對照資料表來對資料封包進行初步的篩選,藉以將目的短碼未對應於判斷來源短碼之數量小於一數量預設值之資料判斷封包篩選出。接著,藉由布隆過濾模組將具有相同來源位址與目的位址之資料判斷封包過濾,並將第二來源短碼相同者累計成數量累計資料。藉以判斷資料判斷封包之來源位址是否為超級散播者來源位址。 As described above, the method and system for judging the super-distributor provided by the present invention perform preliminary screening of the data packet through the source-specific comparison data table, so that the destination short code does not correspond to the number of the judgment source short code. A data less than a predetermined number of predetermined values is judged to be filtered out. Then, the data of the same source address and the destination address is filtered by the Bloom filter module, and the same source of the second source short code is accumulated into the quantity accumulated data. By judging the data, it is judged whether the source address of the packet is the source address of the super-spreader.

相較於先前技術,由於本發明所提供之超級散播者之判斷方法及其系統僅將代表資料封包之來源位址與目的位址所換算成之第一來源短碼與目的短碼紀錄於來源目的對照資料表,且僅將經過布隆過濾模組所篩選出之判斷封包來源位址所換算成的第二來源短碼中之重複者累計成一數量累計資料。因此,省去了儲存大量資料封包所需之儲存空間。藉此,不需額外購置硬碟或其他儲存模組來儲存資料封包,且無需購買運算能力較佳的硬體來進行解析與判斷,因而解決了需要支出大量的開銷之問題。 Compared with the prior art, the method and system for judging the super-distributor provided by the present invention only records the first source short code and the destination short code converted into the source address and the destination address of the data packet in the source. The purpose is to compare the duplicates in the second source short code converted into the source address of the judgment packet selected by the Bloom filter module into a quantity accumulation data. Therefore, the storage space required to store a large number of data packets is eliminated. In this way, there is no need to purchase a hard disk or other storage module to store data packets, and it is not necessary to purchase hardware with better computing power for parsing and judgment, thereby solving the problem that a large amount of overhead is required.

1‧‧‧超級散播者之判斷系統 1‧‧‧Super disseminator's judgment system

11‧‧‧封包解析模組 11‧‧‧Packet Analysis Module

12‧‧‧運算模組 12‧‧‧ Computing Module

121‧‧‧第一雜湊函數運算單元 121‧‧‧First hash function unit

122‧‧‧第二雜湊函數運算單元 122‧‧‧Secondary function unit

13‧‧‧儲存模組 13‧‧‧ Storage Module

14‧‧‧判斷模組 14‧‧‧Judgement module

15‧‧‧判斷封包解析模組 15‧‧‧Determining packet parsing module

16‧‧‧判斷封包運算模組 16‧‧‧Determining the packet computing module

161‧‧‧過濾雜湊函數運算單元 161‧‧‧Filtering the hash function unit

162‧‧‧第三雜湊函數運算單元 162‧‧‧ third hash function unit

17‧‧‧布隆過濾模組 17‧‧‧Bron filter module

18‧‧‧判斷封包儲存模組 18‧‧‧Determination of packet storage module

19‧‧‧判斷封包判斷模組 19‧‧‧Determination of packet judgment module

2‧‧‧處理晶片 2‧‧‧Processing wafer

3‧‧‧軟體程式 3‧‧‧Software

D1‧‧‧來源目的對照資料表 D1‧‧‧Source purpose comparison data sheet

D2‧‧‧過濾短碼集合資料 D2‧‧‧Filter short code collection data

D3‧‧‧數量累計資料 D3‧‧‧Quantitative data

V1‧‧‧數量預設值 V1‧‧‧ quantity preset

V2‧‧‧基礎數量 V2‧‧‧Basic quantity

第一圖係顯示本發明較佳實施例所提供之超級散播者之判斷系統之方塊圖;第二A圖至第二C圖係顯示本發明較佳實施例所提供之超級散播者之判斷方法之流程圖;第三圖係顯示本發明較佳實施例所提供之超級散播者之判斷方法之來源目的對照資料表之示意圖;以及第四圖係顯示本發明較佳實施例所提供之超級散播者之判斷方法之數量累計資料之示意圖。 The first figure shows a block diagram of the judging system of the super-distributor provided by the preferred embodiment of the present invention; the second graph A to the second C shows the judging method of the super-spreader provided by the preferred embodiment of the present invention. FIG. 3 is a schematic diagram showing a source of comparison of the source of the method for judging the super-distributor provided by the preferred embodiment of the present invention; and a fourth diagram showing the super-distribution provided by the preferred embodiment of the present invention. A schematic diagram of the cumulative amount of data for the method of judgment.

請參閱第一圖,第一圖係顯示本發明較佳實施例所提供之超級散播者之判斷系統之方塊圖。如圖所示,本發明較佳實施例提供了一種超級散播者之判斷系統1。超級散播者之判斷系統1包含一封包解析模組11、一運算模組12、一儲存模組13、一判斷模組14、一判斷封包解析模組15、一判斷封包運算模組16、一布隆過濾模組17、一判斷封包儲存模組18與一判斷封包判斷模組19。在本實施例當中,超級散播者之判斷系統1係應用於一路由器,在其他實施例當中,可應用於各類網路設備,尤其適合應用於記憶體容量較低或運算能力較低的網路設備,但不以此為限。 Please refer to the first figure, which is a block diagram showing the judging system of the super-distributor provided by the preferred embodiment of the present invention. As shown, the preferred embodiment of the present invention provides a judging system 1 for a super-distributor. The judging system 1 of the super-distributor includes a packet parsing module 11, a computing module 12, a storage module 13, a judging module 14, a judging packet parsing module 15, a judging packet computing module 16, and a The Bloom filter module 17, a judging packet storage module 18 and a judging packet judging module 19. In this embodiment, the super-distributor's judgment system 1 is applied to a router. In other embodiments, it can be applied to various network devices, and is particularly suitable for a network with low memory capacity or low computing power. Road equipment, but not limited to this.

在本實施例當中,封包解析模組11、運算模組12、儲存模組13與判斷模組14位於一處理晶片2上,例如為現場可程式邏輯門陣列(Field Programmable Gate Array;FPGA)晶片,但在其他實施例當中不以此為限。另外,在本實施例當中,判斷封包解析模組15、判斷封包運算模組16、布隆過濾模組17、判斷封包儲存模組18與判斷封包判斷模組19被編寫於一軟體程式3,但在其他實施例當中不以此為限。 In this embodiment, the packet parsing module 11, the computing module 12, the storage module 13 and the judging module 14 are located on a processing chip 2, such as a field programmable logic gate array (Field Programmable). Gate Array; FPGA) chip, but not limited to other embodiments. In addition, in the embodiment, the determination packet parsing module 15, the judging packet computing module 16, the Bloom filter module 17, the judging packet storage module 18, and the judging packet judging module 19 are written in a software program 3, However, it is not limited to this in other embodiments.

運算模組12電性連接於封包解析模組11,並包含一第一雜湊函數(Hash Function)運算單元121與一第二雜湊函數運算單元122。儲存模組13電性連接於運算模組12,並設有一來源目的對照資料表D1。其中,儲存模組13例如為區塊隨機存取記憶體(Block RAM;BRAM),但不以此為限。判斷模組14電性連接於儲存模組13,並設有一數量預設值V1。 The computing module 12 is electrically connected to the packet parsing module 11 and includes a first hash function unit 121 and a second hash function unit 122. The storage module 13 is electrically connected to the computing module 12 and is provided with a source purpose comparison data table D1. The storage module 13 is, for example, a block random access memory (BRAM), but is not limited thereto. The determining module 14 is electrically connected to the storage module 13 and is provided with a predetermined number of values V1.

判斷封包解析模組15電性連接於判斷模組14。判斷封包運算模組16電性連接於判斷封包解析模組15,並包含複數個過濾雜湊函數運算單元161(在此僅標示其中一者)與一第三雜湊函數運算單元162。 The determination packet analysis module 15 is electrically connected to the determination module 14 . The judging packet computing module 16 is electrically connected to the judging packet parsing module 15 and includes a plurality of filtering hash function computing units 161 (only one of which is labeled here) and a third hash function computing unit 162.

布隆過濾模組17電性連接於判斷封包運算模組16,並設有一依據至少一預存過濾短碼集合所產生之過濾短碼集合資料D2。在本實施例當中,布隆過濾模組17為布隆過濾器(Bloom Filter)。判斷封包儲存模組18電性連接於判斷封包運算模組16,並設有一數量累計資料D3。在本實施例當中,數量累計資料D3為一數量累計表,但在其他實施例當中並不以此為限。判斷封包判斷模組19電性連接於判斷封包儲存模組18並設有一基礎數量V2。 The Bloom filter module 17 is electrically connected to the judging packet computing module 16 and is provided with a filtered short code set data D2 generated according to at least one pre-stored filtered short code set. In this embodiment, the Bloom filter module 17 is a Bloom Filter. The packet storage module 18 is electrically connected to the judging packet computing module 16 and is provided with a quantity of accumulated data D3. In the embodiment, the quantity accumulation data D3 is a quantity accumulation table, but it is not limited thereto in other embodiments. The determination packet determination module 19 is electrically connected to the determination packet storage module 18 and is provided with a base quantity V2.

請一併參閱第一圖至第二C圖,第二A圖至第二C圖係顯示本發明較佳實施例所提供之超級散播者之判斷方法之流程圖。如圖所示,先接收複數個資料封包,並藉由封包解析模組11解析出複數個分別對應於資料封包之來源位址與複數個分別對應於資料封包之目的位址(即步驟S1)。 Please refer to FIG. 1 to FIG. 2C together. FIG. 2A to FIG. 2C are flowcharts showing a method for judging the super-distributor provided by the preferred embodiment of the present invention. As shown in the figure, a plurality of data packets are received first, and the packet resolution module 11 parses a plurality of source addresses corresponding to the data packets and a plurality of destination addresses respectively corresponding to the data packets (ie, step S1). .

請一併參閱第一圖、第二A圖與第三圖,第三圖係顯示本發明較佳實施例所提供之超級散播者之判斷方法之來源目的對照資料表之示意圖。如圖所示,藉由運算模組12之第一雜湊函數運算單元121將各來源位址與各目的位址換算為一目的短碼。其中,目的短碼是一經由第一雜湊函數所換算而成之雜湊值(Hash value)。藉由運算模組12之第二雜湊函數運算單元122將各來源位址換算一第一來源短碼。其中,第一來源短碼是一經由第二雜湊函數所換算而成之雜湊值(即步驟S2)。 Please refer to FIG. 1 , FIG. 2A and FIG. 3 together. FIG. 3 is a schematic diagram showing the source of the comparison data table of the method for judging the super-distributor provided by the preferred embodiment of the present invention. As shown in the figure, each source address and each destination address are converted into a destination short code by the first hash function operation unit 121 of the operation module 12. The destination short code is a hash value converted by the first hash function. Each source address is converted to a first source short code by a second hash function operation unit 122 of the computing module 12. The first source short code is a hash value converted by the second hash function (ie, step S2).

接著,將資料封包所對應之目的短碼與第一來源短碼儲存於儲存模組13之來源目的對照資料表D1(即步驟S3)。在本實施例當中,第一雜湊函數運算單元121運算出10個目的短碼,目的短碼分別為5869、fd11、555a、e154、e5f1、44d6、a47b、e4a6、e5dd與eee4。第二雜湊函數運算單元122運算出10個第一來源短碼。第一來源短碼分別為1a2b、5d1e、6dd9、c232、F127、365c、52af、fe24、4dd1與C21d,但在其他實施例並不以此為限。在未接收到封包前,在來源目的對照資料表D1中, 目的短碼與第一來源短碼所對應之欄位皆為0。 Then, the destination short code corresponding to the data packet and the first source short code are stored in the source destination comparison data table D1 of the storage module 13 (ie, step S3). In the present embodiment, the first hash function operation unit 121 calculates 10 destination short codes, and the destination short codes are 5869, fd11, 555a, e154, e5f1, 44d6, a47b, e4a6, e5dd, and eee4, respectively. The second hash function operation unit 122 calculates ten first source short codes. The first source short codes are 1a2b, 5d1e, 6dd9, c232, F127, 365c, 52af, fe24, 4dd1, and C21d, respectively, but are not limited thereto in other embodiments. Before the packet is received, in the source purpose comparison data table D1, The field corresponding to the destination short code and the first source short code is 0.

接著,將資料封包中之一者定義為一資料判斷封包,將來源目的對照資料表D1中所儲存之資料判斷封包所對應之第一來源短碼定義為一判斷來源短碼。在本實施例當中,當目的短碼與第一來源短碼儲存於來源目的對照資料表D1後,將目的短碼與第一來源短碼所定義出之判斷來源短碼所對應出之欄位填入為1。 Then, one of the data packets is defined as a data judgment packet, and the first source short code corresponding to the data judgment packet stored in the source destination comparison data table D1 is defined as a judgment source short code. In this embodiment, after the destination short code and the first source short code are stored in the source destination comparison data table D1, the destination short code is compared with the field corresponding to the judgment source short code defined by the first source short code. Fill in as 1.

藉由判斷模組14判斷出目的短碼未對應於判斷來源短碼之數量是否小於一數量預設值V1(即步驟S4)。在本實施例當中,數量預設值V1為3,但在其他實施例並不以此為限。 The determining module 14 determines whether the destination short code does not correspond to the number of the determined source short codes is less than a predetermined number of preset values V1 (ie, step S4). In the embodiment, the preset value V1 is 3, but it is not limited thereto in other embodiments.

若判斷出目的短碼未對應於判斷來源短碼之數量未小於數量預設值V1,則可以得知判斷來源短碼所對應之來源位址並非超級散播者來源位址(即步驟S41),因為從判斷來源短碼所對應之來源位址所發送之資料封包所傳送到的目的位址之數量並未超過數量預設值V1,因而不符合超級散播者來源位址的條件。藉此,將資料判斷封包做第一階段的篩選。 If it is determined that the destination short code does not correspond to the number of the determined source short codes is not less than the quantity preset value V1, it may be known that the source address corresponding to the source short code is not the super-spreader source address (ie, step S41), Because the number of destination addresses transmitted from the data packet sent by the source address corresponding to the source short code does not exceed the preset value V1, it does not meet the condition of the super-spreader source address. In this way, the data judgment packet is selected as the first stage of screening.

舉例而言,在來源目的對照資料表D1中,當第一來源短碼之5d1e被定義為判斷來源短碼時,未對應於判斷來源短碼之5d1e之目的短碼之數量為6(六個0)。由於未對應於判斷來源短碼之5d1e之目的短碼之數量(6)大於數量預設值V1(3),因此可以得知判斷來源短碼所對應之來源位址並非超級散播者來源位址。 For example, in the source destination comparison data table D1, when the 5d1e of the first source short code is defined as the judgment source short code, the number of short codes that do not correspond to the 5d1e of the judgment source short code is 6 (six 0). Since the number of short codes (6) that are not corresponding to the 5d1e of the source short code is greater than the preset value V1(3), it can be known that the source address corresponding to the source short code is not the source address of the super-spreader. .

請一併參閱第一圖與第二B圖。如圖所 示,當判斷模組14判斷出目的短碼未對應於判斷來源短碼之數量小於數量預設值V1時,藉由判斷封包解析模組15解析出對應於資料判斷封包之一判斷封包來源位址與一判斷封包目的位址(即步驟S51)。 Please refer to the first picture and the second picture B together. As shown When the determining module 14 determines that the destination short code does not correspond to the number of the determined source short codes is less than the quantity preset value V1, it is determined that the packet parsing module 15 parses out one of the data determining packets to determine the source of the packet. The address and the address of the judgment packet are determined (ie, step S51).

舉例而言,在來源目的對照資料表D1中,當第一來源短碼之1a2b與c21d被定義為判斷來源短碼時,未對應於判斷來源短碼之1a2b之目的短碼之數量為2(兩個0),未對應於判斷來源短碼之c21d之目的短碼之數量為1(一個0)。 For example, in the source destination comparison data table D1, when 1a2b and c21d of the first source short code are defined as the judgment source short code, the number of short codes of the destination 1a2b that does not correspond to the judgment source short code is 2 ( Two 0), the number of short codes that do not correspond to the c21d of the source short code is 1 (one 0).

由於未對應於判斷來源短碼之1a2b與c21d之目的短碼之數量皆小於數量預設值V1,因此解析出對應於資料判斷封包之一判斷封包來源位址與一判斷封包目的位址。其中,可透過查尋第二奏函數之雜湊表(Hash Table)得知判斷來源短碼所對應的來源位址。在本實施例當中,假定判斷來源短碼之1a2b所對之來源位址有兩個,判斷來源短碼之c21d所對之來源位址有一個。 Since the number of the short codes of the destinations 1a2b and c21d that are not corresponding to the source short code is less than the preset value V1, the address corresponding to the source of the data packet and the address of the judgment packet are parsed. Wherein, the source address corresponding to the source short code can be obtained by searching the hash table of the second function. In the present embodiment, it is assumed that the source address of the source short code 1a2b is two, and the source address of the source short code c21d is one.

接著,藉由判斷封包運算模組16之複數個過濾雜湊函數運算單元161(在此僅標示其中一者)將判斷封包來源位址與判斷封包目的位址換算為複數個過濾短碼,藉以形成複數個過濾短碼所形成之過濾短碼集合(步驟S521)。其中,上述複數個過濾短碼為複數個不同的過濾雜湊函數所換算出雜湊值。 Then, by determining a plurality of filtering hash function operation units 161 (only one of which is labeled here) of the packet computing module 16, the packet determining source address and the determining packet destination address are converted into a plurality of filtering short codes, thereby forming A plurality of filtered short code sets formed by filtering the short codes (step S521). The plurality of filtering short codes are converted into hash values by a plurality of different filtering hash functions.

接著,藉由布隆過濾模組17之過濾短碼集合資料D2與過濾短碼集合進行比對,並判斷出過濾短碼 集合是否與過濾短碼集合資料D2之預存過濾短碼集合相符,藉以判斷過濾短碼集合是否重複出現。(步驟S522)。 Then, the filtered short code set data D2 of the Bloom filter module 17 is compared with the filtered short code set, and the filtered short code is determined. Whether the set matches the pre-stored filtered short code set of the filtered short code set data D2, thereby determining whether the filtered short code set is repeated. (Step S522).

簡而言之,之前曾經出現過的資料判斷封包之判斷封包來源位址與判斷封包目的位址會被上述複數個不同的過濾雜湊函數換算成複數個雜湊值而形成預存過濾短碼集合,並以預存過濾短碼集合之形式儲存於過濾短碼集合資料D2。 In short, the data of the judgment packet originating from the previous judgment packet and the destination address of the judgment packet are converted into a plurality of hash values by the plurality of different filter hash functions to form a pre-stored filter short code set, and The filtered short code set data D2 is stored in the form of a pre-stored filtered short code set.

當要判斷資料判斷封包之判斷封包來源位址與判斷封包目的位址是否重複時,將判斷資料判斷封包所對應的過濾短碼集合與過濾短碼集合資料D2之預存過濾短碼集合進行比對,藉以判斷出資料判斷封包之判斷封包來源位址與判斷封包目的位址是否重複。藉此,節省了儲存判斷資料封包所需要的儲存空間。 When it is judged whether the source address of the judgment packet of the data judgment packet and the address of the judgment packet are duplicated, the comparison of the filter short code set corresponding to the data judgment packet and the pre-stored filter short code set of the filter short code set data D2 are compared. By judging the data, judging the source address of the packet and determining whether the destination address of the packet is duplicated. Thereby, the storage space required for storing the judgment data packet is saved.

當判斷出過濾短碼集合重複出現時,將資料判斷封包之判斷封包來源位址與判斷封包目的位址捨棄,因為不需要計算重複的資料判斷封包之判斷封包來源位址與判斷封包目的位址(及步驟S5221)。 When it is determined that the filtered short code set is repeated, the source address of the judgment packet and the destination address of the judgment packet are discarded, because it is not necessary to calculate the duplicate data to determine the source address of the packet and the destination address of the packet. (and step S5221).

請一併參閱第二C圖與第四圖,第四圖係顯示本發明較佳實施例所提供之超級散播者之判斷方法之數量累計資料之示意圖。如圖所示,當判斷出過濾短碼集合未重複出現時,藉由判斷封包運算模組16之第三雜湊函數運算單元162將資料判斷封包之判斷封包來源位址換算為一第二來源短碼,並將第二來源短碼紀錄於判斷封包儲存模組18之數量累計資料D3。 Please refer to FIG. 2C and FIG. 4 together. FIG. 4 is a schematic diagram showing the cumulative amount of data of the method for judging the super-distributor provided by the preferred embodiment of the present invention. As shown in the figure, when it is determined that the filtered short code set is not repeatedly generated, the third hash function operation unit 162 of the packet computing module 16 determines that the source address of the data packet of the data judgment packet is converted into a second source. The code is recorded in the second source short code to determine the quantity accumulated data D3 of the packet storage module 18.

其中,第二來源短碼是經由一第三雜湊函數將資料判斷封包之判斷封包來源位址所換算成的雜湊值。之後,不斷地重複上述之步驟,藉以使數量累計資料D3儲存有複數個第二來源短碼,並將第二來源短碼之相同者累計為一短碼相同數量(即步驟S6)。 The second source short code is a hash value converted into a source address of the judgment packet of the data judgment packet via a third hash function. Thereafter, the above steps are continually repeated, so that the quantity cumulative data D3 stores a plurality of second source short codes, and the same of the second source short codes is accumulated into a short code of the same number (ie, step S6).

舉例來說,對應於判斷來源短碼為1a2b的兩個來源位址在經過第三雜湊函數運算單元162之運算而分別形成為456a與89a4之第二來源短碼。另外,對應於判斷來源短碼為c21d的來源位址在經過第三雜湊函數運算單元162之運算而形成為ee66之第二來源短碼。接著,將第二來源短碼之456a、89a4與ee66紀錄於數量累計資料D3,並將第二來源短碼之相同者累計為一短碼相同數量。其中,第二來源短碼之456a累計了6次,第二來源短碼之89a4累計了2次,第二來源短碼之456a累計了6次,第二來源短碼之ee66累計了9次。 For example, the two source addresses corresponding to the source code short code 1a2b are formed into the second source short codes of 456a and 89a4 by the operation of the third hash function operation unit 162, respectively. In addition, the source address corresponding to the source code short code c21d is formed as the second source short code of ee66 by the operation of the third hash function operation unit 162. Next, the second source short code 456a, 89a4 and ee66 are recorded in the quantity cumulative data D3, and the same ones of the second source short codes are accumulated into one short code same number. Among them, the 456a of the second source short code is accumulated 6 times, the 89a4 of the second source short code is accumulated 2 times, the 456a of the second source short code is accumulated 6 times, and the ee66 of the second source short code is accumulated 9 times.

最後,藉由判斷封包判斷模組19判斷短碼相同數量是否大於一基礎數量V2(即步驟S71)。當判斷出判斷短碼相同數量未大於基礎數量V2時,則可判定上述第二來源短碼之相同者所對應的判斷封包來源位址非超級散播者來源位址(即步驟S711)。當判斷出判斷短碼相同數量大於基礎數量V2時,將上述第二來源短碼之相同者所對應之判斷封包來源位址判定為超級散播者來源位址(即步驟S72)。 Finally, it is judged by the judgment packet judging module 19 whether the same number of short codes is greater than a basic number V2 (ie, step S71). When it is determined that the same number of short codes is not greater than the basic number V2, the judging packet source address non-super-spreader source address corresponding to the same one of the second source short codes may be determined (ie, step S711). When it is determined that the same number of short codes is greater than the base quantity V2, the judgment packet source address corresponding to the same one of the second source short codes is determined as the super-spreader source address (ie, step S72).

舉例來說,若基礎數量V2設定為5,則判斷封包判斷模組19可判斷出第二來源短碼之456a與ee66 的短碼相同數量都超過基礎數量V2。在藉由查詢第三雜湊函數之雜湊表後,可得知第二來源短碼之456a與ee66所對應的來源短碼為超級散播者來源位址。另外,判斷封包判斷模組19可判斷出第二來源短碼之89a4的短碼相同數量未超過基礎數量V2。在藉由查詢第三雜湊函數之雜湊表後,可得知第二來源短碼之89a4所對應的來源短碼不是超級散播者來源位址。 For example, if the base quantity V2 is set to 5, it is determined that the packet determination module 19 can determine the 456a and ee66 of the second source short code. The same number of short codes exceeds the base quantity V2. After querying the hash table of the third hash function, it can be known that the source short code corresponding to the 456a and ee66 of the second source short code is the super-spreader source address. In addition, the judgment packet judging module 19 can judge that the same number of short codes of the 89a4 of the second source short code does not exceed the basic number V2. After querying the hash table of the third hash function, it can be known that the source short code corresponding to 89a4 of the second source short code is not the super-spreader source address.

順帶一提,在本實施例當中,目的短碼、第一來源短碼、過濾短碼與第二來源短碼皆為十六進位之英文字母與阿拉伯數字混合之雜湊值,但在其他實施例當中,目的短碼、第一來源短碼、過濾短碼與第二來源短碼可為僅有阿拉伯數字之雜湊值或僅有英文字母之雜湊值,但在其他實施例當中並不以此為限。 Incidentally, in this embodiment, the destination short code, the first source short code, the filtered short code, and the second source short code are all mashed values of hexadecimal English letters mixed with Arabic numerals, but in other embodiments The destination short code, the first source short code, the filtered short code and the second source short code may be a hash value of only Arabic numerals or a hash value of only English letters, but in other embodiments, this is not limit.

綜上所述,在本發明較佳實施例所提供之超級散播者之判斷方法及其系統中,先將各資料封包的來源位址與目的位址解析出,並依據來源位址與目的位址進行雜湊運算而形成目的短碼與第一來源短碼。接著,依據目的短碼與第一來源短碼所形成的來源目的對照資料表,藉以篩出傳送給對應多個目的短碼的並被定義為判斷來源短碼之第一來源短碼。 In summary, in the method and system for judging the super-distributor provided by the preferred embodiment of the present invention, the source address and the destination address of each data packet are first parsed, and according to the source address and the destination address. The address is hashed to form a destination short code and a first source short code. Then, according to the source destination comparison data table formed by the destination short code and the first source short code, the first source short code transmitted to the corresponding plurality of destination short codes and defined as the source short code is screened out.

接著,對上述判斷來源短碼所對應的來源位址進行過濾雜湊函數之運算,藉以藉由布隆過濾模組過濾出來源位址與目的位址未重複的判斷資料封包。接著,將第二來源短碼之相同者累計出短碼相同數量,並藉由比較短碼相同數量與基礎數量來判斷資料判斷封包 之來源位址是否為超級散播者來源位址。 Then, the filtering source function is performed on the source address corresponding to the source short code, so that the Bulong filtering module filters out the judgment data packet whose source address and destination address are not duplicated. Then, the same number of short codes of the second source are accumulated to the same number of short codes, and the data judgment packet is judged by comparing the same number of short codes with the basic quantity. Whether the source address is a super-spreader source address.

相較於先前技術,由於本發明較佳實施例所提供之超級散播者之判斷方法及其系統僅需要儲存依據各資料封包之第一來源短碼與目的短碼來形成來源目的對照資料表,並儲存依據各第二來源短碼之短碼相同數量而形成之數量累計資料。因此,不需要藉由大容量的儲存空間來儲存資料封包,因而節省了因為購置硬碟、其他儲存模組或運算能力較佳的硬體所需支出的大量開銷。 Compared with the prior art, the method and system for judging the super-distributor provided by the preferred embodiment of the present invention only need to store the first source short code and the destination short code according to each data packet to form a source-specific reference data table. And storing the accumulated amount of data formed according to the same number of short codes of the short codes of the second source. Therefore, there is no need to store data packets by a large storage space, thereby saving a large amount of overhead for purchasing hard disks, other storage modules, or hardware with better computing power.

藉由以上較佳具體實施例之詳述,係希望能更加清楚描述本發明之特徵與精神,而並非以上述所揭露的較佳具體實施例來對本發明之範疇加以限制。相反地,其目的是希望能涵蓋各種改變及具相等性的安排於本發明所欲申請之專利範圍的範疇內。 The features and spirit of the present invention will be more apparent from the detailed description of the preferred embodiments. On the contrary, the intention is to cover various modifications and equivalents within the scope of the invention as claimed.

Claims (11)

一種超級散播者之判斷方法,係用以判斷出一超級散播者(Superspreader)來源位址,並包含以下步驟:(a)接收複數個資料封包,並解析出複數個分別對應於該些資料封包之來源位址與複數個分別對應於該些資料封包之目的位址;(b)將各該些來源位址與各該些目的位址經由一第一雜湊函數之計算換算成一目的短碼,並將各該些來源位址經由一第二雜湊函數之計算換算成一第一來源短碼;(c)形成一來源目的對照資料表,將各該些資料封包所對應之該些目的短碼與該些第一來源短碼儲存於該來源目的對照資料表;(d)將該些資料封包中之一者定義為一資料判斷封包,將該來源目的對照資料表中所儲存之該些第一來源短碼中對應於該資料判斷封包者定義為一判斷來源短碼,判斷出該些目的短碼未對應於該判斷來源短碼之數量是否小於一數量預設值;(e)當該步驟(d)之判斷結果為是時,依據該資料判斷封包所對應之一判斷封包來源位址與一判斷封包目的位址判斷該資料判斷封包是否重複出現;(f)當該步驟(e)之判斷結果為否時,將該資料判斷封包之該判斷封包來源位址換算為一第二來源短碼,並將該第二來源短碼紀錄於一數量累計資料;以及 (g)重複執行該步驟(a)至該步驟(f),藉以使該數量累計資料儲存有複數個該第二來源短碼,將上述複數個該第二來源短碼之相同者累計為一短碼相同數量,並依據該短碼相同數量將上述複數個該第二來源短碼之相同者所對應之該判斷封包來源位址判斷為該超級散播者來源位址。 A super-distributor judgment method is used for judging a Superspreader source address, and includes the following steps: (a) receiving a plurality of data packets, and parsing a plurality of data packets respectively corresponding to the data packets The source address and the plurality of destination addresses respectively corresponding to the data packets; (b) converting each of the source addresses and the destination addresses into a destination short code via a first hash function calculation, And converting each of the source addresses into a first source short code by using a second hash function; (c) forming a source destination comparison data table, and using the short codes of the destinations corresponding to the data packets The first source short codes are stored in the source purpose comparison data table; (d) one of the data packets is defined as a data judgment packet, and the first one stored in the source purpose comparison data table is stored The source short code corresponding to the data determines that the packetizer is defined as a judgment source short code, and determines whether the short codes of the destinations do not correspond to the number of the short codes of the judgment source is less than a predetermined number; (e) when the step (d) When the judgment result is yes, determining, according to the data, the source address of the packet and the address of the judgment packet to determine whether the data packet is repeated; (f) when the judgment result of the step (e) is no And converting the source address of the judgment packet of the data judgment packet into a second source short code, and recording the second source short code in a quantity accumulated data; (g) repeating the steps (a) to (f), wherein the quantity accumulated data is stored with a plurality of the second source short codes, and the same of the plurality of the second source short codes is accumulated into one The short codes are the same number, and the judgment packet source address corresponding to the same plurality of the second source short codes is determined as the super-spreader source address according to the same number of the short codes. 如申請專利範圍第1項所述之超級散播者之判斷方法,其中,在該步驟(g)中,係判斷出該短碼相同數量大於一基礎數量時,將上述複數個該第二來源短碼之相同者所對應之該判斷封包來源位址判斷為該超級散播者來源位址。 The method for judging a super-distributor according to claim 1, wherein in the step (g), when the same number of the short codes is greater than a basic quantity, the plurality of the second sources are short. The source address of the judgment packet corresponding to the same code is determined as the source address of the super-spreader. 如申請專利範圍第1項所述之超級散播者之判斷方法,其中,在該步驟(b)中,係經由一第一雜湊函數(Hash Function)將各該些來源位址與各該些目的位址換算為該些目的短碼,並經由一第二雜湊函數將各該些來源位址換算為該些第一來源短碼。 The method for judging a super-distributor according to claim 1, wherein in the step (b), each of the source addresses and each of the objects are performed via a first hash function. The address is converted into short codes of the destinations, and each of the source addresses is converted into the first source short codes via a second hash function. 如申請專利範圍第1項所述之超級散播者之判斷方法,其中,在該步驟(f)中,係經由一第三雜湊函數將該資料判斷封包之該判斷封包來源位址換算為該第二來源短碼。 The method for judging a super-distributor according to claim 1, wherein in the step (f), the source address of the judgment packet of the data judgment packet is converted into the first Two source short codes. 如申請專利範圍第1項所述之超級散播者之 判斷方法,其中,在該步驟(e)之中,更包含以下步驟:(e1)解析出對應於該資料判斷封包之該判斷封包來源位址與該判斷封包目的位址;以及(e2)藉由一布隆過濾模組依據該資料判斷封包所對應之該判斷封包來源位址與該判斷封包目的位址判斷該資料判斷封包是否重複出現。 Such as the super-distributor described in item 1 of the patent application scope a determining method, wherein, in the step (e), the method further comprises the following steps: (e1) parsing the source address of the determining packet corresponding to the data determining packet and the destination address of the determining packet; and (e2) borrowing The Bron filter module determines, according to the data, the source address of the judgment packet corresponding to the packet and the destination address of the judgment packet to determine whether the data is repeated. 如申請專利範圍第5項所述之超級散播者之判斷方法,其中,該布隆過濾模組係一布隆過濾器(Bloom Filter)。 The method for judging a super-distributor according to claim 5, wherein the Bloom filter module is a Bloom Filter. 如申請專利範圍第5項所述之超級散播者之判斷方法,其中,在該步驟(e2)中,更包含以下步驟:(e21)將該判斷封包來源位址與該判斷封包目的位址經由複數個過濾雜湊函數換算成一過濾短碼集合,該過濾短碼集合係包含複數個各該些過濾雜湊函數所換算出之過濾短碼;以及(e22)將一依據至少一預存過濾短碼集合所產生之過濾短碼集合資料與該過濾短碼集合進行比對,藉以判斷出該過濾短碼集合是否重複出現。 The method for judging a super-distributor according to claim 5, wherein in the step (e2), the method further comprises the following steps: (e21) via the source address of the judgment packet and the destination address of the judgment packet Converting a plurality of filtering hash functions into a filtered short code set, the filtering short code set comprising a plurality of filtering short codes converted by each of the filtering hash functions; and (e22) separating the short code sets according to at least one pre-stored filtering The generated filtered short code set data is compared with the filtered short code set to determine whether the filtered short code set is repeated. 如申請專利範圍第7項所述之超級散播者之判斷方法,其中,在該步驟(e21)中,係經由該些過濾雜湊函數將該判斷封包來源位址與該判斷封包目的位址換算為該些過濾短碼。 The method for judging a super-distributor according to claim 7 , wherein in the step (e21), the determining packet source address and the determining packet destination address are converted into the destination address of the determining packet by the filtering hash function These filter short codes. 如申請專利範圍第1項所述之超級散播者之判斷方法,其中,該數量累計資料係一數量累計表。 The method for judging a super-distributor as described in claim 1 of the patent application, wherein the quantity-accumulated data is a quantity accumulation table. 一種超級散播者之判斷系統,係用以判斷出一超級散播者來源位址,並包含:一封包解析模組,係用以接收複數個資料封包,並解析出複數個分別對應於該些資料封包之來源位址與複數個分別對應於該些資料封包之目的位址;一運算模組,係電性連接於該封包解析模組,用以將各該些來源位址與各該些目的位址經由一第一雜湊函數之計算換算成一目的短碼,並將各該些來源位址經由一第二雜湊函數之計算換算成一第一來源短碼;一儲存模組,係電性連接於該運算模組,並設有一來源目的對照資料表,用以將各該些資料封包所對應之該些目的短碼與該些第一來源短碼儲存於該來源目的對照資料表;以及一判斷模組,係電性連接於該儲存模組,並設有一數量預設值,用以將該些資料封包中之一者定義為一資料判斷封包,將該來源目的對照資料表中所儲存之該些第一來源短碼中對應於該資料判斷封包者定義為一判斷來源短碼,並判斷出該些目的短碼未對應於該判斷來源短碼之數量是否小於該數量預設值;其中,當判斷出該些目的短碼未對應於該判斷來源短碼之數量小於該數量預設值,且依據該資料判斷封包所 對應之一判斷封包來源位址與一判斷封包目的位址判斷該資料判斷封包未重複出現時,將該資料判斷封包之該判斷封包來源位址換算為一第二來源短碼,並將該第二來源短碼紀錄於一數量累計資料,藉以使該數量累計資料儲存有複數個該第二來源短碼,並將上述複數個該第二來源短碼之相同者累計為一短碼相同數量,並依據該數量累計資料之該短碼相同數量將上述複數個該第二來源短碼之相同者所對應之該判斷封包來源位址判斷為該超級散播者來源位址。 A super-distributor judgment system is used for judging a super-spreader source address, and includes: a packet parsing module for receiving a plurality of data packets, and parsing a plurality of corresponding data respectively The source address of the packet and the plurality of destination addresses respectively corresponding to the data packets; an operation module electrically connected to the packet parsing module for using the source addresses and the respective destinations The address is converted into a short code by a calculation of a first hash function, and each of the source addresses is converted into a first source short code by a second hash function; a storage module is electrically connected to The computing module has a source-specific comparison data table for storing the short codes of the destinations corresponding to the data packets and the first source short codes in the source-specific comparison data table; The module is electrically connected to the storage module, and is provided with a preset value for defining one of the data packets as a data judgment packet, and storing the source object in the comparison data table. The first source short code corresponding to the data determines that the packetizer is defined as a judgment source short code, and determines whether the number of the short codes that do not correspond to the judgment source short code is less than the preset number; Wherein, when it is determined that the short codes of the destinations do not correspond to the number of the short codes of the judgment source, the number is less than the preset value, and the packet is determined according to the data. Corresponding to determining the source address of the packet and determining the destination address of the packet to determine that the data is not repeated, the source address of the judgment packet of the data judgment packet is converted into a second source short code, and the first The two source short codes are recorded in a quantity of accumulated data, so that the quantity accumulated data stores a plurality of the second source short codes, and the same number of the plurality of the second source short codes are accumulated into a short code of the same quantity. And determining, according to the same quantity of the short code of the quantity accumulation data, the judgment packet source address corresponding to the same one of the plurality of the second source short codes as the super-spreader source address. 如申請專利範圍第10項所述之超級散播者之判斷系統,更包含:一判斷封包解析模組,係電性連接於該判斷模組,用以解析出對應於該資料判斷封包之該判斷封包來源位址與該判斷封包目的位址;一判斷封包運算模組,係電性連接於該判斷封包解析模組,用以將該判斷封包來源位址與該判斷封包目的位址換算成一過濾短碼集合,該過濾短碼集合係包含複數個過濾短碼;一布隆過濾模組,係電性連接於該判斷封包運算模組,並設有一依據至少一預存過濾短碼集合所產生之過濾短碼集合資料,用以將該過濾短碼集合資料與該過濾短碼集合進行比對;一判斷封包儲存模組,係電性連接於該判斷封包運算模組,並設有該數量累計資料,用以在該布隆過濾模組 比對出該過濾短碼集合未重複出現而判斷出該資料判斷封包未重複出現時,藉由該判斷封包運算模組將該資料判斷封包之該判斷封包來源位址換算為該第二來源短碼,並將該第二來源短碼紀錄於該判斷封包儲存模組之該數量累計資料,藉以使該數量累計資料儲存有複數個該第二來源短碼,並將上述複數個該第二來源短碼之相同者累計為該短碼相同數量;以及一判斷封包判斷模組,係電性連接於該判斷封包儲存模組並設有一基礎數量,用以判斷出該短碼相同數量大於該基礎數量時,將上述複數個該第二來源短碼之相同者所對應之該判斷封包來源位址判斷為該超級散播者來源位址。 The judging system of the super-distributor as described in claim 10, further comprising: a judging packet parsing module electrically connected to the judging module, configured to parse the judgment corresponding to the data judging packet The source address of the packet and the address of the determining packet; a determining packet computing module is electrically connected to the determining packet parsing module, and is configured to convert the source address of the determining packet and the destination address of the determining packet into a filtering a short code set, the filter short code set includes a plurality of filter short codes; a Bron filter module is electrically connected to the judgment packet operation module, and is provided with a set according to at least one pre-stored filter short code set. Filtering the short code set data for comparing the filtered short code set data with the filtered short code set; and determining the packet storage module electrically connected to the determining packet computing module, and having the quantity accumulated Data for the Bloom filter module Comparing that the filtered short code set is not repeated and determining that the data is not repeatedly displayed, the determining the packet computing module converts the source address of the determining packet to the second source by the determining packet computing module And storing the second source short code in the quantity accumulation data of the judgment packet storage module, so that the quantity accumulation data stores a plurality of the second source short codes, and the plurality of the second source sources are The same number of short codes is accumulated for the same number of short codes; and a judgment packet judgment module is electrically connected to the judgment packet storage module and is provided with a basic quantity for determining that the same number of the short codes is greater than the basis In the case of quantity, the source address of the judgment packet corresponding to the same one of the plurality of second source short codes is determined as the source address of the super-spreader.
TW106125426A 2017-07-28 2017-07-28 Superspreader determination method and system thereof TWI650986B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106125426A TWI650986B (en) 2017-07-28 2017-07-28 Superspreader determination method and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106125426A TWI650986B (en) 2017-07-28 2017-07-28 Superspreader determination method and system thereof

Publications (2)

Publication Number Publication Date
TWI650986B true TWI650986B (en) 2019-02-11
TW201911833A TW201911833A (en) 2019-03-16

Family

ID=66214004

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106125426A TWI650986B (en) 2017-07-28 2017-07-28 Superspreader determination method and system thereof

Country Status (1)

Country Link
TW (1) TWI650986B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI228902B (en) * 2002-06-12 2005-03-01 Rdc Semiconductor Co Ltd Method and system for controlling and managing network security
TWI366365B (en) * 2008-08-20 2012-06-11 Chunghwa Telecom Co Ltd System and method for dynamic data backup
TWI420320B (en) * 2010-08-02 2013-12-21 O2Micro Int Ltd Device, system and method for assigning addresses
TW201443670A (en) * 2013-01-30 2014-11-16 Microsoft Corp Virtual library providing content accessibility irrespective of content format and type

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI228902B (en) * 2002-06-12 2005-03-01 Rdc Semiconductor Co Ltd Method and system for controlling and managing network security
TWI366365B (en) * 2008-08-20 2012-06-11 Chunghwa Telecom Co Ltd System and method for dynamic data backup
TWI420320B (en) * 2010-08-02 2013-12-21 O2Micro Int Ltd Device, system and method for assigning addresses
TW201443670A (en) * 2013-01-30 2014-11-16 Microsoft Corp Virtual library providing content accessibility irrespective of content format and type

Also Published As

Publication number Publication date
TW201911833A (en) 2019-03-16

Similar Documents

Publication Publication Date Title
US11936764B1 (en) Generating event streams based on application-layer events captured by remote capture agents
US10264027B2 (en) Computer-implemented process and system employing outlier score detection for identifying and detecting scenario-specific data elements from a dynamic data source
US20230188441A1 (en) Aggregation of select network traffic statistics
KR102387725B1 (en) Malware Host Netflow Analysis System and Method
US10574658B2 (en) Information security apparatus and methods for credential dump authenticity verification
US20230085654A1 (en) Virtual private cloud flow log event fingerprinting and aggregation
US20110276709A1 (en) Locational Tagging in a Capture System
CN108664480B (en) Multi-data-source user information integration method and device
EP2180660B1 (en) Method and system for statistical analysis of botnets
CN111581397A (en) Network attack tracing method, device and equipment based on knowledge graph
US9021085B1 (en) Method and system for web filtering
CN104639391A (en) Method for generating network flow record and corresponding flow detection equipment
CN103297433A (en) HTTP botnet detection method and system based on net data stream
CN108764902B (en) Method, node and blockchain system for storing data
CN111523012B (en) Method, apparatus and computer readable storage medium for detecting abnormal data
CN102833111A (en) Visual hyper text transfer protocol (HTTP) data supervising method and device
CN113111951A (en) Data processing method and device
CN110837646A (en) Risk investigation device of unstructured database
TWI650986B (en) Superspreader determination method and system thereof
Culley Computer forensics: past, present and future
CN114500580B (en) Distributed storage system and method based on block chain
CN115001724B (en) Network threat intelligence management method, device, computing equipment and computer readable storage medium
CN113076355A (en) Method for sensing data security flow situation
Vu et al. Impact of DHCP churn on network characterization
Santosa et al. Analysis of educational institution DNS network traffic for insider threats

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees