WO2015165229A1 - Method, apparatus, and system for identifying an abnormal IP data stream - Google Patents

Method, apparatus, and system for identifying an abnormal IP data stream

Info

Publication number
WO2015165229A1
Authority
WO
WIPO (PCT)
Prior art keywords
traffic
bucket
value
total
auxiliary queue
Prior art date
Application number
PCT/CN2014/089939
Other languages
English (en)
French (fr)
Inventor
何诚
黄群
李柏晴
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to US14/798,811 (US9923794B2)
Publication of WO2015165229A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks

Definitions

  • The present invention relates to the field of communications, and in particular, to a method, apparatus, and system for identifying an abnormal IP data stream.
  • MBB: Mobile Broadband
  • Internet
  • intelligent devices such as smart terminals and tablet PCs
  • MBB data network traffic; at the same time, it has brought a new problem:
  • Network anomalies of various kinds occur frequently.
  • Network anomalies include abnormal traffic, network attacks, viruses, etc., and abnormal traffic includes heavy hitters and heavy changers. These have a significant negative impact on network utilization, network performance, and user experience, and carry the risk of critical information disclosure and of system and terminal damage.
  • A large traffic object (heavy hitter) refers to a data flow that frequently appears in a network; here it is defined as a data flow with a large overall traffic. A large change object (heavy changer) refers to a data flow whose main features (including size, port number, protocol number, etc.) change greatly within a given time period.
  • The quintuple of an IP (Internet Protocol) packet (source IP, destination IP, source port, destination port, protocol number) defines an IP data stream object (hereinafter referred to as "object").
  • The method for identifying abnormal network traffic includes: 1) a data collection node randomly sends collected elements for different objects to one or more working nodes; the relationship between the object and the element can be expressed as "element (object, value)", that is, element (key, value); the "value" contained in the element can be the flow value of the element, or information indicating the flow value of the element (for example, the number of packets included in the element); 2) the working node maps the received elements to a data structure table composed of multiple buckets according to a mapping algorithm and, at the end of each time interval, reports to the control node the total traffic of the elements mapped to each bucket in that time interval; elements for the same object are generally mapped into the same bucket and, because the number of objects is large, different objects can be mapped into the same bucket to save the storage space occupied by the data structure table; 3) the control node summarizes the information reported by each working node, when the total traffic of the elements mapped
  • Embodiments of the present invention provide a method, apparatus, and system for identifying an abnormal IP data stream to improve recognition accuracy.
  • a method for identifying an abnormal IP data stream is provided, which is applied to a working node, the method comprising:
  • mapping the Y elements into N buckets according to a mapping algorithm, wherein N ≥ 1 and N is an integer
  • the type of the preset abnormal object is a large traffic object; the identifying, according to the type of the preset abnormal object and the r traffic upper bounds in the current time interval, whether the first object is an abnormal object includes:
  • the type of the preset abnormal object is a large change object; the method further includes:
  • Determining, according to the preset type of the abnormal object, and the r traffic upper bounds in the current time interval, whether the first object is an abnormal object includes:
  • the elements for the first object are distributed on d working nodes including the working node, d ≥ 2, d is an integer, and the d working nodes identify d abnormal object sets, each working node identifying one abnormal object set; after the determining, according to the type of the preset abnormal object and the r traffic upper bounds in the current time interval, whether the first object is an abnormal object, the method further includes:
  • the first object is a target abnormal object; wherein d ≥ d2 ≥ 1.
  • the mapping the Y elements into N buckets according to the mapping algorithm includes:
  • the method further includes:
  • the record information included in the first bucket includes: a total traffic of all elements mapped to the first bucket, and an auxiliary queue; wherein the auxiliary queue is used to determine the upper bound of the traffic, in the first bucket, of each object mapped to the first bucket.
  • the auxiliary queue is composed of the object total traffic of objects mapped to the first bucket, and the first element includes a flow value v of the first object; wherein the first element is an element for the first object; and the updating the record information included in the first bucket includes:
  • the v is added to the value of the object total traffic of the first object.
  • when the auxiliary queue does not include the object total traffic of the first object, adding the object total traffic of the first object to the auxiliary queue, and assigning the v to the object total traffic of the first object.
  • the auxiliary queue is composed of the object total traffic of objects mapped to the first bucket, and the first element includes a flow value v of the first object; wherein the first element is an element for the first object; the record information further includes a maximum allowable capacity of the auxiliary queue; and the updating the record information included in the first bucket includes:
  • the record information further includes a maximum allowable capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowable capacity of the auxiliary queue; before adding the object total traffic of the first object to the auxiliary queue, the method further includes:
  • the storage space corresponding to the value of the maximum allowable capacity of the auxiliary queue is expanded to a storage space corresponding to the value of the expanded capacity;
  • the updating the record information included in the first bucket further includes:
  • the value of the expansion capacity is assigned to the maximum allowable capacity.
  • the total flow of the object of the first object is not included in the auxiliary queue
  • the record information further includes a maximum allowable capacity of the auxiliary queue and an object traffic estimation error of the first bucket, the value of the maximum allowable capacity does not satisfy the preset expansion condition, and the first element includes the flow value v of the first object; wherein the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the upper bound of the traffic, in the first bucket, of an object mapped to the first bucket; before the updating the record information included in the first bucket, the method further includes:
  • the updating the record information included in the first bucket includes:
  • the minimum value is subtracted from the value of the object total traffic of each object in the auxiliary queue, and the minimum value is added to the value of the object traffic estimation error of the first bucket.
  • the updating the record information included in the first bucket includes:
  • the v is assigned to the object total traffic of the first object.
  • when the auxiliary queue does not include an object total traffic with a value of zero, the method further includes:
  • the method further includes:
  • the value of the expansion capacity is (k+1)(k+2)-1.
  • the determining the current number of expansion rounds k includes:
  • T is a dynamic expansion parameter
  • the W is the total flow rate of all the elements mapped to the first bucket after mapping the first element into the first bucket
  • T is a dynamic expansion parameter
  • the ⁇ refers to a preset total target flow threshold value of the first object
  • the ⁇ is a constant, and 0 ⁇ 1.
  • the first element is an element for the first object, specifically the last element for the first object;
  • the obtaining r traffic upper bounds of the first object in the r buckets that it is mapped to in the current time interval includes:
  • the value of the object total traffic of the first object is used as the lower bound of the traffic of the first object in the first bucket; when the object total traffic of the first object is not in the auxiliary queue, a zero value is used as the lower bound of the traffic of the first object in the first bucket;
  • a working node including:
  • a receiving unit configured to receive Y elements sent by the data collection node within the current time interval; wherein Y ≥ 1, Y is an integer;
  • a mapping unit configured to map the Y elements into N buckets according to a mapping algorithm; wherein N ≥ 1, N is an integer;
  • a first acquiring unit configured to acquire, as the target bucket, a bucket whose total traffic of all the elements mapped in the N buckets is greater than or equal to a first threshold
  • a second acquiring unit configured to acquire r traffic upper bounds of the first object in the r buckets that are mapped in the current time interval; wherein the first object is mapped to the target bucket
  • an identifying unit configured to identify, according to a preset type of the abnormal object and the r traffic upper bounds in the current time interval, whether the first object is an abnormal object; the preset abnormal object type is a large traffic object or a large change object.
  • the type of the preset abnormal object is a large traffic object
  • the identifying unit is configured to determine that the first object is a large traffic object when r1 traffic upper bounds among the r traffic upper bounds in the current time interval are greater than or equal to a second threshold; wherein r ≥ r1 ≥ 1.
  • the type of the preset abnormal object is a large change object; the working node further includes:
  • a third acquiring unit configured to acquire r traffic upper bounds of the first object in the r buckets that are mapped in the previous time interval of the current time interval;
  • the identifying unit is specifically configured to: obtain, according to the r traffic upper bounds in the current time interval and the r traffic upper bounds in the previous time interval, r change amounts of the traffic upper bounds; and when r2 of the r change amounts are greater than or equal to a third threshold, determine that the first object is a large change object; wherein r ≥ r2 ≥ 1.
  • the elements for the first object are distributed on d working nodes including the working node, d ≥ 2, d is an integer, the d working nodes identify d abnormal object sets, and each working node identifies one abnormal object set;
  • the receiving unit is further configured to receive d-1 abnormal object sets sent by the other d-1 working nodes, and, when d1 abnormal object sets in the d abnormal object sets all include the first object, determine that the first object is a target abnormal object; wherein d ≥ d1 ≥ 1;
  • the working node further includes: a sending unit, configured to send, to the control node, the set of abnormal objects identified by the working node, so that the control node is d2 abnormal object sets in the d abnormal object sets
  • the first object is determined to be a target abnormal object; wherein d ≥ d2 ≥ 1.
  • the mapping unit is specifically configured to map, according to a mapping algorithm, any one of the Y elements for the first object into a first bucket, where the first bucket refers to any bucket to which the first object can be mapped according to the mapping algorithm;
  • the working node further includes: an updating unit, configured to update the record information included in the first bucket; the record information includes: a total traffic of all elements mapped to the first bucket, and an auxiliary queue; the auxiliary queue is used to determine the upper bound of the traffic, in the first bucket, of each object mapped to the first bucket.
  • the auxiliary queue is composed of the object total traffic of objects mapped to the first bucket, and the first element includes a flow value v of the first object; wherein the first element is an element for the first object;
  • the updating unit is specifically configured to: when the auxiliary queue includes the object total traffic of the first object, add the v to the value of the object total traffic of the first object; or, when the auxiliary queue does not include the object total traffic of the first object, add the object total traffic of the first object to the auxiliary queue, and assign the v to the object total traffic of the first object.
  • the auxiliary queue is composed of the object total traffic of objects mapped to the first bucket, and the first element includes a flow value v of the first object; wherein the first element is an element for the first object; the record information further includes a maximum allowable capacity of the auxiliary queue;
  • the updating unit is specifically configured to: in the case where the value of the current capacity of the auxiliary queue is smaller than the value of the maximum allowable capacity, when the auxiliary queue does not include the object total traffic of the first object, add the object total traffic of the first object to the auxiliary queue, and assign the v to the object total traffic of the first object.
  • the record information further includes a maximum allowable capacity of the auxiliary queue, and a value of a current capacity of the auxiliary queue is greater than or equal to a value of a maximum allowable capacity of the auxiliary queue;
  • the working node further includes:
  • an expansion unit configured to expand a storage space corresponding to the value of the maximum allowable capacity to a storage space corresponding to the value of the expanded capacity when a value of the maximum allowable capacity of the auxiliary queue satisfies a preset expansion condition
  • the updating unit is specifically configured to assign the value of the expansion capacity to the maximum allowable capacity.
  • the total flow of the object of the first object is not included in the auxiliary queue
  • the record information further includes a maximum allowable capacity of the auxiliary queue and an object flow estimation error of the first bucket, and a value of a maximum allowable capacity of the auxiliary queue does not satisfy a preset expansion condition
  • the first element includes the flow value v of the first object; wherein the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the upper bound of the traffic, in the first bucket, of an object mapped to the first bucket; the working node further includes:
  • a first determining unit configured to determine the minimum value among the v and the values of the object total traffic of the objects in the auxiliary queue
  • the updating unit is specifically configured to: subtract the minimum value from the value of the object total traffic of each object in the auxiliary queue, and add the minimum value to the value of the object traffic estimation error of the first bucket.
  • when the auxiliary queue includes an object total traffic with a value of zero, the updating unit is further configured to:
  • the v is assigned to the total traffic of the object of the first object.
  • the working node further includes:
  • the working node further includes:
  • a second determining unit configured to determine whether a value L of the maximum allowable capacity of the auxiliary queue meets a preset expansion condition
  • the value of the expansion capacity is (k+1)(k+2)-1.
  • the ⁇ refers to a preset total target flow threshold value of the first object; the ⁇ is a constant, and 0 ⁇ 1.
  • the first element is an element for the first object among the Y elements, specifically the last element for the first object;
  • the second obtaining unit is specifically configured to: obtain an upper bound of the traffic of the first object in the first bucket; specifically, the method is:
  • the value of the object total traffic of the first object is used as the lower bound of the traffic of the first object in the first bucket; when the object total traffic of the first object is not in the auxiliary queue, a zero value is used as the lower bound of the traffic of the first object in the first bucket;
  • a system for identifying an abnormal IP data stream comprising: a data collection node and any one of the working nodes provided by the second aspect, wherein the data collection node is configured to send the Y elements.
  • In the method, apparatus, and system for identifying an abnormal IP data stream, a bucket whose total traffic of all mapped elements in the current time interval is greater than or equal to the first threshold is acquired as a target bucket, and whether the first object is an abnormal object is then identified according to the type of the preset abnormal object and the acquired r traffic upper bounds of the first object in the r buckets it is mapped to; wherein the first object is any object mapped to the target bucket.
  • The solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the bucket it is mapped to in order to identify whether an object is an abnormal object. This effectively avoids the prior-art problem in which, because only the total traffic of all elements mapped to a bucket is used to identify whether an object is an abnormal object, small traffic objects are erroneously identified as large traffic objects, thereby improving recognition accuracy.
  • FIG. 1 is a schematic flowchart of a method for identifying an abnormal IP data stream according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of an element distribution and mapping process according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a process for updating a record information according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a process for a working node to identify abnormal traffic according to an embodiment of the present invention
  • FIG. 5 is a schematic flowchart of a process for a control node to identify abnormal traffic according to an embodiment of the present disclosure
  • FIG. 6 is a schematic flowchart of another process for identifying an abnormal traffic by a working node according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a working node according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of another working node according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of another working node according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another working node according to an embodiment of the present disclosure.
  • FIG. 11 is a system block diagram of identifying an abnormal IP data flow according to an embodiment of the present invention.
  • FIG. 12 is a block diagram of another system for identifying an abnormal IP data flow according to an embodiment of the present invention.
  • The term "and/or" herein describes an association relationship between associated objects, indicating that three relationships may exist; for example, A and/or B may indicate three cases: A exists alone, A and B exist at the same time, and B exists alone.
  • The character "/" herein generally indicates an "or" relationship between the objects before and after it.
  • "Plurality" as used herein means two or more.
  • a method for identifying an abnormal IP data stream is provided in a working node according to an embodiment of the present invention, where the method includes:
  • the "working node" and the "data collection node" may each be a server or a PC (Personal Computer).
  • different working nodes and/or data collection nodes may also be distributed on different CPUs (Central Processing Units) of the same device. It should be noted that, for convenience of description, the following uses the case in which different working nodes and/or data collection nodes are distributed on different devices as an example.
  • Each server or PC can be used as a working node or a data collection node.
  • the same node is generally not both a working node and a data collection node; the "application scenario" herein may include one or more data collection nodes and one or more working nodes.
  • Each element consists of an object and a value corresponding to the object.
  • the "element" can be expressed as: element (object, value), i.e. (key, value); the "value" contained in an element can be the flow value of the element or information that can represent the flow value of the element. It should be noted that, in the following, unless otherwise stated, the "value" included in an element refers to the flow value of the element.
  • Different elements may contain the same or different objects, and the same or different values; for example: element 1 (object 1, value 1), element 2 (object 1, value 2), element 3 (object 2, value 3), element 4 (object 2, value 1), etc.
  • each data collection node may distribute the collected different elements to a preset one or more working nodes according to a certain distribution rule.
  • the specific distribution rule is not limited in the embodiment of the present invention.
  • the distribution rule may include: setting in advance, in the data collection node, the working node to which each object is distributed; when the data collection node acquires an element, it sends the element to the preset working node according to the object that the element is for.
  • the value of the “current time interval” is not limited in the embodiment of the present invention.
  • the “data structure table” is first described.
  • the "data structure table" is stored in the storage unit of the working node and is composed of I rows and J columns, wherein I ≥ 1, J ≥ 1, and I and J are integers; each row of the data structure table corresponds to a hash function.
  • a hash function is used to map the elements received by the working node into a certain bucket of the row.
  • the data structure table may specifically be a sketch data structure.
  • "Bucket" refers to a storage unit for storing each element in an I x J matrix; those skilled in the art will appreciate that the "elements in the matrix" here are not the same concept as the "elements" described elsewhere herein.
  • the values of I and J are related to the size of the memory footprint, and can be determined according to the methods in the prior art.
  • the step 102 may include: the working node maps the Y elements to each row according to a mapping algorithm corresponding to each row of the data structure table (ie, a hash function corresponding to each row of the data structure table).
  • the working node may map each element to each row when receiving each element, that is, according to a mapping algorithm corresponding to each row of the data structure table.
  • the specific mapping algorithm is not limited in the embodiment of the present invention, and may be a mapping algorithm in the prior art.
  • Since the mapping algorithm maps according to the object, in any row of the data structure table, different elements for the same object (i.e. different elements containing the same object) are generally mapped into the same bucket, and elements for different objects are generally mapped into different buckets. It should be noted that, in a specific implementation, on the one hand, because the number of buckets is relatively small and the number of objects is relatively large, different objects often need to be mapped into the same bucket; on the other hand, different objects may yield the same value under the mapping algorithm. Therefore, in any row of the data structure table, elements for different objects may also be mapped into the same bucket.
  • 103 Acquire, as the target bucket, a bucket whose total traffic of all the elements mapped in the N buckets is greater than or equal to a first threshold.
  • The first threshold: the working node may determine the first threshold according to its computing capability in the actual network environment; the greater the computing capability of the working node, the smaller the first threshold, and the smaller the computing capability, the larger the first threshold; the first threshold must ensure that at least one target bucket is selected among the N buckets; specifically, when the target network environment for implementing a certain function is required
  • the working node can determine a first threshold according to the threshold and the actual network environment.
  • the percentage of abnormal traffic required by different target network environments may be the same or different.
  • the percentage of abnormal traffic to total traffic may be 1%.
  • the number of target buckets can be one or more. For each bucket, the worker node can record the total traffic mapped to all elements of the bucket.
  • 104 Acquire, in the current time interval, r traffic upper bounds of the first object in the r buckets that it is mapped to; wherein the first object is any object mapped to the target bucket, each of the r buckets contains one traffic upper bound for the first object, r ≥ 1, and r is an integer.
  • the step 102 may include: mapping, according to a mapping algorithm, any element of the Y elements for the first object into a first bucket of the M buckets; the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm.
  • the method further includes: updating the record information included in the first bucket; the record information includes: a total traffic of all the elements mapped to the first bucket, and an auxiliary queue; wherein the auxiliary queue is used to determine the upper bound of the traffic, in the first bucket, of the objects mapped to the first bucket.
  • for each of the Y elements, the working node may update the record information contained in the bucket to which the element is mapped.
  • the "object flow value of the object” is a pointer to the object.
  • the "auxiliary queue" consists of the object total traffic of some or all of the objects mapped to the first bucket; for the cases in which it consists of the object total traffic of all objects, the cases in which it consists of that of only some objects, and which objects those are in the latter case, refer to the specific embodiments described below.
  • the first element includes a flow value v of the first object, wherein the first element is an element for the first object, specifically any one of the Y elements for the first object; the updating the record information included in the first bucket may include: when the auxiliary queue includes the object total traffic of the first object, adding the v to the value of the object total traffic of the first object; or, when the auxiliary queue does not include the object total traffic of the first object, adding the object total traffic of the first object to the auxiliary queue, and assigning the v to the object total traffic of the first object.
  • the upper bound of the traffic of the first object in a bucket that it is mapped to in the current time interval is the value, obtained by the working node at the end time of the current time interval, of the object total traffic of the first object in the record information contained in that bucket.
  • the size of the storage space of the data structure table may be limited by setting a maximum allowable capacity of the auxiliary queue, to avoid the problem that the storage space of the data structure table becomes too large because the capacity of the auxiliary queue in a bucket is excessive.
  • the auxiliary queue is composed of the object total traffic of objects mapped to the first bucket, and the first element includes a flow value v of the first object, where the first element is an element for the first object; the record information further includes a maximum allowable capacity of the auxiliary queue; and the updating the record information included in the first bucket includes: in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowable capacity, when the auxiliary queue does not include the object total traffic of the first object, adding the object total traffic of the first object to the auxiliary queue, and assigning the v to the object total traffic of the first object.
  • the present invention also provides embodiments in which the storage space occupied by the auxiliary queue (i.e., the storage space corresponding to the maximum allowable capacity of the auxiliary queue) is expanded appropriately.
  • the record information further includes a maximum allowable capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowable capacity of the auxiliary queue; before adding the object total traffic of the first object, the method may further include: when the value of the maximum allowable capacity of the auxiliary queue satisfies a preset expansion condition, expanding the storage space corresponding to the value of the maximum allowable capacity to the storage space corresponding to the value of the expanded capacity; in this case, the updating the record information included in the first bucket further includes: assigning the value of the expansion capacity to the maximum allowable capacity of the auxiliary queue.
  • the method may further include: determining whether a value L of the maximum allowable capacity of the auxiliary queue meets a preset expansion condition; specifically: determining a current number of expansion rounds k; when (k+1)(k+2)-1 > L, determining that the value of the maximum allowable capacity of the auxiliary queue satisfies the preset expansion condition; when (k+1)(k+2)-1 ≤ L, determining that the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition; in this case, the value of the expansion capacity is (k+1)(k+2)-1.
  • the values of the preset expansion conditions and the expansion capacity can also be determined based on other empirical values.
  • when the auxiliary queue does not include the object total traffic of the first object, the record information further includes the maximum allowable capacity of the auxiliary queue and the object traffic estimation error of the first bucket, the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition, and the first element includes the traffic value v of the first object, the method may further include: determining the minimum value among v and the values of the object total traffic of each object in the auxiliary queue; in this case, the updating the record information included in the first bucket includes: subtracting the minimum value from the value of the object total traffic of each object in the auxiliary queue, and superimposing the minimum value on the object traffic estimation error of the first bucket.
  • the "preset expansion condition" and the determination manner in the alternative manner can refer to the above description.
  • the updating the record information included in the first bucket may further include: deleting the object total traffic whose value is zero; adding the object total traffic of the first object to the auxiliary queue; and assigning v to the object total traffic of the first object.
  • the method may further include: deleting the first element.
  • the upper bound of the traffic of the first object in a bucket that is mapped in the current time interval can be obtained by:
  • the first element is an element for the first object among the Y elements, specifically the last element for the first object; in this case, the step 104 may include: acquiring the traffic upper bound of the first object in the first bucket; specifically: when the object total traffic of the first object is in the auxiliary queue, using the value of the object total traffic of the first object as the traffic lower bound of the first object in the first bucket; when the object total traffic of the first object is not in the auxiliary queue, using the zero value as the traffic lower bound of the first object in the first bucket; and using the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.
  • 105: Identify, according to a preset type of the abnormal object and the r traffic upper bounds in the current time interval, whether the first object is an abnormal object; the preset type of the abnormal object is a large traffic object or a large change object.
  • the type of the preset abnormal object is a large traffic object; in this case, the step 104 may include: when r1 of the r traffic upper bounds in the current time interval are greater than or equal to the second threshold, determining that the first object is a large traffic object; where r ≥ r1 ≥ 1.
  • the method may further include: acquiring r traffic upper bounds of the first object in the r buckets to which it is mapped in the previous time interval of the current time interval; in this case, step 105 may include: obtaining, according to the r traffic upper bounds in the current time interval and the r traffic upper bounds in the previous time interval of the current time interval, the change amounts of the r traffic upper bounds; and when r2 of the change amounts of the r traffic upper bounds are greater than or equal to a third threshold, determining that the first object is a large change object; where r ≥ r2 ≥ 1.
  • the working node may determine the second threshold according to the computing capability of the working node in the actual network environment.
  • the greater the computing capability of the working node, the smaller the second threshold; the smaller the computing capability of the working node, the larger the second threshold; the second threshold must ensure that at least one large traffic object is selected among the objects for the Y elements.
  • the working node may determine a third threshold according to the computing capability of the working node in the actual network environment.
  • the greater the computing capability of the working node, the smaller the third threshold; the smaller the computing capability of the working node, the larger the third threshold; the third threshold must ensure that at least one large change object is selected among the objects for the Y elements.
  • the second threshold and the third threshold may be the same or different.
  • the elements for the first object are distributed on d working nodes including the working node, d ≥ 2, and d is an integer; the d working nodes identify d abnormal object sets, each working node identifying one abnormal object set; in order to further improve the accuracy of the identification, after step 104, the method may further include any one of the following three implementation manners:
  • Manner 1: Receive the d-1 abnormal object sets sent by the other d-1 working nodes, and when d1 abnormal object sets among the d abnormal object sets all include the first object, determine that the first object is a target abnormal object; where d ≥ d1 ≥ 1;
  • Manner 2: Send the abnormal object set identified by the working node to the control node, so that the control node determines that the first object is a target abnormal object when d2 abnormal object sets among the d abnormal object sets all include the first object; where d ≥ d2 ≥ 1;
  • Manner 3: Send the abnormal object set identified by the working node to any one of the other d-1 working nodes, so that that working node determines that the first object is a target abnormal object when d3 abnormal object sets among the d abnormal object sets all include the first object; where d ≥ d3 ≥ 1.
  • the concept of a "summary node" is introduced; the summary node summarizes the abnormal object sets obtained by the working nodes to determine the final abnormal object (i.e., the target abnormal object); that is, the summary node is the execution subject that determines the target abnormal object, and it may be any one of the working nodes or a node independent of the working nodes (such as the above-mentioned "control node").
  • the identifier of the summary node for the first object may be pre-stored in the work node for transmitting the exception object set to the summary node at the end of a time interval.
  • the identifier of the summary node may be set in the summary node under the instruction of the user, or may be obtained by receiving the information sent by the data collection node or any node.
  • an "abnormal object set" refers to a set of abnormal objects; for the manner in which each working node determines each abnormal object in its abnormal object set, refer to the manner of determining the abnormal object in the above steps 101-103.
  • In the method for identifying an abnormal IP data stream provided by the embodiment of the present invention, the working node obtains, as a target bucket, a bucket whose total traffic of all mapped elements in the current time interval is greater than or equal to the first threshold, and then identifies whether the first object is an abnormal object according to the preset type of the abnormal object and the acquired r traffic upper bounds of the first object in the r buckets to which it is mapped; where the first object is any object mapped to the target bucket.
  • This solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object. It effectively avoids the prior-art problem in which small traffic objects are erroneously identified as large traffic objects because only the total traffic of all elements mapped to the bucket is used, thereby improving identification accuracy.
  • the record information included in any bucket of the data structure table includes: the total traffic of all elements mapped to the bucket, the auxiliary queue, the maximum allowable capacity of the auxiliary queue, and the object traffic estimation error of the bucket. At the beginning of the current time interval, the value of the total traffic of all elements mapped to the bucket is 0, the value of the object traffic estimation error of the bucket is 0, the value L of the maximum allowable capacity is a preset threshold, and the auxiliary queue contains the object total traffic of L empty objects.
  • the control node and the working node are not the same node.
  • the following two embodiments include: an element distribution and mapping process, a record information update process, a work node identification process, and a control node identification process.
  • This embodiment is used to determine a target large traffic object, that is, the type of the preset abnormal object is a large traffic object. Specifically, including:
  • the data collection node obtains a total of Y elements.
  • the element (x, v_x) is used as an example to describe the element distribution and mapping process, where x represents the object x and v_x represents the traffic value of the object x.
  • the element distribution and mapping process includes:
  • the data collection node acquires an element (x, v_x).
  • the data collection node may pre-store the working nodes to which each object is distributed, where the numbers of working nodes to which different objects are distributed may be the same or different, and the working nodes to which different objects are distributed may be completely identical, partially identical, or different.
  • when the data collection node acquires an element, it determines, according to the object that the element is for, the d working nodes to which the object is distributed, and sends the element to one of the d working nodes.
  • the data collection node may determine the working node distributed by the object according to the attribute characteristics of the object, and the attribute feature of the object may include a quintuple of the object. Specifically, the quintuple information of each object is calculated according to a hash function, thereby determining a working node distributed by each object. Since the hash function has a random nature, the uniformity of the partition can be guaranteed, thereby ensuring the load balance of the system.
  • the working node that receives the element maps the element, according to the mapping algorithm corresponding to each row of the data structure table, to one bucket in each row, where I refers to the number of rows of the data structure table, I ≥ 1, and I is an integer.
  • the worker node receiving the element maps the element to a bucket of the row according to a mapping algorithm corresponding to the row.
  • the working node that receives the element (x, v_x) performs a record information update process for each of the I buckets, where the update processes for the record information of the I buckets may be performed sequentially or at the same time.
  • the following describes the update process of the record information by taking the i-th bucket as an example, where 1 ≤ i ≤ I, and i is an integer.
  • the update process includes:
  • the step 301 can be described as: updating the total traffic mapped to all elements in the i-th bucket.
  • step 303 receives the element for the object x and not removing the received element for the object x / not completely deleting the received element for the object x.
  • the step 303 can be described as: updating the total object traffic of the object x.
  • the record information update process for the element (x, v_x) ends.
  • the record information update process includes: updating the total traffic of all elements in the i-th bucket.
  • step 305 is performed; if not, this indicates that the current capacity of the auxiliary queue has reached the maximum allowable capacity, and step 306 is performed.
  • the value of the current capacity of the auxiliary queue refers to the total number of object total traffic entries of the non-empty objects contained in the auxiliary queue.
  • L refers to the total number of object total traffic entries allowed in the auxiliary queue, counting the entries of non-empty objects and/or the entries of empty objects.
  • "adding the object total traffic A[x] of the object x to the auxiliary queue" may be implemented as: updating the object total traffic of one empty object in the auxiliary queue to the object total traffic A[x] of the object x.
  • the record information update process for the element (x, v_x) ends.
  • the record information update process includes: updating the total traffic and the auxiliary queue of all elements in the i-th bucket.
  • the object total traffic threshold of the object x may be preset in either of the following manners:
  • Manner 1: Determine it according to the expected number of large traffic objects; for example, if the expected number of large traffic objects is 100 and the maximum traffic of the network within a certain time is known to be S (bandwidth × time), the object total traffic threshold of the object x may be S/100.
  • Manner 2: Estimate the total traffic S' in each time interval by an adaptive algorithm (such as EWMA), and set the object total traffic threshold of the object x to S'/100.
  • step 308 is performed; if not, this indicates that k and L do not satisfy the preset expansion condition, and step 309 is performed.
  • "expanding the storage space corresponding to L to the storage space corresponding to the value of the expansion capacity" may be implemented by adding (k+1)(k+2)-1 object total traffic entries of empty objects to the auxiliary queue.
  • assigning (k+1)(k+2)-1 to the maximum allowable capacity can be described as: updating the maximum allowable capacity.
  • the record information update process for the element (x, v_x) ends.
  • the record information update process includes: updating the total traffic of all elements in the i-th bucket, the maximum allowable capacity of the auxiliary queue and the auxiliary queue.
  • the minimum value in step 310 is the value of the object total traffic of one or more objects in the auxiliary queue; in that case, the object total traffic whose value is zero does not need to be recorded in the auxiliary queue at the current time, whereas the object total traffic of the object x needs to be recorded, and step 312 is performed; if not, the minimum value in step 310 is v_x, the object total traffic of the object x does not need to be recorded at the current time, and step 313 is performed.
  • "deleting the object total traffic whose value is zero" may be implemented by setting the object total traffic whose value is zero to the object total traffic of an empty object.
  • the record information update process for the element (x, v_x) ends.
  • the record information update process includes: updating the total traffic of all elements in the i-th bucket, the auxiliary queue, the maximum allowable capacity of the attached queue, and the object flow estimation error of the i-th bucket.
  • the record information update process for the element (x, v_x) ends.
  • A[x] is still not included in the auxiliary queue.
  • the record information update process includes: updating the total traffic of all elements in the i-th bucket, the auxiliary queue, the maximum allowable capacity of the auxiliary queue, and the object flow estimation error of the i-th bucket.
  • each worker node that received the element in the current time interval performs a work node identification process.
  • the record information in each bucket of the data structure table of each working node includes: the updated total traffic of the elements mapped to the bucket, the updated auxiliary queue, the updated maximum allowable capacity of the auxiliary queue, and the updated object traffic estimation error of the bucket.
  • the working node identification process includes:
  • the working node determines, in the data structure table, each bucket whose updated total traffic of the elements mapped to the bucket is greater than or equal to the first threshold as a target bucket, the number of target buckets being N; where N ≥ 1, and N is an integer.
  • the working node can sequentially check the total traffic of the elements mapped to each bucket to determine the target buckets, without determining the target buckets based on the objects that the elements are for.
  • step 402 is performed for each of the N target buckets.
  • the data structure table contains 3 × 4 buckets, that is, 12 buckets in 3 rows and 4 columns; the position of the nth target bucket in the data structure table is the first row and the second column, that is, the nth target bucket can be expressed as: bucket 12.
  • the objects mapped to the bucket 12 include: an object x1, an object x2, an object x3, and an object x4.
  • the buckets mapped by the four objects may be as shown in Table 1:
  • the following describes the working node identification process by using the first object mapped by the nth bucket as an example, and specifically includes steps 403-410.
  • the working node deleted all the elements for the first object when performing the record information update process, and step 404 is performed; if not, the working node did not delete the elements for the first object, or deleted only some of them, when performing the record information update process, and step 405 is performed.
  • steps 403-410 are performed for each object in the nth bucket.
  • the value of the object total traffic of the first object in the i-th bucket is used as the traffic lower bound S_down1 of the first object in the i-th bucket.
  • step 406 is performed.
  • the zero value is used as the traffic lower bound S_down1 of the first object in the i-th bucket.
  • S_up1 = S_down1 + e; where S_up1 is the traffic upper bound of the first object in the i-th bucket in the current time interval, and e is the value of the object traffic estimation error of the i-th bucket.
  • step 408 is performed; if yes, step 409 is performed.
  • step 403 is performed.
  • step 410 is performed; if not, it indicates that the first object is not a large traffic object, and then ends.
  • After performing step 410, the working node ends the identification process for the first object.
  • the control node identification process includes:
  • the control node receives the d large traffic object sets sent by the d working nodes distributed by the first object.
  • step 503 is performed; if not, the control node ends the identification process of the first object.
  • After performing step 503, the control node ends the identification process of the first object.
  • In the method for identifying an abnormal IP data stream provided by this embodiment of the present invention, the working node obtains, as a target bucket, a bucket whose total traffic of all mapped elements in the current time interval is greater than or equal to the first threshold, and then identifies whether the first object is a large traffic object according to the acquired r traffic upper bounds of the first object in the r buckets to which it is mapped.
  • the control node aggregates the large traffic objects identified by each working node to determine the target large traffic object.
  • This solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object. It effectively avoids the prior-art problem in which small traffic objects are erroneously identified as large traffic objects because only the total traffic of all elements mapped to the bucket is used, thereby improving identification accuracy.
  • This embodiment is used to determine a target large change object, that is, the type of the preset abnormal object is a large change object. Specifically, including:
  • the other steps are the same as the "record information update process" in the first embodiment.
  • the working node identification process includes:
  • 607: Acquire a traffic lower bound S_down2 and a traffic upper bound S_up2 in the i-th bucket mapped to in the previous time interval of the current time interval.
  • for the specific implementation by which the working node obtains S_down2 and S_up2, refer to the foregoing method for obtaining S_down1 and S_up1.
  • step 610 is performed; if yes, step 611 is performed.
  • step 603 is performed.
  • the change amounts of the traffic upper bounds of the first object in the I buckets include: D1, D2, ..., Di, ..., DI,
  • step 612 is performed; if not, the first object is not a large change object, and then the process ends.
  • After performing step 612, the working node ends the identification process for the first object.
  • the difference between this process and the "control node identification process" in the first embodiment is that the "large traffic object set" of the above embodiment is a "large change object set" in this embodiment, and the "target large traffic object" of the above embodiment is a "target large change object" in this embodiment.
  • On the basis of the method for identifying a large traffic object provided in Embodiment 1 above, the method for identifying a large change object provided by this embodiment can be implemented with only simple changes. That is, the concept of the method for identifying an abnormal IP data stream provided by the embodiment of the present invention can be applied both to the scenario of identifying large traffic objects and to the scenario of identifying large change objects. This addresses the problem in the prior-art solution that the method for identifying a large traffic object, for lack of a reserved time interval bit, cannot also be applied to identifying a large change object.
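The record information update process and the working node identification of Embodiments 1 and 2, put together as an added Python example; this is not code from the patent. Assumptions made here: k is taken as floor(V / T) with T the object total traffic threshold, the change amount is the absolute difference of the two traffic upper bounds, candidate objects are read from the auxiliary queues of target buckets in either interval, and the SHA-256 row mapping, the class and function names and the sample stream are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Bucket:
    V: int = 0                             # total traffic of all elements mapped here
    A: dict = field(default_factory=dict)  # auxiliary queue: object -> object total traffic
    L: int = 1                             # maximum allowable capacity (preset value)
    e: int = 0                             # object traffic estimation error

    def update(self, x, v, T):
        """Record information update for one element (x, v)."""
        self.V += v
        if x in self.A:                    # already recorded: superimpose v
            self.A[x] += v
        elif len(self.A) < self.L:         # capacity left: record x with value v
            self.A[x] = v
        else:
            k = self.V // T                # ASSUMPTION: expansion rounds k = floor(V / T)
            cap = (k + 1) * (k + 2) - 1
            if cap > self.L:               # expansion condition met: grow, then record x
                self.L = cap
                self.A[x] = v
            else:                          # otherwise move the minimum into the error term
                m = min(v, min(self.A.values()))
                self.e += m
                self.A = {y: c - m for y, c in self.A.items() if c > m}
                if len(self.A) < self.L:   # a zero-valued entry was deleted
                    self.A[x] = v          # the page assigns v to the new entry

    def bounds(self, x):
        low = self.A.get(x, 0)             # lower bound: recorded value, else zero
        return low, low + self.e           # upper bound = lower bound + e


class Sketch:
    """Data structure table of rows x cols buckets kept by one working node."""

    def __init__(self, rows, cols, T):
        self.rows, self.cols, self.T = rows, cols, T
        self.table = [[Bucket() for _ in range(cols)] for _ in range(rows)]

    def _bucket(self, i, x):
        # ASSUMPTION: per-row mapping algorithm = SHA-256 over (row index, object)
        h = hashlib.sha256(f"{i}|{x}".encode()).digest()
        return self.table[i][int.from_bytes(h[:8], "big") % self.cols]

    def add(self, x, v):
        for i in range(self.rows):
            self._bucket(i, x).update(x, v, self.T)

    def upper_bounds(self, x):
        return [self._bucket(i, x).bounds(x)[1] for i in range(self.rows)]

    def candidates(self, first_threshold):
        """Objects recorded in target buckets (total traffic >= first threshold)."""
        return {x for row in self.table for b in row
                if b.V >= first_threshold for x in b.A}


def heavy_hitters(sk, first_threshold, second_threshold, r1):
    """Large traffic objects: at least r1 of the r upper bounds reach the threshold."""
    return {x for x in sk.candidates(first_threshold)
            if sum(u >= second_threshold for u in sk.upper_bounds(x)) >= r1}


def heavy_changers(prev, cur, first_threshold, third_threshold, r2):
    """Large change objects across two consecutive time intervals."""
    found = set()
    # ASSUMPTION: candidates come from target buckets of either interval, and the
    # change amount is the absolute difference of the two upper bounds.
    for x in prev.candidates(first_threshold) | cur.candidates(first_threshold):
        changes = [abs(a - b) for a, b in zip(cur.upper_bounds(x), prev.upper_bounds(x))]
        if sum(d >= third_threshold for d in changes) >= r2:
            found.add(x)
    return found


def build_interval(heavy, rows=3, cols=4, T=500):
    """Constructed sample interval: 40 small objects (2 units each) and one
    heavy object sending 5 elements of 200 units."""
    sk = Sketch(rows, cols, T)
    for j in range(40):
        sk.add(f"10.0.1.{j}", 2)
        if j % 8 == 7:
            sk.add(heavy, 200)
    return sk


if __name__ == "__main__":
    prev, cur = build_interval("10.0.0.1"), build_interval("10.0.0.2")
    print("large traffic objects:", heavy_hitters(cur, 500, 500, r1=2))
    print("large change objects :", sorted(heavy_changers(prev, cur, 500, 500, r2=2)))
```

Because every subtraction from the auxiliary queue is added to e, the upper bound never falls below an object's true traffic in the bucket, which is why a small object that shares a bucket with a heavy one is not flagged on the bucket total alone.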
  • a working node 7 is provided to perform the method for identifying an abnormal IP data flow shown in FIG. 1 , where the working node 7 includes:
  • the receiving unit 71 is configured to receive, in the current time interval, Y elements sent by the data collection node, where Y ≥ 1, and Y is an integer;
  • the mapping unit 72 is configured to map the Y elements into N buckets according to a mapping algorithm; where N ≥ 1, and N is an integer;
  • the first obtaining unit 73 is configured to acquire, as the target bucket, a bucket whose total traffic of all the elements mapped in the N buckets is greater than or equal to the first threshold.
  • a second obtaining unit 74, configured to acquire r traffic upper bounds of the first object in the r buckets to which it is mapped in the current time interval, where the first object is any object mapped to the target bucket, each of the r buckets includes one traffic upper bound for the first object, r ≥ 1, and r is an integer;
  • the identifying unit 75 is configured to identify, according to the preset type of the abnormal object and the r traffic upper bounds in the current time interval, whether the first object is an abnormal object; the preset type of the abnormal object is a large traffic object or a large change object.
  • the type of the preset abnormal object is a large traffic object; the identifying unit 75 is specifically configured to: when r1 of the r traffic upper bounds in the current time interval are greater than or equal to the second threshold, determine that the first object is a large traffic object; where r ≥ r1 ≥ 1.
  • the type of the preset abnormal object is a large change object; as shown in FIG. 8, the working node 7 further includes:
  • a third obtaining unit 76 configured to acquire r traffic upper bounds of the first object in the r buckets that are mapped in the previous time interval of the current time interval;
  • the identifying unit 75 is configured to: obtain, according to the r traffic upper bounds in the current time interval and the r traffic upper bounds in the previous time interval, the change amounts of the r traffic upper bounds; and when r2 of the change amounts of the r traffic upper bounds are greater than or equal to the third threshold, determine that the first object is a large change object; where r ≥ r2 ≥ 1.
  • the elements of the first object are distributed on d working nodes including the working node 7, d ≥ 2, and d is an integer; the d working nodes identify d abnormal object sets, each working node identifying one abnormal object set;
  • the receiving unit 71 is further configured to receive the d-1 abnormal object sets sent by the other d-1 working nodes, and, when d1 abnormal object sets among the d abnormal object sets all include the first object, the first object is determined to be a target abnormal object; where d ≥ d1 ≥ 1;
  • the working node 7 further includes: a sending unit 77, configured to send the abnormal object set identified by the working node to the control node, so that the control node determines that the first object is a target abnormal object when d2 abnormal object sets among the d abnormal object sets all include the first object; where d ≥ d2 ≥ 1.
  • the mapping unit 72 is specifically configured to map, according to a mapping algorithm, any element for the first object among the Y elements into a first bucket, where the first bucket refers to any bucket to which the first object can be mapped according to the mapping algorithm;
  • the working node 7 further includes: an updating unit 78, configured to update the record information included in the first bucket; the record information includes: the total traffic of all elements mapped to the first bucket and an auxiliary queue; where the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
  • the auxiliary queue is composed of the object total traffic of the objects mapped to the first bucket, and the first element includes a traffic value v of the first object, where the first element is an element for the first object;
  • the updating unit 78 is specifically configured to: when the auxiliary queue includes the object total traffic of the first object, superimpose v on the value of the object total traffic of the first object; or, when the auxiliary queue does not include the object total traffic of the first object, add the object total traffic of the first object to the auxiliary queue, and assign v to the object total traffic of the first object.
  • the auxiliary queue is composed of the object total traffic of the objects mapped to the first bucket, and the first element includes a traffic value v of the first object, where the first element is an element for the first object; the record information further includes a maximum allowable capacity of the auxiliary queue;
  • the updating unit 78 is specifically configured to: in the case that the value of the current capacity of the auxiliary queue is smaller than the value of the maximum allowable capacity, when the auxiliary queue does not include the object total traffic of the first object, add the object total traffic of the first object to the auxiliary queue, and assign v to the object total traffic of the first object.
  • the record information further includes a maximum allowable capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowable capacity of the auxiliary queue; as shown in FIG., the working node 7 further includes:
  • the expansion unit 79 is configured to expand, when the value of the maximum allowable capacity of the auxiliary queue meets a preset expansion condition, a storage space corresponding to the value of the maximum allowable capacity to a storage space corresponding to the value of the expanded capacity;
  • the updating unit 78 is specifically configured to assign the value of the expansion capacity to the maximum allowable capacity.
  • the auxiliary queue does not include the object total traffic of the first object, the record information further includes the maximum allowable capacity of the auxiliary queue and the object traffic estimation error of the first bucket, the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition, and the first element includes the traffic value v of the first object; where the first element is an element for the first object, and the object traffic estimation error of the first bucket is used to determine the traffic upper bound, in the first bucket, of an object mapped to the first bucket;
  • the working node 7 further includes:
  • a first determining unit 7A, configured to determine the minimum value among v and the values of the object total traffic of the objects in the auxiliary queue;
  • the updating unit 78 is specifically configured to: subtract the minimum value from the value of the object total traffic of each object in the auxiliary queue, and superimpose the minimum value on the value of the object traffic estimation error of the first bucket.
  • the updating unit 78 is further configured to:
  • the v is assigned to the total traffic of the object of the first object.
  • the working node 7 further includes:
  • the deleting unit 7B is configured to delete the first element when the auxiliary queue does not include the total traffic of the object with a value of zero.
  • the working node 7 further includes:
  • the second determining unit 7C is configured to determine whether the value L of the maximum allowable capacity of the auxiliary queue meets a preset expansion condition; specifically:
  • the value of the expansion capacity is (k+1)(k+2)-1.
  • the ⁇ refers to a preset total target flow threshold value of the first object; the ⁇ is a constant, and 0 ⁇ 1.
  • the first element is an element of the Y elements for the first object, specifically a last element for the first object;
  • the second obtaining unit 7C is specifically configured to: acquire an upper bound of the traffic of the first object in the first bucket; specifically, the method is:
  • the value of the object total traffic of the first object is used as the traffic lower bound of the first object in the first bucket; when the object total traffic of the first object is not in the auxiliary queue, a zero value is used as the traffic lower bound of the first object in the first bucket;
  • the working node 7 may specifically be a server or a device such as a PC.
  • the working node provided by the embodiment of the present invention obtains, as target buckets, the buckets for which the total traffic of all elements mapped in the current time interval is greater than or equal to the first threshold, and further identifies, according to the preset type of abnormal object and the obtained r traffic upper bounds of the first object in the r buckets to which it is mapped, whether the object is an abnormal object; wherein the first object is any object mapped to the target bucket.
  • the solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object, which effectively avoids the prior-art problem of erroneously identifying small traffic objects as large traffic objects when only the total traffic of all elements mapped to a bucket is used, thereby improving identification accuracy.
  • the transmitting unit in FIG. 8 may be a transmitter, the receiving unit may be a receiver, and the transmitter and receiver may be integrated to form a transceiver; the units other than the storage unit may be embedded, in hardware form, in a processor of the working node or be independent of it, or may be stored, in software form, in the memory of the working node so that the processor calls them to perform the operations corresponding to the above modules; the processor may be a central processing unit (CPU), a microprocessor, a microcontroller, etc.
  • a working node 9 is provided for performing the method for identifying an abnormal IP data flow shown in FIG. 1; the working node 9 includes: a memory 91, a processor 92, a receiver 93, and a bus system 94.
  • the memory 91, the processor 92 and the receiver 93 are coupled together by a bus system 94.
  • the bus system 94 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 94 in the figure.
  • the memory 91 is configured to store a set of codes for controlling the processor 92 and the receiver 93 to perform corresponding actions, specifically:
  • the receiver 93 is configured to receive, in the current time interval, Y elements sent by the data collection node, where Y≥1, Y is an integer;
  • the processor 92 is configured to perform the following actions:
  • mapping the Y elements into N buckets according to a mapping algorithm, wherein N≥1, N is an integer
  • the type of the preset abnormal object is a large traffic object
  • the processor 92 is specifically configured to: when r1 of the r traffic upper bounds in the current time interval are all greater than or equal to the second threshold, determine that the first object is a large traffic object; wherein r≥r1≥1.
  • the type of the preset abnormal object is a large change object; the processor 92 is further configured to: acquire the r traffic upper bounds of the first object in the r buckets to which it is mapped in the time interval preceding the current time interval;
  • the processor 92 is specifically configured to:
  • the elements for the first object are distributed on d working nodes including the working node, d≥2, and d is an integer; the d working nodes identify d abnormal object sets, and each working node identifies one abnormal object set;
  • the receiver 93 is further configured to: receive d-1 abnormal object sets sent by the other d-1 working nodes, and when d1 of the d abnormal object sets all include the first object, determine that the first object is a target abnormal object; wherein d≥d1≥1;
  • the working node 9 further includes: a transmitter 94, configured to send to the control node the abnormal object set identified by the working node, so that the control node determines that the first object is the target abnormal object when d2 of the d abnormal object sets all include the first object; wherein d≥d2≥1.
  • the processor 92 is specifically configured to: map, according to a mapping algorithm, any element for the first object among the Y elements into a first bucket; wherein the first bucket refers to any bucket to which the first object can be mapped according to the mapping algorithm;
  • the processor 92 is further configured to: update the record information included in the first bucket; the record information includes: the total traffic of all elements mapped to the first bucket and an auxiliary queue; wherein the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
  • the auxiliary queue is composed of an object total traffic mapped to an object in the first bucket, where the first element includes a traffic value v of the first object, where the first element is for the The element of the first object; the processor 92 is specifically configured to:
  • when the auxiliary queue does not include the total object traffic of the first object, adding the total object traffic of the first object to the auxiliary queue, and assigning the v to the total object traffic of the first object.
  • the auxiliary queue is composed of an object total traffic mapped to an object in the first bucket, where the first element includes a traffic value v of the first object, where the first element is for the An element of the first object;
  • the record information further includes a maximum allowable capacity of the auxiliary queue;
  • the processor 92 is specifically configured to: if the value of the current capacity of the auxiliary queue is less than the value of the maximum allowable capacity, when the auxiliary queue does not include the total object traffic of the first object, add the total object traffic of the first object to the auxiliary queue, and assign the v to the total object traffic of the first object.
  • the record information further includes a maximum allowable capacity of the auxiliary queue,
  • the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowed capacity of the auxiliary queue;
  • the processor 92 is further configured to: when the value of the maximum allowable capacity of the auxiliary queue meets a preset expansion condition, expand the storage space corresponding to the value of the maximum allowable capacity to the storage space corresponding to the value of the expansion capacity; and assign the value of the expansion capacity to the maximum allowable capacity.
  • the auxiliary queue does not include the total object traffic of the first object
  • the record information further includes a maximum allowable capacity of the auxiliary queue and an object traffic estimation error of the first bucket, where the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition, and the first element includes the flow value v of the first object; wherein the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the upper bound, in the first bucket, of the traffic of an object mapped to the first bucket;
  • the processor 92 is further configured to determine a minimum value of values of the total flow of objects of the object in the v and the auxiliary queue;
  • the processor 92 is specifically configured to: subtract the minimum value from the value of the total object traffic of each object in the auxiliary queue, and add the minimum value to the value of the object flow estimation error of the first bucket.
  • processor 92 is further configured to:
  • when the auxiliary queue contains a total object traffic whose value is zero, delete the total object traffic whose value is zero;
  • the v is assigned to the total traffic of the object of the first object.
  • the processor 92 is further configured to delete the first element when the auxiliary queue does not include the total traffic of the object with a value of zero.
  • the processor 92 is further configured to: determine whether the value L of the maximum allowable capacity of the auxiliary queue meets a preset expansion condition; specifically:
  • the value of the expansion capacity is (k+1)(k+2)-1.
  • the φ refers to a preset object total traffic threshold of the first object; the ε is a constant, and 0<ε≤1.
  • the first element is an element of the Y elements for the first object, specifically a last element for the first object, and the processor 92 is specifically configured to acquire the upper bound of the traffic of the first object in the first bucket; specifically:
  • when the total object traffic of the first object is in the auxiliary queue, the value of the total object traffic of the first object is used as the lower bound of the traffic of the first object in the first bucket; when the total object traffic of the first object is not in the auxiliary queue, a zero value is used as the lower bound of the traffic of the first object in the first bucket;
  • the working node 7 may specifically be a server or a device such as a PC.
  • the working node provided by the embodiment of the present invention obtains, as target buckets, the buckets for which the total traffic of all elements mapped in the current time interval is greater than or equal to the first threshold, and further identifies, according to the preset type of abnormal object and the obtained r traffic upper bounds of the first object in the r buckets to which it is mapped, whether the object is an abnormal object; wherein the first object is any object mapped to the target bucket.
  • the solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object, which effectively avoids the prior-art problem of erroneously identifying small traffic objects as large traffic objects when only the total traffic of all elements mapped to a bucket is used, thereby improving identification accuracy.
  • the embodiment of the present invention further provides a system for identifying an abnormal IP data stream, including: one or more data collection nodes, and one or more working nodes, wherein the working node may be any one of the foregoing embodiments.
  • the functions of the data collection node/work node and the actions performed to implement the function may refer to relevant parts of the foregoing embodiments, and details are not described herein again.
  • FIG. 11 is a system block diagram of identifying an abnormal IP data flow according to an embodiment of the present invention.
  • the system may further include a control node, where the function of the control node and the action performed by the function may be referred to the relevant parts of the foregoing embodiment, and details are not described herein again.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the unit described as a separate component may or may not be physically divided
  • the components displayed as the unit may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the above-described integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium.
  • the software functional units described above are stored in a storage medium and include instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform portions of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

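Embodiments of the present invention disclose a method, apparatus, and system for identifying an abnormal IP data flow, relating to the field of communications and intended to improve identification accuracy. The method provided by the embodiments includes: receiving, within a current time interval, Y elements sent by a data collection node; mapping the Y elements into N buckets according to a mapping algorithm; obtaining, as target buckets, those of the N buckets for which the total traffic of all mapped elements is greater than or equal to a first threshold; obtaining r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to a target bucket and each of the r buckets contains one traffic upper bound for the first object; and identifying, according to a preset type of abnormal object and the r traffic upper bounds within the current time interval, whether the first object is an abnormal object, the preset type of abnormal object being a large traffic object or a large change object.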

Description

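Method, apparatus, and system for identifying an abnormal IP data flow
Technical Field
The present invention relates to the field of communications, and in particular to a method, apparatus, and system for identifying an abnormal IP data flow.
Background
The combination of the Internet and MBB (Mobile Broadband), together with the large-scale rollout and adoption of smart devices such as smart terminals and tablet computers, has caused MBB data network traffic to grow substantially. At the same time it has brought a new problem: network anomalies of all kinds occur frequently. Network anomalies include abnormal traffic, network attacks, viruses, and so on, and abnormal traffic includes large traffic objects (heavy hitters) and large change objects (heavy changers). These have a significant negative effect on network utilization, network performance, and user experience, and also bring risks such as disclosure of critical information and damage to systems and terminals.
Among the various network anomalies, large traffic objects and large change objects are the two most important types. A large traffic object is a data flow that appears frequently in the network; this document defines it as a data flow whose overall traffic is large. A large change object is a data flow whose main features (including size, port number, protocol number, and so on) change greatly within a given time period. An IP data flow object (hereinafter "object") is defined by the five-tuple of an IP (Internet Protocol) packet: source IP, destination IP, source port, destination port, and protocol number.
At present, a method for identifying abnormal network traffic includes: 1) a data collection node randomly sends the collected elements for different objects to one or more working nodes, where the relationship between an object and an element can be expressed as "element (object, value)", that is, element (key, value); the "value" contained in an element may be the traffic value of the element, or information that can represent the traffic value of the element (for example, the number of data packets the element contains); 2) a working node maps the received elements, according to a mapping algorithm, into a data structure table made up of multiple buckets, and at the end of each time interval reports to a control node the total traffic of the elements mapped to each bucket within that time interval, where elements for the same object are generally mapped to the same bucket and, because the number of objects is very large, different objects may be mapped to the same bucket to save the storage space occupied by the data structure table; 3) the control node aggregates the information reported by the working nodes, and when the total traffic of the elements mapped to all buckets for a certain class of objects is greater than a threshold, identifies all objects of that class as large traffic objects, where the class of objects refers to objects that are mapped to the same bucket in the same working node.
In the above method, when the total traffic of the elements mapped to all buckets for a class of objects is greater than a threshold, all objects of that class are regarded as large traffic objects. However, the reason that total exceeds the threshold may be that the class consists of many small traffic objects. Identification using the above method therefore erroneously identifies these small traffic objects as large traffic objects; that is, the identification accuracy of the above method is low.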
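Summary
Embodiments of the present invention provide a method, apparatus, and system for identifying an abnormal IP data flow, so as to improve identification accuracy.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
According to a first aspect, a method for identifying an abnormal IP data flow is provided, applied in a working node, the method including:
receiving, within a current time interval, Y elements sent by a data collection node, where Y≥1 and Y is an integer;
mapping the Y elements into N buckets according to a mapping algorithm, where N≥1 and N is an integer;
obtaining, as target buckets, those of the N buckets for which the total traffic of all mapped elements is greater than or equal to a first threshold;
obtaining r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to a target bucket, each of the r buckets contains one traffic upper bound for the first object, r≥1, and r is an integer;
identifying, according to a preset type of abnormal object and the r traffic upper bounds within the current time interval, whether the first object is an abnormal object, where the preset type of abnormal object is a large traffic object or a large change object.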
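With reference to the first aspect, in a first possible implementation, the preset type of abnormal object is a large traffic object, and the identifying, according to the preset type of abnormal object and the r traffic upper bounds within the current time interval, whether the first object is an abnormal object includes:
when r1 of the r traffic upper bounds within the current time interval are all greater than or equal to a second threshold, determining that the first object is a large traffic object, where r≥r1≥1.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the preset type of abnormal object is a large change object, and the method further includes:
obtaining r traffic upper bounds of the first object in the r buckets to which it is mapped within the time interval preceding the current time interval;
the identifying, according to the preset type of abnormal object and the r traffic upper bounds within the current time interval, whether the first object is an abnormal object includes:
obtaining the changes in the r traffic upper bounds according to the r traffic upper bounds within the current time interval and the r traffic upper bounds within the preceding time interval;
when r2 of the changes in the r traffic upper bounds are all greater than or equal to a third threshold, determining that the first object is a large change object, where r≥r2≥1.
With reference to any one of the first aspect, the first possible implementation of the first aspect, or the second possible implementation, in a third possible implementation, the elements for the first object are distributed over d working nodes including the working node, d≥2, d is an integer, the d working nodes identify d abnormal object sets, and each working node identifies one abnormal object set; after the identifying, according to the preset type of abnormal object and the r traffic upper bounds within the current time interval, whether the first object is an abnormal object, the method further includes:
receiving d-1 abnormal object sets sent by the other d-1 working nodes, and when d1 of the d abnormal object sets all contain the first object, determining that the first object is a target abnormal object, where d≥d1≥1;
or, sending the abnormal object set identified by the working node to a control node, so that the control node determines that the first object is a target abnormal object when d2 of the d abnormal object sets all contain the first object, where d≥d2≥1.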
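With reference to any one of the first aspect, the first possible implementation of the first aspect, or the third possible implementation, in a fourth possible implementation, the mapping the Y elements into N buckets according to a mapping algorithm includes:
mapping, according to the mapping algorithm, any element for the first object among the Y elements into a first bucket, where the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm;
the method further includes:
updating the record information contained in the first bucket, where the record information includes the total traffic of all elements mapped to the first bucket and an auxiliary queue, and the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation, the auxiliary queue consists of the object total traffic of objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the updating the record information contained in the first bucket includes:
when the auxiliary queue contains the object total traffic of the first object, adding v to the value of the object total traffic of the first object; or
when the auxiliary queue does not contain the object total traffic of the first object, adding the object total traffic of the first object to the auxiliary queue and assigning v to the object total traffic of the first object.
With reference to the fourth possible implementation of the first aspect, in a sixth possible implementation, the auxiliary queue consists of the object total traffic of objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the record information further includes a maximum allowable capacity of the auxiliary queue; the updating the record information contained in the first bucket includes:
in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowable capacity, when the auxiliary queue does not contain the object total traffic of the first object, adding the object total traffic of the first object to the auxiliary queue and assigning v to the object total traffic of the first object.
With reference to the fifth possible implementation of the first aspect, in a seventh possible implementation, the record information further includes a maximum allowable capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowable capacity of the auxiliary queue; before the adding the object total traffic of the first object to the auxiliary queue, the method further includes:
when the value of the maximum allowable capacity of the auxiliary queue satisfies a preset expansion condition, expanding the storage space corresponding to the value of the maximum allowable capacity to the storage space corresponding to the value of an expansion capacity;
the updating the record information contained in the first bucket further includes:
assigning the value of the expansion capacity to the maximum allowable capacity.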
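With reference to any one of the fourth to seventh possible implementations of the first aspect, in an eighth possible implementation, the auxiliary queue does not contain the object total traffic of the first object, the record information further includes a maximum allowable capacity of the auxiliary queue and an object traffic estimation error of the first bucket, the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the traffic upper bound, in the first bucket, of an object mapped to the first bucket; before the updating the record information contained in the first bucket, the method further includes:
determining the minimum among v and the values of the object total traffic of the objects in the auxiliary queue;
the updating the record information contained in the first bucket includes:
subtracting the minimum from the value of the object total traffic of each object in the auxiliary queue, and adding the minimum to the value of the object traffic estimation error of the first bucket.
With reference to the eighth possible implementation of the first aspect, in a ninth possible implementation, when the auxiliary queue contains an object total traffic whose value is zero, the updating the record information contained in the first bucket further includes:
deleting the object total traffic whose value is zero;
adding the object total traffic of the first object to the auxiliary queue;
assigning v to the object total traffic of the first object.
With reference to the eighth or ninth possible implementation of the first aspect, in a tenth possible implementation, when the auxiliary queue does not contain an object total traffic whose value is zero, the method further includes:
deleting the first element.
With reference to the seventh or eighth possible implementation of the first aspect, in an eleventh possible implementation, the method further includes:
determining whether the value L of the maximum allowable capacity of the auxiliary queue satisfies the preset expansion condition, which specifically includes:
determining the current expansion round k;
when (k+1)(k+2)-1>L, determining that the value of the maximum allowable capacity of the auxiliary queue satisfies the preset expansion condition;
when (k+1)(k+2)-1≤L, determining that the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition;
the value of the expansion capacity is (k+1)(k+2)-1.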
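With reference to the eleventh possible implementation of the first aspect, in a twelfth possible implementation, the determining the current expansion round k includes:
according to the formula
Figure PCTCN2014089939-appb-000001
determining the current expansion round k, where W is the total traffic of all elements mapped to the first bucket, obtained after the first element is mapped into the first bucket, and T is a dynamic expansion parameter; when the preset type of abnormal object is a large traffic object, T=φ; or, when the preset type of abnormal object is a large change object, T=εφ; where φ is a preset object total traffic threshold of the first object, and ε is a constant, 0<ε≤1.
With reference to the eighth possible implementation of the first aspect, in a thirteenth possible implementation, the first element is an element for the first object among the Y elements, specifically the last element for the first object;
the obtaining r traffic upper bounds of the first object in the r buckets to which it is mapped within the current time interval includes:
obtaining the traffic upper bound of the first object in the first bucket, which specifically includes:
when the object total traffic of the first object is in the auxiliary queue, using the value of the object total traffic of the first object as the traffic lower bound of the first object in the first bucket; when the object total traffic of the first object is not in the auxiliary queue, using zero as the traffic lower bound of the first object in the first bucket;
using the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.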
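According to a second aspect, a working node is provided, including:
a receiving unit, configured to receive, within a current time interval, Y elements sent by a data collection node, where Y≥1 and Y is an integer;
a mapping unit, configured to map the Y elements into N buckets according to a mapping algorithm, where N≥1 and N is an integer;
a first obtaining unit, configured to obtain, as target buckets, those of the N buckets for which the total traffic of all mapped elements is greater than or equal to a first threshold;
a second obtaining unit, configured to obtain r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to a target bucket, each of the r buckets contains one traffic upper bound for the first object, r≥1, and r is an integer;
an identifying unit, configured to identify, according to a preset type of abnormal object and the r traffic upper bounds within the current time interval, whether the first object is an abnormal object, where the preset type of abnormal object is a large traffic object or a large change object.
With reference to the second aspect, in a first possible implementation, the preset type of abnormal object is a large traffic object;
the identifying unit is specifically configured to: when r1 of the r traffic upper bounds within the current time interval are all greater than or equal to a second threshold, determine that the first object is a large traffic object, where r≥r1≥1.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the preset type of abnormal object is a large change object, and the working node further includes:
a third obtaining unit, configured to obtain r traffic upper bounds of the first object in the r buckets to which it is mapped within the time interval preceding the current time interval;
the identifying unit is specifically configured to: obtain the changes in the r traffic upper bounds according to the r traffic upper bounds within the current time interval and the r traffic upper bounds within the preceding time interval; and when r2 of the changes in the r traffic upper bounds are all greater than or equal to a third threshold, determine that the first object is a large change object, where r≥r2≥1.
With reference to any one of the second aspect, the first possible implementation of the second aspect, or the second possible implementation, in a third possible implementation, the elements for the first object are distributed over d working nodes including the working node, d≥2, d is an integer, the d working nodes identify d abnormal object sets, and each working node identifies one abnormal object set;
the receiving unit is further configured to receive d-1 abnormal object sets sent by the other d-1 working nodes, and when d1 of the d abnormal object sets all contain the first object, determine that the first object is a target abnormal object, where d≥d1≥1;
or, the working node further includes a sending unit, configured to send the abnormal object set identified by the working node to a control node, so that the control node determines that the first object is a target abnormal object when d2 of the d abnormal object sets all contain the first object, where d≥d2≥1.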
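With reference to any one of the second aspect, the first possible implementation of the second aspect, or the third possible implementation, in a fourth possible implementation,
the mapping unit is specifically configured to map, according to the mapping algorithm, any element for the first object among the Y elements into a first bucket, where the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm;
the working node further includes an updating unit, configured to update the record information contained in the first bucket, where the record information includes the total traffic of all elements mapped to the first bucket and an auxiliary queue, and the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
With reference to the fourth possible implementation of the second aspect, in a fifth possible implementation, the auxiliary queue consists of the object total traffic of objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object;
the updating unit is specifically configured to: when the auxiliary queue contains the object total traffic of the first object, add v to the value of the object total traffic of the first object; or, when the auxiliary queue does not contain the object total traffic of the first object, add the object total traffic of the first object to the auxiliary queue and assign v to the object total traffic of the first object.
With reference to the fourth possible implementation of the second aspect, in a sixth possible implementation, the auxiliary queue consists of the object total traffic of objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the record information further includes a maximum allowable capacity of the auxiliary queue;
the updating unit is specifically configured to: in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowable capacity, when the auxiliary queue does not contain the object total traffic of the first object, add the object total traffic of the first object to the auxiliary queue and assign v to the object total traffic of the first object.
With reference to the fifth possible implementation of the second aspect, in a seventh possible implementation, the record information further includes a maximum allowable capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowable capacity of the auxiliary queue; the working node further includes:
an expanding unit, configured to, when the value of the maximum allowable capacity of the auxiliary queue satisfies a preset expansion condition, expand the storage space corresponding to the value of the maximum allowable capacity to the storage space corresponding to the value of an expansion capacity;
the updating unit is specifically configured to assign the value of the expansion capacity to the maximum allowable capacity.
With reference to any one of the fourth to seventh possible implementations of the second aspect, in an eighth possible implementation, the auxiliary queue does not contain the object total traffic of the first object, the record information further includes a maximum allowable capacity of the auxiliary queue and an object traffic estimation error of the first bucket, the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the traffic upper bound, in the first bucket, of an object mapped to the first bucket; the working node further includes:
a first determining unit, configured to determine the minimum among v and the values of the object total traffic of the objects in the auxiliary queue;
the updating unit is specifically configured to subtract the minimum from the value of the object total traffic of each object in the auxiliary queue, and add the minimum to the value of the object traffic estimation error of the first bucket.
With reference to the eighth possible implementation of the second aspect, in a ninth possible implementation, when the auxiliary queue contains an object total traffic whose value is zero, the updating unit is further configured to:
delete the object total traffic whose value is zero;
add the object total traffic of the first object to the auxiliary queue;
assign v to the object total traffic of the first object.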
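With reference to the eighth or ninth possible implementation of the second aspect, in a tenth possible implementation, the working node further includes:
a deleting unit, configured to delete the first element when the auxiliary queue does not contain an object total traffic whose value is zero.
With reference to the seventh or eighth possible implementation of the second aspect, in an eleventh possible implementation, the working node further includes:
a second determining unit, configured to determine whether the value L of the maximum allowable capacity of the auxiliary queue satisfies the preset expansion condition, and specifically configured to:
determine the current expansion round k;
when (k+1)(k+2)-1>L, determine that the value of the maximum allowable capacity of the auxiliary queue satisfies the preset expansion condition;
when (k+1)(k+2)-1≤L, determine that the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition;
the value of the expansion capacity is (k+1)(k+2)-1.
With reference to the eleventh possible implementation of the second aspect, in a twelfth possible implementation, the second determining unit is specifically configured to: according to the formula
Figure PCTCN2014089939-appb-000002
determine the current expansion round k, where W is the total traffic of all elements mapped to the first bucket, obtained after the first element is mapped into the first bucket, and T is a dynamic expansion parameter; when the preset type of abnormal object is a large traffic object, T=φ; or, when the preset type of abnormal object is a large change object, T=εφ; where φ is a preset object total traffic threshold of the first object, and ε is a constant, 0<ε≤1.
With reference to the eighth possible implementation of the second aspect, in a thirteenth possible implementation, the first element is an element for the first object among the Y elements, specifically the last element for the first object;
the second obtaining unit is specifically configured to obtain the traffic upper bound of the first object in the first bucket, and specifically configured to:
when the object total traffic of the first object is in the auxiliary queue, use the value of the object total traffic of the first object as the traffic lower bound of the first object in the first bucket; when the object total traffic of the first object is not in the auxiliary queue, use zero as the traffic lower bound of the first object in the first bucket;
use the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.
According to a third aspect, a system for identifying an abnormal IP data flow is provided, including a data collection node and any working node provided in the second aspect, where the data collection node is configured to send the Y elements.
In the method, apparatus, and system for identifying an abnormal IP data flow provided by the embodiments of the present invention, the buckets for which the total traffic of all elements mapped within the current time interval is greater than or equal to the first threshold are obtained as target buckets, and whether an object is an abnormal object is further identified according to the preset type of abnormal object and the obtained r traffic upper bounds of the first object in the r buckets to which it is mapped, where the first object is any object mapped to a target bucket. The solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object. This effectively avoids the prior-art problem of erroneously identifying small traffic objects as large traffic objects, which arises when only the total traffic of all elements mapped to a bucket is used to identify whether an object is abnormal, and thereby improves identification accuracy.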
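Brief Description of the Drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for identifying an abnormal IP data flow according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of an element distribution and mapping process according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a record information update process according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a process in which a working node identifies abnormal traffic according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a process in which a control node identifies abnormal traffic according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of another process in which a working node identifies abnormal traffic according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a working node according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another working node according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of another working node according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of another working node according to an embodiment of the present invention;
FIG. 11 is a block diagram of a system for identifying an abnormal IP data flow according to an embodiment of the present invention;
FIG. 12 is a block diagram of another system for identifying an abnormal IP data flow according to an embodiment of the present invention.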
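Detailed Description
The technical solutions in the embodiments of the present invention are described clearly below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Note that the term "and/or" in this document merely describes an association between associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A alone, both A and B, or B alone. The character "/" in this document generally indicates an "or" relationship between the associated objects before and after it. The term "multiple" in this document means two or more.
Embodiment One
As shown in FIG. 1, a method for identifying an abnormal IP data flow provided by an embodiment of the present invention is applied in a working node, and the method includes:
101: Within a current time interval, receive Y elements sent by a data collection node, where Y≥1 and Y is an integer.
A "working node" and a "data collection node" may each be a device such as a server or a PC (Personal Computer). In addition, different working nodes and/or data collection nodes may be distributed on different CPUs (Central Processing Units) of the same device. Note that, for ease of description, the following uses the case in which different working nodes and/or data collection nodes are distributed on different devices as an example.
Each server or PC can act as a working node or a data collection node; however, within the same application scenario, the same node generally does not act as both a working node and a data collection node. An "application scenario" here may contain one or more data collection nodes and one or more working nodes.
Each element consists of an object and the value corresponding to that object, and an "element" can be written as element (object, value), that is, (key, value). The "value" contained in an element may be the traffic value of the element or information that can represent the traffic value of the element. Note that, unless otherwise stated, the "value" contained in an element below always refers to the traffic value of the element. The objects contained in different elements may be the same or different, and the values contained in different elements may be the same or different; for example: element 1 (object 1, value 1), element 2 (object 1, value 2), element 3 (object 2, value 3), element 4 (object 2, value 1), and so on.
Different elements for the same object generally come from the same data collection node or from a fixed few data collection nodes. In a specific implementation, each data collection node may distribute the different elements it collects to one or more preset working nodes according to a distribution rule; the embodiments of the present invention do not limit the specific distribution rule. The distribution rule may include: presetting, in the data collection node, the working nodes over which each object is distributed; when the data collection node obtains an element, it sends the element, according to the object the element is for, to one of the preset working nodes over which that object is distributed.
The embodiments of the present invention do not limit the value of the "current time interval".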
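102: Map the Y elements into N buckets according to a mapping algorithm, where N≥1 and N is an integer.
To describe the technique provided by the embodiments of the present invention clearly, the "data structure table" is explained first. The data structure table is stored in a storage unit of the working node and consists of buckets arranged in I rows and J columns, where I≥1, J≥1, and I and J are integers. Each row of the data structure table corresponds to one hash function, which maps an element received by the working node into one bucket of that row. The data structure table may specifically be a sketch data structure. A "bucket" is a storage unit used to store each element of the I×J matrix; a person skilled in the art should understand that "element of the matrix" here is not the same concept as "element" elsewhere in this document. In a specific implementation, the values of I and J are related to the amount of memory occupied and may be determined by methods in the prior art.
Exemplarily, step 102 may include: the working node maps each of the Y elements into each row according to the mapping algorithm corresponding to that row of the data structure table (that is, the hash function corresponding to that row). In a specific implementation, the working node may, on receiving each element, immediately map that element into each row according to the mapping algorithm corresponding to that row. The embodiments of the present invention do not limit the specific mapping algorithm, which may be a mapping algorithm in the prior art.
Because the mapping algorithm maps according to the object, in any row of the data structure table, different elements for the same object (that is, different elements containing the same object) are generally mapped to the same bucket, and different elements for different objects are generally mapped to different buckets. Note that, in a specific implementation, on the one hand, because the number of buckets is relatively small and the number of objects is relatively large, different objects often need to be mapped to the same bucket; on the other hand, because different objects can yield the same value after being mapped by the mapping algorithm, elements for different objects may also be mapped to the same bucket in any row of the data structure table.
103: Obtain, as target buckets, those of the N buckets for which the total traffic of all mapped elements is greater than or equal to a first threshold.
The working node may determine the first threshold according to the computing capability of the working node in the actual network environment: the greater the computing capability of the working node, the smaller the first threshold, and the smaller the computing capability, the larger the first threshold; the first threshold must ensure that at least one target bucket is selected among the N buckets. Specifically, when a target network environment used to implement a certain function requires that abnormal objects account for no more than a threshold percentage of total traffic, the working node may determine the first threshold according to that threshold and the actual network environment. Note that the percentage of total traffic that abnormal traffic may account for, as required by different target network environments, may be the same or different; optionally, that percentage may be 1%. There may be one or more target buckets. For each bucket, the working node may record the total traffic of all elements mapped to that bucket.
104: Obtain r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to a target bucket, each of the r buckets contains one traffic upper bound for the first object, r≥1, and r is an integer.
The "r buckets" may be any r buckets to which the first object is mapped, and may specifically be the buckets to which the first object is mapped in each row of the data structure table, that is, r=I. For each bucket, the working node may record the traffic upper bound of each object mapped to that bucket.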
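Optionally, step 102 may include: mapping, according to the mapping algorithm, any element for the first object among the Y elements into a first bucket of the M buckets, where the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm. In this case, the method further includes: updating the record information contained in the first bucket, where the record information includes the total traffic of all elements mapped to the first bucket and an auxiliary queue, and the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
Exemplarily, on receiving each of the Y elements, the working node may update the record information contained in the bucket to which that element is mapped. The "object traffic value of an object" refers to the total traffic of all elements for that object. The "auxiliary queue" consists of the object total traffic of some or all of the objects mapped to the first bucket; for when it consists of the object total traffic of all objects, when it consists of that of only some objects, and which objects those are in the latter case, see the specific embodiments below.
Optionally, a first element contains a traffic value v of the first object, where the first element is an element for the first object, specifically any element for the first object among the Y elements; the updating the record information contained in the first bucket may include: when the auxiliary queue contains the object total traffic of the first object, adding v to the value of the object total traffic of the first object; or, when the auxiliary queue does not contain the object total traffic of the first object, adding the object total traffic of the first object to the auxiliary queue and assigning v to the object total traffic of the first object.
Note that in this optional manner, "the traffic upper bound of the first object in a bucket to which it is mapped within the current time interval" is the value of the object total traffic of the first object in the record information contained in that bucket, as obtained by the working node at the end of the current time interval.
Optionally, the size of the storage space of the data structure table can be limited by setting a maximum allowable capacity for the auxiliary queue, to avoid the storage space of the data structure table becoming too large because the auxiliary queues in the buckets grow too large. Specifically: the auxiliary queue consists of the object total traffic of objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the record information further includes the maximum allowable capacity of the auxiliary queue; the updating the record information contained in the first bucket includes: in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowable capacity, when the auxiliary queue does not contain the object total traffic of the first object, adding the object total traffic of the first object to the auxiliary queue and assigning v to the object total traffic of the first object.
Optionally, for the case where the value of the current capacity of the auxiliary queue is greater than or equal to the value of its maximum allowable capacity, the present invention further provides an embodiment that appropriately expands the storage space occupied by the auxiliary queue (that is, the storage space corresponding to the value of the maximum allowable capacity of the auxiliary queue). Specifically: the record information further includes the maximum allowable capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowable capacity of the auxiliary queue; before the adding the object total traffic of the first object to the auxiliary queue, the method may further include: when the value of the maximum allowable capacity of the auxiliary queue satisfies a preset expansion condition, expanding the storage space corresponding to the value of the maximum allowable capacity to the storage space corresponding to the value of an expansion capacity. In this case, the updating the record information contained in the first bucket further includes: assigning the value of the expansion capacity to the maximum allowable capacity of the auxiliary queue.
Exemplarily, the embodiments of the present invention do not limit the specific content of, or the way of determining, the "preset expansion condition" and the "value of the expansion capacity", which may be determined from empirical values. One optional implementation is as follows. The method may further include: determining whether the value L of the maximum allowable capacity of the auxiliary queue satisfies the preset expansion condition, which specifically includes: determining the current expansion round k; when (k+1)(k+2)-1>L, determining that the value of the maximum allowable capacity of the auxiliary queue satisfies the preset expansion condition; when (k+1)(k+2)-1≤L, determining that the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition. In this case, the value of the expansion capacity is (k+1)(k+2)-1. The preset expansion condition and the value of the expansion capacity may also be determined from other empirical values.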
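Exemplarily, the determining the current expansion round k may include: according to the formula
Figure PCTCN2014089939-appb-000003
determining the current expansion round k, where W is the total traffic of all elements mapped to the first bucket, obtained after the first element is mapped into the first bucket, and T is a dynamic expansion parameter; when the preset type of abnormal object is a large traffic object, T=φ; or, when the preset type of abnormal object is a large change object, T=εφ; where φ is a preset object total traffic threshold of the first object, and ε is a constant, 0<ε≤1. Exemplarily, the object total traffic thresholds of different objects may be the same or different.
As another option, the auxiliary queue does not contain the object total traffic of the first object, the record information further includes the maximum allowable capacity of the auxiliary queue and the object traffic estimation error of the first bucket, the value of the maximum allowable capacity of the auxiliary queue does not satisfy the preset expansion condition, and the first element contains the traffic value v of the first object. Before the updating the record information contained in the first bucket, the method may further include: determining the minimum among v and the values of the object total traffic of the objects in the auxiliary queue. In this case, the updating the record information contained in the first bucket includes: subtracting the minimum from the value of the object total traffic of each object in the auxiliary queue, and adding the minimum to the object traffic estimation error of the first bucket.
Exemplarily, for the "preset expansion condition" in this optional manner and the way it is determined, refer to the description above. In this optional manner, when the auxiliary queue contains an object total traffic whose value is zero, the updating the record information contained in the first bucket may further include: deleting the object total traffic whose value is zero; adding the object total traffic of the first object to the auxiliary queue; and assigning v to the object total traffic of the first object. In addition, when the auxiliary queue does not contain an object total traffic whose value is zero, the method may further include: deleting the first element.
Note that in this optional manner, "the traffic upper bound of the first object in a bucket to which it is mapped within the current time interval" can be obtained as follows:
The first element is an element for the first object among the Y elements, specifically the last element for the first object. In this case, step 104 may include: obtaining the traffic upper bound of the first object in the first bucket, which specifically includes: when the object total traffic of the first object is in the auxiliary queue, using the value of the object total traffic of the first object as the traffic lower bound of the first object in the first bucket; when the object total traffic of the first object is not in the auxiliary queue, using zero as the traffic lower bound of the first object in the first bucket; and using the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.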
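105: Identify, according to a preset type of abnormal object and the r traffic upper bounds within the current time interval, whether the first object is an abnormal object, where the preset type of abnormal object is a large traffic object or a large change object.
Optionally, the preset type of abnormal object is a large traffic object. In this case, step 104 may include: when r1 of the r traffic upper bounds within the current time interval are all greater than or equal to a second threshold, determining that the first object is a large traffic object, where r≥r1≥1.
As another option, the preset type of abnormal object is a large change object. In this case, the method may further include: obtaining r traffic upper bounds of the first object in the r buckets to which it is mapped within the time interval preceding the current time interval. In this case, step 105 may include: obtaining the changes in the r traffic upper bounds according to the r traffic upper bounds within the current time interval and the r traffic upper bounds within the time interval preceding the current time interval; and when r2 of the changes in the r traffic upper bounds are all greater than or equal to a third threshold, determining that the first object is a large change object, where r≥r2≥1.
The working node may determine the second threshold according to the computing capability of the working node in the actual network environment: the greater the computing capability of the working node, the smaller the second threshold, and the smaller the computing capability, the larger the second threshold; the second threshold must ensure that at least one large traffic object is selected among the objects of the Y elements.
The working node may determine the third threshold according to the computing capability of the working node in the actual network environment: the greater the computing capability of the working node, the smaller the third threshold, and the smaller the computing capability, the larger the third threshold; the third threshold must ensure that at least one large change object is selected among the objects of the Y elements.
In a specific implementation, the second threshold and the third threshold may be the same or different.
Optionally, the elements for the first object are distributed over d working nodes including the working node, d≥2, d is an integer, the d working nodes identify d abnormal object sets, and each working node identifies one abnormal object set. To further improve identification accuracy, after step 104 the method may further include any one of the following three implementations:
Manner 1: receive d-1 abnormal object sets sent by the other d-1 working nodes, and when d1 of the d abnormal object sets all contain the first object, determine that the first object is a target abnormal object, where d≥d1≥1;
Manner 2: send the abnormal object set identified by the working node to a control node, so that the control node determines that the first object is a target abnormal object when d2 of the d abnormal object sets all contain the first object, where d≥d2≥1;
Manner 3: send the abnormal object set identified by the working node to any one of the other d-1 working nodes, so that that working node determines that the first object is a target abnormal object when d3 of the d abnormal object sets all contain the first object, where d≥d3≥1.
Exemplarily, for clarity of description, the concept of an "aggregation node" is introduced. The aggregation node aggregates the abnormal object sets obtained by the working nodes to determine the final abnormal objects (that is, the target abnormal objects). In other words, the aggregation node is the entity that determines the target abnormal object in Manners 1, 2, and 3 above; it may be any working node, or a node independent of the working nodes (such as the "control node" above). A working node may store in advance the identifier of the aggregation node for the first object, which it uses to send the abnormal object set to the aggregation node at the end of a time interval. The identifier of the aggregation node may be set in the aggregation node at the instruction of a user, or may be obtained from information received from a data collection node or any other node.
Note that an "abnormal object set" is a set made up of abnormal objects; for the way each working node determines each abnormal object in its abnormal object set, refer to the way abnormal objects are determined in steps 101-103 above.
In the method for identifying an abnormal IP data flow provided by the embodiments of the present invention, the working node obtains, as target buckets, the buckets for which the total traffic of all elements mapped within the current time interval is greater than or equal to the first threshold, and further identifies whether an object is an abnormal object according to the preset type of abnormal object and the obtained r traffic upper bounds of the first object in the r buckets to which it is mapped, where the first object is any object mapped to a target bucket. The solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object. This effectively avoids the prior-art problem of erroneously identifying small traffic objects as large traffic objects, which arises when only the total traffic of all elements mapped to a bucket is used to identify whether an object is abnormal, and thereby improves identification accuracy.
The method for identifying an abnormal IP data flow described above is illustrated below through specific embodiments.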
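Note that in the following two embodiments, the record information contained in any bucket of the data structure table includes: the total traffic of all elements mapped to the bucket, the auxiliary queue, the maximum allowable capacity of the auxiliary queue, and the object traffic estimation error of the bucket. At the start of the current time interval, the total traffic of all elements mapped to the bucket is 0, the object traffic estimation error of the bucket is 0, the value L of the maximum allowable capacity is a preset threshold, and the auxiliary queue contains the object traffic values of L empty objects. In addition, the control node and the working node are not the same node. Each of the following two embodiments includes these parts: the element distribution and mapping process, the record information update process, the working node identification process, and the control node identification process.
Embodiment 1
This embodiment is used to determine target large traffic objects; that is, the preset type of abnormal object is a large traffic object. Specifically, it includes:
(1) Element distribution and mapping process
Within the current time interval, the data collection node obtains Y elements in total. The element (x, vx) is used below as an example to describe the element distribution and mapping process, where x denotes object x and vx denotes the traffic value of object x.
As shown in FIG. 2, the element distribution and mapping process includes:
201: The data collection node obtains the element (x, vx).
202: Send the element to one of the d preset working nodes over which object x is distributed, where d≥1.
Exemplarily, the data collection node may store in advance the working nodes over which each object is distributed. The number of working nodes over which different objects are distributed may be the same or different, and the working nodes over which different objects are distributed may be entirely or partly the same, or entirely different. When the data collection node obtains an element, it determines, according to the object the element is for, the d working nodes over which that object is distributed, and sends the element to one of those d working nodes.
Note that the data collection node may determine the working nodes over which an object is distributed according to attribute features of the object, which may include the five-tuple of the object. Specifically, a hash function is applied to the five-tuple information of each object to determine the working nodes over which each object is distributed. Because a hash function behaves randomly, the partitioning is uniform, which in turn ensures load balance across the system.
203: The working node that receives the element maps the element into each row according to the mapping algorithm corresponding to that row of the data structure table; the element is mapped into I buckets in total, where I is the number of rows of the data structure table, I≥1, and I is an integer.
Exemplarily, for each row of the data structure table, the working node that receives the element maps the element into one bucket of that row according to the mapping algorithm corresponding to that row.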
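(2) Record information update process
The working node that receives the element (x, vx) performs the record information update process for each of the I buckets; the update processes for the individual buckets may be performed one after another or simultaneously. The i-th bucket is used below as an example to describe the record information update process, where 1≤i≤I and i is an integer.
As shown in FIG. 3, the update process includes:
301: Add the traffic value vx of the element (x, vx) to the value of the total traffic of all elements in the i-th bucket.
Exemplarily, step 301 can be described as: updating the total traffic of all elements mapped to the i-th bucket.
302: Determine whether the object total traffic A[x] of object x is in the auxiliary queue.
If yes, this indicates that within the current time interval the working node has not yet received an element for object x, or has deleted all received elements for object x, and step 303 is performed; if no, this indicates that within the current time interval the working node has already received an element for object x and has not deleted, or has not completely deleted, the received elements for object x, and step 304 is performed.
303: Add the traffic value vx of the element (x, vx) to the value of the object total traffic of object x.
Exemplarily, step 303 can be described as: updating the object total traffic of object x.
After step 303 is performed, the record information update process for the element (x, vx) ends. In this case, the record information update process includes: updating the total traffic of all elements in the i-th bucket.
304: Determine whether the value of the current capacity of the auxiliary queue is less than L.
If yes, this indicates that the current capacity of the auxiliary queue has not yet reached the maximum allowable capacity, that is, an object total traffic for some object can still be added to the auxiliary queue, and step 305 is performed; if no, this indicates that the current capacity of the auxiliary queue has reached the maximum allowable capacity, and step 306 is performed.
Exemplarily, the value of the current capacity of the auxiliary queue is the number of object total traffic entries of non-empty objects contained in the auxiliary queue. L is the number of all object total traffic entries that the auxiliary queue is allowed to contain, specifically including the number of object total traffic entries of non-empty objects and/or the number of object total traffic entries of empty objects.
305: Add the object total traffic A[x] of object x to the auxiliary queue, with A[x]=vx.
Exemplarily, "adding the object total traffic A[x] of object x to the auxiliary queue" can be implemented as: updating the object total traffic of one empty object in the auxiliary queue to the object total traffic A[x] of object x. "A[x]=vx" can be described as: assigning vx to A[x], that is, using vx as the initial value of A[x].
After step 305 is performed, the record information update process for the element (x, vx) ends. In this case, the record information update process includes: updating the total traffic of all elements in the i-th bucket and the auxiliary queue.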
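306: According to the formula
Figure PCTCN2014089939-appb-000004
determine the current expansion round k, where W is the value of the total traffic of all elements mapped to the i-th bucket within the current time interval, T is the dynamic expansion parameter, T=φ, and φ is the preset object total traffic threshold of object x.
Exemplarily, the object total traffic threshold of object x may be preset in the following ways. Way 1: determine it from the expected number of large traffic objects; for example, if the expected number of large traffic objects is 100 and the maximum traffic of the network within a certain time is known to be S (bandwidth × time), the object total traffic threshold of object x may be S÷100. Way 2: use an adaptive algorithm (such as EWMA) to estimate the total traffic S′ in each time interval, and set the object total traffic threshold of object x to S′/100.
307: Determine whether (k+1)(k+2)-1 is greater than L.
If yes, this indicates that k and L satisfy the preset expansion condition, and step 308 is performed; if no, this indicates that k and L do not satisfy the preset expansion condition, and step 309 is performed.
308: Expand the storage space corresponding to L to the storage space corresponding to the value of the expansion capacity, assign (k+1)(k+2)-1 to the maximum allowable capacity, and add the object total traffic A[x] of object x to the auxiliary queue, with A[x]=vx.
Exemplarily, "expanding the storage space corresponding to L to the storage space corresponding to the value of the expansion capacity" can be implemented as: adding the object total traffic of (k+1)(k+2)-1 empty objects to the auxiliary queue. "Assigning (k+1)(k+2)-1 to the maximum allowable capacity" can be described as: updating the maximum allowable capacity.
After step 308 is performed, the record information update process for the element (x, vx) ends. In this case, the record information update process includes: updating the total traffic of all elements in the i-th bucket, the auxiliary queue, and the maximum allowable capacity of the auxiliary queue.
309: Determine the minimum among vx and the values of the object total traffic of the objects in the auxiliary queue.
310: Subtract the minimum from the value of the object total traffic of each object in the auxiliary queue, and add the minimum to the value of the object traffic estimation error of the i-th bucket.
Exemplarily, "adding the minimum to the value of the object traffic estimation error of the i-th bucket" can be described as: updating the object traffic estimation error of the i-th bucket. Note that when no element has yet been mapped to the i-th bucket, the value of the object traffic estimation error of the i-th bucket is 0.
311: Determine whether the auxiliary queue contains an object total traffic whose value is zero.
If yes, this indicates that the "minimum" in step 310 is the value of one or more object total traffic entries in the auxiliary queue; further, the auxiliary queue no longer needs to record the object total traffic whose value is zero and needs to record the object total traffic of object x, and step 312 is performed. If no, this indicates that the "minimum" in step 310 is vx; further, the object total traffic of object x does not need to be recorded at this moment, and step 313 is performed.
312: Delete the object total traffic whose value is zero, and add the object total traffic A[x] of object x to the auxiliary queue, with A[x]=vx.
Exemplarily, "deleting the object total traffic whose value is zero" can be implemented as: setting the object total traffic whose value is zero to the object total traffic of an empty object.
After step 312 is performed, the record information update process for the element (x, vx) ends. In this case, the record information update process includes: updating the total traffic of all elements in the i-th bucket, the auxiliary queue, the maximum allowable capacity of the auxiliary queue, and the object traffic estimation error of the i-th bucket.
313: Delete the element.
After step 313 is performed, the record information update process for the element (x, vx) ends. In this case, the auxiliary queue still does not contain A[x]. In this case, the record information update process includes: updating the total traffic of all elements in the i-th bucket, the auxiliary queue, the maximum allowable capacity of the auxiliary queue, and the object traffic estimation error of the i-th bucket.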
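(3) Worker node identification process
At the end of the current time interval, every worker node that received elements within the current time interval performs the worker node identification process. At this point, the record information in each bucket of each worker node's data structure table contains: the updated total traffic of the elements mapped to the bucket, the updated auxiliary queue, the updated maximum allowed capacity of the auxiliary queue, and the updated object traffic estimation error of the bucket.
As shown in FIG. 4, the worker node identification process includes:
401: The worker node determines, as target buckets, the buckets in its own data structure table whose updated total traffic of mapped elements is greater than or equal to the first threshold; the number of target buckets is N, where N≥1 and N is an integer.
It should be noted that, in a specific implementation, for one worker node the number of elements received within the current time interval is often far greater than the number of buckets in the data structure table. The worker node can therefore determine the target buckets by checking the total traffic of the elements mapped to each bucket in turn, without needing to determine the target buckets according to the objects that the elements are for.
402: Determine the I buckets to which each object mapped to the n-th target bucket is mapped within the current time interval, where 1≤n≤N and n is an integer.
It should be noted that step 402 is performed for each of the N target buckets.
For example, assume the data structure table contains 3×4 buckets, that is, 12 buckets in 3 rows and 4 columns, and the n-th target bucket is located in row 1, column 2 of the data structure table, so the n-th target bucket may be denoted as bucket 12. The objects mapped to bucket 12 include object x1, object x2, object x3, and object x4, and the buckets to which these 4 objects are mapped may be as shown in Table 1:
Table 1
Object  Buckets to which the object is mapped
x1  bucket 12, bucket 23, bucket 33
x2  bucket 12, bucket 21, bucket 31
x3  bucket 12, bucket 24, bucket 34
x4  bucket 12, bucket 24, bucket 31
The worker node identification process is described below taking the first object mapped to the n-th bucket as an example, and specifically includes steps 403-410.
403: Determine whether the total object traffic of the first object is in the auxiliary queue of the i-th bucket, where 1≤i≤I and i is an integer.
If yes, this indicates that the worker node deleted all elements for the first object when performing the record information update process, and step 404 is performed; if no, this indicates that the worker node did not delete the elements for the first object, or deleted only some of the elements for the first object, when performing the record information update process, and step 405 is performed.
It should be noted that steps 403-410 are performed for each object in the n-th bucket.
404: Use the value of the total object traffic of the first object in the i-th bucket as the traffic lower bound Sdown1 of the first object in the i-th bucket.
After step 404 is performed, step 406 is performed.
405: Use zero as the traffic lower bound Sdown1 of the first object in the i-th bucket.
406: Sup1=Sdown1+e, where Sup1 is the traffic upper bound of the first object in the i-th bucket within the current time interval, and e is the value of the object traffic estimation error of the i-th bucket.
407: Determine whether i is greater than or equal to I.
If no, step 408 is performed; if yes, step 409 is performed.
408: Increment i by 1.
After step 408 is performed, step 403 is performed.
409: Determine whether the traffic upper bounds of the first object in the I buckets are all greater than or equal to the second threshold.
If yes, this indicates that the first object is a large traffic object, and step 410 is performed; if no, this indicates that the first object is not a large traffic object, and the process ends.
410: Add the first object to the set of large traffic objects identified by the worker node.
After step 410 is performed, the identification process of the worker node for the first object ends.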
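The record information update process (steps 301-313) and the bound computation of steps 401-410, as an added Python example that is not code from the patent. The formula for k survives on this page only as a figure reference, so k = floor(W/T) is an assumption here, as are the initial capacity L = 0, the per-row SHA-256 mapping, and taking candidate objects from the auxiliary queues of target buckets.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Bucket:
    T: int                                  # dynamic expansion parameter T
    W: int = 0                              # total traffic of all elements in the bucket
    L: int = 0                              # maximum allowed capacity (initial 0 is assumed)
    e: int = 0                              # object traffic estimation error
    A: dict = field(default_factory=dict)   # auxiliary queue: object -> A[x]

    def update(self, x, vx):
        """Apply steps 301-313 to element (x, vx); return the terminating step."""
        self.W += vx                                    # 301
        if x in self.A:                                 # 302
            self.A[x] += vx                             # 303
            return 303
        if len(self.A) < self.L:                        # 304
            self.A[x] = vx                              # 305
            return 305
        k = self.W // self.T                            # 306: ASSUMED k = floor(W/T)
        expanded = (k + 1) * (k + 2) - 1
        if expanded > self.L:                           # 307
            self.L = expanded                           # 308
            self.A[x] = vx
            return 308
        m = min(vx, min(self.A.values()))               # 309
        for obj in self.A:                              # 310
            self.A[obj] -= m
        self.e += m
        zeros = [obj for obj, total in self.A.items() if total == 0]
        if zeros:                                       # 311
            for obj in zeros:                           # 312
                del self.A[obj]
            self.A[x] = vx
            return 312
        return 313                                      # element is dropped

    def bounds(self, x):
        """Steps 403-406: (lower bound, upper bound) of x in this bucket."""
        lower = self.A.get(x, 0)
        return lower, lower + self.e

class Worker:
    def __init__(self, rows, cols, T):
        self.rows, self.cols = rows, cols
        self.table = [[Bucket(T) for _ in range(cols)] for _ in range(rows)]

    def _bucket(self, i, x):
        # Assumed mapping algorithm: one salted SHA-256 per row of the table.
        digest = hashlib.sha256(f"{i}:{x}".encode()).digest()
        return self.table[i][int.from_bytes(digest[:4], "big") % self.cols]

    def receive(self, x, vx):
        for i in range(self.rows):
            self._bucket(i, x).update(x, vx)

    def large_traffic_objects(self, first_threshold, second_threshold):
        found = set()
        for row in self.table:
            for bucket in row:
                if bucket.W < first_threshold:          # 401: not a target bucket
                    continue
                for x in list(bucket.A):                # candidates (assumed: queue keys)
                    uppers = [self._bucket(i, x).bounds(x)[1] for i in range(self.rows)]
                    if all(u >= second_threshold for u in uppers):    # 409
                        found.add(x)                    # 410
        return found

def demo():
    # Constructed stream: one dominant object and three small ones.
    worker = Worker(rows=3, cols=4, T=100)
    for x, vx in [("heavy", 1000), ("a", 10), ("b", 10), ("c", 10)]:
        worker.receive(x, vx)
    return worker.large_traffic_objects(first_threshold=500, second_threshold=500)
```

A small object that shares a target bucket with the dominant one is still rejected, because its upper bound in that bucket stays below the second threshold; this is the false positive that checking bucket totals alone would produce.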
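(4) Control node identification process
As shown in FIG. 5, the control node identification process includes:
501: The control node receives the d large traffic object sets sent by the d worker nodes over which the first object is distributed.
502: Determine whether all of the d large traffic object sets contain the first object.
If yes, step 503 is performed; if no, the identification process of the control node for the first object ends.
503: Determine that the first object is a target large traffic object.
After step 503 is performed, the identification process of the control node for the first object ends.
In the method for identifying an abnormal IP data stream provided by this embodiment of the present invention, the worker node obtains, as target buckets, the buckets whose total traffic of all mapped elements within the current time interval is greater than or equal to the first threshold, further identifies whether the first object is a large traffic object according to the obtained r traffic upper bounds of the object in the r buckets to which it is mapped, and finally the control node aggregates the large traffic objects identified by each worker node to determine the target large traffic objects. This solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object. It can effectively avoid the prior-art problem in which small traffic objects are wrongly identified as large traffic objects because only the total traffic of all elements mapped to a bucket is used to identify whether an object is abnormal, thereby improving identification accuracy.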
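Embodiment 2
This embodiment is used to determine target large change objects, that is, the preset abnormal object type is the large change object. Specifically, it includes:
(1) Element distribution and mapping process
This process is the same as the "element distribution process" in Embodiment 1.
(2) Record information update process
This process differs from the "record information update process" in Embodiment 1 in that the dynamic expansion parameter T in step 308 above satisfies T=εφ in this embodiment, where ε is a constant and 0<ε≤1. The other steps are the same as in the "record information update process" in Embodiment 1.
(3) Worker node identification process
As shown in FIG. 6, the worker node identification process includes:
601-606: The same as steps 401-406 above.
607: Obtain the traffic lower bound Sdown2 and the traffic upper bound Sup2 of the first object in the i-th bucket to which it is mapped within the time interval preceding the current time interval.
For example, for the specific way in which the worker node obtains Sdown2 and Sup2, refer to the method for obtaining Sdown1 and Sup1 described above.
608: Obtain the change amount of the traffic upper bound of the first object in the i-th bucket, Di=max{Sup2-Sdown1,Sup1-Sdown2}.
609: Determine whether i is greater than or equal to I.
If no, step 610 is performed; if yes, step 611 is performed.
610: Increment i by 1.
After step 610 is performed, step 603 is performed.
611: Determine whether the change amounts of the traffic upper bound of the first object in the I buckets are all greater than or equal to the third threshold. The change amounts of the traffic upper bound of the first object in the I buckets include: D1, D2, …, Di, …, DI.
If yes, this indicates that the first object is a large change object, and step 612 is performed; if no, this indicates that the first object is not a large change object, and the process ends.
612: Add the first object to the set of large change objects identified by the worker node.
After step 612 is performed, the identification process of the worker node for the first object ends.
(4) Control node identification process
This process differs from the "control node identification process" in Embodiment 1 above in that the "large traffic object set" above is the "large change object set" in this embodiment, and the "target large traffic object" above is the "target large change object" in this embodiment.
It can be seen that the method for identifying large change objects provided by this embodiment can be implemented with simple changes to the method for identifying large traffic objects provided by Embodiment 1 above. In other words, the idea of the method for identifying an abnormal IP data stream provided by the embodiments of the present invention can be applied both to scenarios of identifying large traffic objects and to scenarios of identifying large change objects. This solves the problem in prior-art solutions that, because no time-interval reserved bit is set aside, a method for identifying large traffic objects cannot also be applied to identifying large change objects.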
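Embodiment Two
As shown in FIG. 7, an embodiment of the present invention provides a worker node 7, configured to perform the method for identifying an abnormal IP data stream shown in FIG. 1. The worker node 7 includes:
a receiving unit 71, configured to receive, within the current time interval, Y elements sent by a data collection node, where Y≥1 and Y is an integer;
a mapping unit 72, configured to map the Y elements to N buckets according to a mapping algorithm, where N≥1 and N is an integer;
a first acquisition unit 73, configured to obtain, as a target bucket, a bucket among the N buckets whose total traffic of all mapped elements is greater than or equal to a first threshold;
a second acquisition unit 74, configured to obtain r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to the target bucket, each of the r buckets contains 1 traffic upper bound for the first object, r≥1, and r is an integer;
an identification unit 75, configured to identify whether the first object is an abnormal object according to a preset abnormal object type and the r traffic upper bounds within the current time interval, where the preset abnormal object type is the large traffic object or the large change object.
Optionally, the preset abnormal object type is the large traffic object;
the identification unit 75 is specifically configured to determine that the first object is a large traffic object when r1 traffic upper bounds among the r traffic upper bounds within the current time interval are all greater than or equal to a second threshold, where r≥r1≥1.
Optionally, the preset abnormal object type is the large change object; as shown in FIG. 8, the worker node 7 further includes:
a third acquisition unit 76, configured to obtain r traffic upper bounds of the first object in the r buckets to which it is mapped within the time interval preceding the current time interval;
the identification unit 75 is specifically configured to: obtain r change amounts of the traffic upper bound according to the r traffic upper bounds within the current time interval and the r traffic upper bounds within the preceding time interval; and determine that the first object is a large change object when r2 change amounts among the r change amounts of the traffic upper bound are all greater than or equal to a third threshold, where r≥r2≥1.
Optionally, the elements for the first object are distributed over d worker nodes including the worker node 7, d≥2, d is an integer, the d worker nodes identify d abnormal object sets, and each worker node identifies 1 abnormal object set;
the receiving unit 71 is further configured to receive the d-1 abnormal object sets sent by the other d-1 worker nodes, and determine that the first object is a target abnormal object when d1 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d1≥1;
or, as shown in FIG. 8, the worker node 7 further includes a sending unit 77, configured to send the abnormal object set identified by the worker node to a control node, so that the control node determines that the first object is a target abnormal object when d2 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d2≥1.
Optionally, the mapping unit 72 is specifically configured to map any element for the first object among the Y elements to a first bucket according to the mapping algorithm, where the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm;
as shown in FIG. 8, the worker node 7 further includes an update unit 78, configured to update the record information contained in the first bucket; the record information includes the total traffic of all elements mapped to the first bucket and an auxiliary queue, where the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
Optionally, the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object;
the update unit 78 is specifically configured to: when the auxiliary queue contains the total object traffic of the first object, add v to the value of the total object traffic of the first object; or, when the auxiliary queue does not contain the total object traffic of the first object, add the total object traffic of the first object to the auxiliary queue and assign v to the total object traffic of the first object.
Optionally, the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the record information further includes the maximum allowed capacity of the auxiliary queue;
the update unit 78 is specifically configured to: in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowed capacity, when the auxiliary queue does not contain the total object traffic of the first object, add the total object traffic of the first object to the auxiliary queue and assign v to the total object traffic of the first object.
Optionally, the record information further includes the maximum allowed capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowed capacity of the auxiliary queue; as shown in FIG. 8, the worker node 7 further includes:
an expansion unit 79, configured to, when the value of the maximum allowed capacity of the auxiliary queue satisfies a preset expansion condition, expand the storage space corresponding to the value of the maximum allowed capacity into the storage space corresponding to the value of an expansion capacity;
the update unit 78 is specifically configured to assign the value of the expansion capacity to the maximum allowed capacity.
Optionally, the auxiliary queue does not contain the total object traffic of the first object, the record information further includes the maximum allowed capacity of the auxiliary queue and the object traffic estimation error of the first bucket, the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the traffic upper bound, in the first bucket, of an object mapped to the first bucket;
as shown in FIG. 8, the worker node 7 further includes:
a first determining unit 7A, configured to determine the minimum value among v and the values of the total object traffic of the objects in the auxiliary queue;
the update unit 78 is specifically configured to subtract the minimum value from the value of the total object traffic of every object in the auxiliary queue, and add the minimum value to the value of the object traffic estimation error of the first bucket.
Optionally, when the auxiliary queue contains a total object traffic whose value is zero, the update unit 78 is further configured to:
delete the total object traffic whose value is zero;
add the total object traffic of the first object to the auxiliary queue;
assign v to the total object traffic of the first object.
Optionally, as shown in FIG. 8, the worker node 7 further includes:
a deletion unit 7B, configured to delete the first element when the auxiliary queue does not contain a total object traffic whose value is zero.
Optionally, as shown in FIG. 8, the worker node 7 further includes:
a second determining unit 7C, configured to determine whether the value L of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition; specifically configured to:
determine the current expansion round number k;
when (k+1)(k+2)-1>L, determine that the value of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition;
when (k+1)(k+2)-1≤L, determine that the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition;
the value of the expansion capacity is (k+1)(k+2)-1.
Optionally, the second determining unit 7C is specifically configured to: according to the formula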
Figure PCTCN2014089939-appb-000005
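determine the current expansion round number k, where W is the total traffic of all elements mapped to the first bucket obtained after the first element is mapped to the first bucket, and T is the dynamic expansion parameter; when the preset abnormal object type is the large traffic object, T=φ; or, when the preset abnormal object type is the large change object, T=εφ; where φ is the preset total object traffic threshold of the first object, ε is a constant, and 0<ε≤1.
Optionally, the first element is an element for the first object among the Y elements, specifically the last element for the first object;
the second acquisition unit 7C is specifically configured to obtain the traffic upper bound of the first object in the first bucket; specifically configured to:
when the total object traffic of the first object is in the auxiliary queue, use the value of the total object traffic of the first object as the traffic lower bound of the first object in the first bucket, and when the total object traffic of the first object is not in the auxiliary queue, use zero as the traffic lower bound of the first object in the first bucket;
use the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.
For example, the worker node 7 may specifically be a device such as a server or a PC.
The worker node provided by this embodiment of the present invention obtains, as a target bucket, a bucket whose total traffic of all mapped elements within the current time interval is greater than or equal to the first threshold, and further identifies whether the first object is an abnormal object according to the preset abnormal object type and the obtained r traffic upper bounds of the first object in the r buckets to which it is mapped, where the first object is any object mapped to the target bucket. This solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object. It can effectively avoid the prior-art problem in which small traffic objects are wrongly identified as large traffic objects because only the total traffic of all elements mapped to a bucket is used to identify whether an object is abnormal, thereby improving identification accuracy.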
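Embodiment Three
In terms of hardware implementation, the sending unit in FIG. 8 may be a transmitter and the receiving unit may be a receiver, and the transmitter and the receiver may be integrated to form a transceiver. The units other than the storage unit may be embedded in, or independent of, the processor of the worker node in hardware form, or may be stored in the memory of the worker node in software form so that the processor can invoke and perform the operations corresponding to the above modules. The processor may be a central processing unit (CPU), a microprocessor, a single-chip microcomputer, or the like.
As shown in FIG. 9, an embodiment of the present invention provides a worker node 9, configured to perform the method for identifying an abnormal IP data stream shown in FIG. 1. The worker node 9 includes: a memory 91, a processor 92, a receiver 93, and a bus system 94.
The memory 91, the processor 92, and the receiver 93 are coupled together through the bus system 94, where the bus system 94 may include, in addition to a data bus, a power bus, a control bus, a status signal bus, and the like. For clarity of description, however, the various buses are all labeled as the bus system 94 in the figure.
The memory 91 is configured to store a set of code, and the code is used to control the processor 92 and the receiver 93 to perform the corresponding actions. Specifically:
the receiver 93 is configured to receive, within the current time interval, Y elements sent by a data collection node, where Y≥1 and Y is an integer;
the processor 92 is configured to perform the following actions:
map the Y elements to N buckets according to a mapping algorithm, where N≥1 and N is an integer;
obtain, as a target bucket, a bucket among the N buckets whose total traffic of all mapped elements is greater than or equal to a first threshold;
obtain r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to the target bucket, each of the r buckets contains 1 traffic upper bound for the first object, r≥1, and r is an integer;
identify whether the first object is an abnormal object according to a preset abnormal object type and the r traffic upper bounds within the current time interval, where the preset abnormal object type is the large traffic object or the large change object.
Optionally, the preset abnormal object type is the large traffic object;
the processor 92 is specifically configured to determine that the first object is a large traffic object when r1 traffic upper bounds among the r traffic upper bounds within the current time interval are all greater than or equal to a second threshold, where r≥r1≥1.
Optionally, the preset abnormal object type is the large change object; the processor 92 is further configured to obtain r traffic upper bounds of the first object in the r buckets to which it is mapped within the time interval preceding the current time interval;
the processor 92 is specifically configured to:
obtain r change amounts of the traffic upper bound according to the r traffic upper bounds within the current time interval and the r traffic upper bounds within the preceding time interval;
determine that the first object is a large change object when r2 change amounts among the r change amounts of the traffic upper bound are all greater than or equal to a third threshold, where r≥r2≥1.
Optionally, the elements for the first object are distributed over d worker nodes including the worker node, d≥2, d is an integer, the d worker nodes identify d abnormal object sets, and each worker node identifies 1 abnormal object set;
the receiver 93 is further configured to receive the d-1 abnormal object sets sent by the other d-1 worker nodes, and determine that the first object is a target abnormal object when d1 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d1≥1;
or, as shown in FIG. 10, the worker node 9 further includes a transmitter 94, configured to send the abnormal object set identified by the worker node to a control node, so that the control node determines that the first object is a target abnormal object when d2 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d2≥1.
Optionally, the processor 92 is specifically configured to map any element for the first object among the Y elements to a first bucket according to the mapping algorithm, where the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm;
the processor 92 is further configured to update the record information contained in the first bucket; the record information includes the total traffic of all elements mapped to the first bucket and an auxiliary queue, where the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
Optionally, the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the processor 92 is specifically configured to:
when the auxiliary queue contains the total object traffic of the first object, add v to the value of the total object traffic of the first object; or,
when the auxiliary queue does not contain the total object traffic of the first object, add the total object traffic of the first object to the auxiliary queue and assign v to the total object traffic of the first object.
Optionally, the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the record information further includes the maximum allowed capacity of the auxiliary queue; the processor 92 is specifically configured to: in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowed capacity, when the auxiliary queue does not contain the total object traffic of the first object, add the total object traffic of the first object to the auxiliary queue and assign v to the total object traffic of the first object.
Optionally, the record information further includes the maximum allowed capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowed capacity of the auxiliary queue; the processor 92 is further configured to, when the value of the maximum allowed capacity of the auxiliary queue satisfies a preset expansion condition, expand the storage space corresponding to the value of the maximum allowed capacity into the storage space corresponding to the value of an expansion capacity, and assign the value of the expansion capacity to the maximum allowed capacity.
Optionally, the auxiliary queue does not contain the total object traffic of the first object, the record information further includes the maximum allowed capacity of the auxiliary queue and the object traffic estimation error of the first bucket, the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the traffic upper bound, in the first bucket, of an object mapped to the first bucket;
the processor 92 is further configured to determine the minimum value among v and the values of the total object traffic of the objects in the auxiliary queue;
the processor 92 is specifically configured to subtract the minimum value from the value of the total object traffic of every object in the auxiliary queue, and add the minimum value to the value of the object traffic estimation error of the first bucket.
Optionally, the processor 92 is further configured to:
when the auxiliary queue contains a total object traffic whose value is zero, delete the total object traffic whose value is zero;
add the total object traffic of the first object to the auxiliary queue;
assign v to the total object traffic of the first object.
Optionally, the processor 92 is further configured to delete the first element when the auxiliary queue does not contain a total object traffic whose value is zero.
Optionally, the processor 92 is further configured to determine whether the value L of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition; specifically configured to:
determine the current expansion round number k;
when (k+1)(k+2)-1>L, determine that the value of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition;
when (k+1)(k+2)-1≤L, determine that the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition;
the value of the expansion capacity is (k+1)(k+2)-1.
Optionally, the processor 92 is specifically configured to, according to the formula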
Figure PCTCN2014089939-appb-000006
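determine the current expansion round number k, where W is the total traffic of all elements mapped to the first bucket obtained after the first element is mapped to the first bucket, and T is the dynamic expansion parameter; when the preset abnormal object type is the large traffic object, T=φ; or, when the preset abnormal object type is the large change object, T=εφ; where φ is the preset total object traffic threshold of the first object, ε is a constant, and 0<ε≤1.
Optionally, the first element is an element for the first object among the Y elements, specifically the last element for the first object; the processor 92 is specifically configured to obtain the traffic upper bound of the first object in the first bucket; specifically configured to:
when the total object traffic of the first object is in the auxiliary queue, use the value of the total object traffic of the first object as the traffic lower bound of the first object in the first bucket, and when the total object traffic of the first object is not in the auxiliary queue, use zero as the traffic lower bound of the first object in the first bucket;
use the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.
For example, the worker node 7 may specifically be a device such as a server or a PC.
The worker node provided by this embodiment of the present invention obtains, as a target bucket, a bucket whose total traffic of all mapped elements within the current time interval is greater than or equal to the first threshold, and further identifies whether the first object is an abnormal object according to the preset abnormal object type and the obtained r traffic upper bounds of the first object in the r buckets to which it is mapped, where the first object is any object mapped to the target bucket. This solution combines the total traffic of all elements mapped to a bucket with the traffic upper bound of a single object in the buckets to which it is mapped to identify whether an object is an abnormal object. It can effectively avoid the prior-art problem in which small traffic objects are wrongly identified as large traffic objects because only the total traffic of all elements mapped to a bucket is used to identify whether an object is abnormal, thereby improving identification accuracy.
In addition, an embodiment of the present invention further provides a system for identifying an abnormal IP data stream, including one or more data collection nodes and one or more worker nodes, where the worker node may be any worker node 7 or worker node 9 provided by the above embodiments. It should be noted that, for the functions of the data collection node and the worker node and the actions performed to implement those functions, refer to the relevant parts of the above embodiments; details are not repeated here. FIG. 11 is a block diagram of a system for identifying an abnormal IP data stream provided by an embodiment of the present invention. Optionally, as shown in FIG. 12, the system may further include a control node; for the functions of the control node and the actions performed to implement those functions, refer to the relevant parts of the above embodiments; details are not repeated here.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the system, apparatus, and units described above, reference may be made to the corresponding processes in the foregoing method embodiments; details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is merely a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may be physically included on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of software functional units may be stored in a computer-readable storage medium. The software functional units are stored in a storage medium and include several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM for short), a random access memory (Random Access Memory, RAM for short), a magnetic disk, or an optical disc.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.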

Claims (29)

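  1. A method for identifying an abnormal IP data stream, characterized in that it is applied in a worker node, the method comprising:
    receiving, within the current time interval, Y elements sent by a data collection node, where Y≥1 and Y is an integer;
    mapping the Y elements to N buckets according to a mapping algorithm, where N≥1 and N is an integer;
    obtaining, as a target bucket, a bucket among the N buckets whose total traffic of all mapped elements is greater than or equal to a first threshold;
    obtaining r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to the target bucket, each of the r buckets contains 1 traffic upper bound for the first object, r≥1, and r is an integer;
    identifying whether the first object is an abnormal object according to a preset abnormal object type and the r traffic upper bounds within the current time interval, where the preset abnormal object type is the large traffic object or the large change object.
  2. The method according to claim 1, characterized in that the preset abnormal object type is the large traffic object; and the identifying whether the first object is an abnormal object according to a preset abnormal object type and the r traffic upper bounds within the current time interval comprises:
    determining that the first object is a large traffic object when r1 traffic upper bounds among the r traffic upper bounds within the current time interval are all greater than or equal to a second threshold, where r≥r1≥1.
  3. The method according to claim 1 or 2, characterized in that the preset abnormal object type is the large change object; the method further comprises:
    obtaining r traffic upper bounds of the first object in the r buckets to which it is mapped within the time interval preceding the current time interval;
    the identifying whether the first object is an abnormal object according to a preset abnormal object type and the r traffic upper bounds within the current time interval comprises:
    obtaining r change amounts of the traffic upper bound according to the r traffic upper bounds within the current time interval and the r traffic upper bounds within the preceding time interval;
    determining that the first object is a large change object when r2 change amounts among the r change amounts of the traffic upper bound are all greater than or equal to a third threshold, where r≥r2≥1.
  4. The method according to any one of claims 1 to 3, characterized in that the elements for the first object are distributed over d worker nodes including the worker node, d≥2, d is an integer, the d worker nodes identify d abnormal object sets, and each worker node identifies 1 abnormal object set; after the identifying whether the first object is an abnormal object according to a preset abnormal object type and the r traffic upper bounds within the current time interval, the method further comprises:
    receiving the d-1 abnormal object sets sent by the other d-1 worker nodes, and determining that the first object is a target abnormal object when d1 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d1≥1;
    or, sending the abnormal object set identified by the worker node to a control node, so that the control node determines that the first object is a target abnormal object when d2 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d2≥1.
  5. The method according to any one of claims 1 to 4, characterized in that the mapping the Y elements to N buckets according to a mapping algorithm comprises:
    mapping any element for the first object among the Y elements to a first bucket according to the mapping algorithm, where the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm;
    the method further comprises:
    updating the record information contained in the first bucket; the record information includes the total traffic of all elements mapped to the first bucket and an auxiliary queue, where the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
  6. The method according to claim 5, characterized in that the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the updating the record information contained in the first bucket comprises:
    when the auxiliary queue contains the total object traffic of the first object, adding v to the value of the total object traffic of the first object; or,
    when the auxiliary queue does not contain the total object traffic of the first object, adding the total object traffic of the first object to the auxiliary queue and assigning v to the total object traffic of the first object.
  7. The method according to claim 5, characterized in that the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the record information further includes the maximum allowed capacity of the auxiliary queue; the updating the record information contained in the first bucket comprises:
    in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowed capacity, when the auxiliary queue does not contain the total object traffic of the first object, adding the total object traffic of the first object to the auxiliary queue and assigning v to the total object traffic of the first object.
  8. The method according to claim 6, characterized in that the record information further includes the maximum allowed capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowed capacity of the auxiliary queue; before the total object traffic of the first object is added to the auxiliary queue, the method further comprises:
    when the value of the maximum allowed capacity of the auxiliary queue satisfies a preset expansion condition, expanding the storage space corresponding to the value of the maximum allowed capacity into the storage space corresponding to the value of an expansion capacity;
    the updating the record information contained in the first bucket further comprises:
    assigning the value of the expansion capacity to the maximum allowed capacity.
  9. The method according to any one of claims 5-8, characterized in that the auxiliary queue does not contain the total object traffic of the first object, the record information further includes the maximum allowed capacity of the auxiliary queue and the object traffic estimation error of the first bucket, the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the traffic upper bound, in the first bucket, of an object mapped to the first bucket; before the updating the record information contained in the first bucket, the method further comprises:
    determining the minimum value among v and the values of the total object traffic of the objects in the auxiliary queue;
    the updating the record information contained in the first bucket comprises:
    subtracting the minimum value from the value of the total object traffic of every object in the auxiliary queue, and adding the minimum value to the value of the object traffic estimation error of the first bucket.
  10. The method according to claim 9, characterized in that, when the auxiliary queue contains a total object traffic whose value is zero, the updating the record information contained in the first bucket further comprises:
    deleting the total object traffic whose value is zero;
    adding the total object traffic of the first object to the auxiliary queue;
    assigning v to the total object traffic of the first object.
  11. The method according to claim 9 or 10, characterized in that, when the auxiliary queue does not contain a total object traffic whose value is zero, the method further comprises:
    deleting the first element.
  12. The method according to claim 8 or 9, characterized in that the method further comprises:
    determining whether the value L of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition; specifically comprising:
    determining the current expansion round number k;
    when (k+1)(k+2)-1>L, determining that the value of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition;
    when (k+1)(k+2)-1≤L, determining that the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition;
    the value of the expansion capacity is (k+1)(k+2)-1.
  13. The method according to claim 12, characterized in that the determining the current expansion round number k comprises:
    according to the formula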
    Figure PCTCN2014089939-appb-100001
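    determining the current expansion round number k, where W is the total traffic of all elements mapped to the first bucket obtained after the first element is mapped to the first bucket, and T is the dynamic expansion parameter; when the preset abnormal object type is the large traffic object, T=φ; or, when the preset abnormal object type is the large change object, T=εφ; where φ is the preset total object traffic threshold of the first object, ε is a constant, and 0<ε≤1.
  14. The method according to claim 9, characterized in that the first element is an element for the first object among the Y elements, specifically the last element for the first object;
    the obtaining r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval comprises:
    obtaining the traffic upper bound of the first object in the first bucket; specifically comprising:
    when the total object traffic of the first object is in the auxiliary queue, using the value of the total object traffic of the first object as the traffic lower bound of the first object in the first bucket, and when the total object traffic of the first object is not in the auxiliary queue, using zero as the traffic lower bound of the first object in the first bucket;
    using the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.
  15. A worker node, characterized in that it comprises:
    a receiving unit, configured to receive, within the current time interval, Y elements sent by a data collection node, where Y≥1 and Y is an integer;
    a mapping unit, configured to map the Y elements to N buckets according to a mapping algorithm, where N≥1 and N is an integer;
    a first acquisition unit, configured to obtain, as a target bucket, a bucket among the N buckets whose total traffic of all mapped elements is greater than or equal to a first threshold;
    a second acquisition unit, configured to obtain r traffic upper bounds of a first object in the r buckets to which it is mapped within the current time interval, where the first object is any object mapped to the target bucket, each of the r buckets contains 1 traffic upper bound for the first object, r≥1, and r is an integer;
    an identification unit, configured to identify whether the first object is an abnormal object according to a preset abnormal object type and the r traffic upper bounds within the current time interval, where the preset abnormal object type is the large traffic object or the large change object.
  16. The worker node according to claim 15, characterized in that the preset abnormal object type is the large traffic object;
    the identification unit is specifically configured to determine that the first object is a large traffic object when r1 traffic upper bounds among the r traffic upper bounds within the current time interval are all greater than or equal to a second threshold, where r≥r1≥1.
  17. The worker node according to claim 15 or 16, characterized in that the preset abnormal object type is the large change object; the worker node further comprises:
    a third acquisition unit, configured to obtain r traffic upper bounds of the first object in the r buckets to which it is mapped within the time interval preceding the current time interval;
    the identification unit is specifically configured to: obtain r change amounts of the traffic upper bound according to the r traffic upper bounds within the current time interval and the r traffic upper bounds within the preceding time interval; and determine that the first object is a large change object when r2 change amounts among the r change amounts of the traffic upper bound are all greater than or equal to a third threshold, where r≥r2≥1.
  18. The worker node according to any one of claims 15 to 17, characterized in that the elements for the first object are distributed over d worker nodes including the worker node, d≥2, d is an integer, the d worker nodes identify d abnormal object sets, and each worker node identifies 1 abnormal object set;
    the receiving unit is further configured to receive the d-1 abnormal object sets sent by the other d-1 worker nodes, and determine that the first object is a target abnormal object when d1 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d1≥1;
    or, the worker node further comprises a sending unit, configured to send the abnormal object set identified by the worker node to a control node, so that the control node determines that the first object is a target abnormal object when d2 abnormal object sets among the d abnormal object sets all contain the first object, where d≥d2≥1.
  19. The worker node according to any one of claims 15 to 18, characterized in that
    the mapping unit is specifically configured to map any element for the first object among the Y elements to a first bucket according to the mapping algorithm, where the first bucket is any bucket to which the first object can be mapped according to the mapping algorithm;
    the worker node further comprises an update unit, configured to update the record information contained in the first bucket; the record information includes the total traffic of all elements mapped to the first bucket and an auxiliary queue, where the auxiliary queue is used to determine the traffic upper bound, in the first bucket, of each object mapped to the first bucket.
  20. The worker node according to claim 19, characterized in that the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object;
    the update unit is specifically configured to: when the auxiliary queue contains the total object traffic of the first object, add v to the value of the total object traffic of the first object; or, when the auxiliary queue does not contain the total object traffic of the first object, add the total object traffic of the first object to the auxiliary queue and assign v to the total object traffic of the first object.
  21. The worker node according to claim 19, characterized in that the auxiliary queue consists of the total object traffic of the objects mapped to the first bucket, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the record information further includes the maximum allowed capacity of the auxiliary queue;
    the update unit is specifically configured to: in the case where the value of the current capacity of the auxiliary queue is less than the value of the maximum allowed capacity, when the auxiliary queue does not contain the total object traffic of the first object, add the total object traffic of the first object to the auxiliary queue and assign v to the total object traffic of the first object.
  22. The worker node according to claim 20, characterized in that the record information further includes the maximum allowed capacity of the auxiliary queue, and the value of the current capacity of the auxiliary queue is greater than or equal to the value of the maximum allowed capacity of the auxiliary queue; the worker node further comprises:
    an expansion unit, configured to, when the value of the maximum allowed capacity of the auxiliary queue satisfies a preset expansion condition, expand the storage space corresponding to the value of the maximum allowed capacity into the storage space corresponding to the value of an expansion capacity;
    the update unit is specifically configured to assign the value of the expansion capacity to the maximum allowed capacity.
  23. The worker node according to any one of claims 19-22, characterized in that the auxiliary queue does not contain the total object traffic of the first object, the record information further includes the maximum allowed capacity of the auxiliary queue and the object traffic estimation error of the first bucket, the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition, and a first element contains a traffic value v of the first object, where the first element is an element for the first object; the object traffic estimation error of the first bucket is used to determine the traffic upper bound, in the first bucket, of an object mapped to the first bucket; the worker node further comprises:
    a first determining unit, configured to determine the minimum value among v and the values of the total object traffic of the objects in the auxiliary queue;
    the update unit is specifically configured to subtract the minimum value from the value of the total object traffic of every object in the auxiliary queue, and add the minimum value to the value of the object traffic estimation error of the first bucket.
  24. The worker node according to claim 23, characterized in that, when the auxiliary queue contains a total object traffic whose value is zero, the update unit is further configured to:
    delete the total object traffic whose value is zero;
    add the total object traffic of the first object to the auxiliary queue;
    assign v to the total object traffic of the first object.
  25. The worker node according to claim 23 or 24, characterized in that the worker node further comprises:
    a deletion unit, configured to delete the first element when the auxiliary queue does not contain a total object traffic whose value is zero.
  26. The worker node according to claim 22 or 23, characterized in that the worker node further comprises:
    a second determining unit, configured to determine whether the value L of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition; specifically configured to:
    determine the current expansion round number k;
    when (k+1)(k+2)-1>L, determine that the value of the maximum allowed capacity of the auxiliary queue satisfies the preset expansion condition;
    when (k+1)(k+2)-1≤L, determine that the value of the maximum allowed capacity of the auxiliary queue does not satisfy the preset expansion condition;
    the value of the expansion capacity is (k+1)(k+2)-1.
  27. The worker node according to claim 26, characterized in that the second determining unit is specifically configured to: according to the formula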
    Figure PCTCN2014089939-appb-100002
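    determine the current expansion round number k, where W is the total traffic of all elements mapped to the first bucket obtained after the first element is mapped to the first bucket, and T is the dynamic expansion parameter; when the preset abnormal object type is the large traffic object, T=φ; or, when the preset abnormal object type is the large change object, T=εφ; where φ is the preset total object traffic threshold of the first object, ε is a constant, and 0<ε≤1.
  28. The worker node according to claim 23, characterized in that the first element is an element for the first object among the Y elements, specifically the last element for the first object;
    the second acquisition unit is specifically configured to obtain the traffic upper bound of the first object in the first bucket; specifically configured to:
    when the total object traffic of the first object is in the auxiliary queue, use the value of the total object traffic of the first object as the traffic lower bound of the first object in the first bucket, and when the total object traffic of the first object is not in the auxiliary queue, use zero as the traffic lower bound of the first object in the first bucket;
    use the sum of the traffic lower bound of the first object in the first bucket and the object traffic estimation error of the first bucket as the traffic upper bound of the first object in the first bucket.
  29. A system for identifying an abnormal IP data stream, characterized in that it comprises: a data collection node and the worker node according to any one of claims 15-28, where the data collection node is configured to send the Y elements.
PCT/CN2014/089939 2014-04-28 2014-10-30 Method, apparatus, and system for identifying abnormal IP data stream WO2015165229A1 (zh)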

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/798,811 US9923794B2 (en) 2014-04-28 2015-07-14 Method, apparatus, and system for identifying abnormal IP data stream

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410175828.0 2014-04-28
CN201410175828.0A CN105099732B (zh) 2014-04-28 2014-04-28 Method, apparatus, and system for identifying abnormal IP data stream

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/798,811 Continuation US9923794B2 (en) 2014-04-28 2015-07-14 Method, apparatus, and system for identifying abnormal IP data stream

Publications (1)

Publication Number Publication Date
WO2015165229A1 true WO2015165229A1 (zh) 2015-11-05

Family

ID=54358106

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/089939 WO2015165229A1 (zh) 2014-04-28 2014-10-30 Method, apparatus, and system for identifying abnormal IP data stream

Country Status (2)

Country Link
CN (1) CN105099732B (zh)
WO (1) WO2015165229A1 (zh)

Also Published As

Publication number Publication date
CN105099732B (zh) 2018-11-20
CN105099732A (zh) 2015-11-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14890552

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14890552

Country of ref document: EP

Kind code of ref document: A1