WO2017177591A1 - Method for analyzing source and destination of internet traffic - Google Patents
Method for analyzing source and destination of internet traffic
- Publication number
- WO2017177591A1 (application PCT/CN2016/095672)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- log
- source
- dns
- domain
- domain name
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
Claims (9)
- A method for analyzing the source and destination of Internet traffic, characterized in that the source and destination of Internet traffic are obtained by processing DNS logs, comprising the following steps:
  - a log filtering step of filtering out DNS logs that cannot reflect the user's real access path;
  - a log segmentation step of segmenting the DNS logs obtained after the log filtering step successively by source IP, by timestamp difference, and by central domain, to obtain segmented access paths; and
  - a data aggregation step of aggregating all of the segmented access paths.
- The analysis method according to claim 1, characterized in that the log filtering step uses blacklists and whitelists to retain DNS logs containing requests for domain names of key interest and to remove DNS logs containing non-human domain name requests generated by servers.
- The analysis method according to claim 2, characterized in that removing DNS logs further comprises removing logs of accesses from enterprise IPs and removing logs that have no resolved IP.
- The analysis method according to claim 3, characterized in that segmenting the DNS logs by source IP obtains the consecutive DNS logs of the same source IP within a period of time.
- The analysis method according to claim 4, characterized in that segmenting by timestamp difference further segments the logs already segmented by source IP according to the difference between the timestamps of the DNS logs: if the difference between the timestamps of two DNS logs is greater than a specified length of time, the two DNS logs are split apart.
- The analysis method according to claim 5, characterized in that the specified length of time is 3 seconds.
- The analysis method according to claim 6, characterized in that the step of segmenting the DNS logs by timestamp difference is followed by a merging step, in which the domain names in the access paths obtained by segmentation are converted into domains and consecutive identical domains are merged, to obtain the path of the source IP.
- The analysis method according to claim 7, characterized in that segmenting by central domain splits the path of the source IP with the central domain as the reference, the access path obtained after segmentation being: source domain name n + … + source domain name 1 + central domain name + destination domain name 1 + … + destination domain name n, wherein the central domain is a domain determined, according to user/system requirements, to be the focus of analysis.
- The analysis method according to claim 8, characterized in that, in the data aggregation step, all access paths of the source IP obtained after the central-domain segmentation step are aggregated.
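The pipeline described in claims 1 to 9, as an added Python sketch that is not code from the patent: filter, cut per source IP on gaps longer than 3 seconds, merge repeated domains, split around the central domain, and count the resulting paths. The record layout, all function names, the last-two-labels domain heuristic and the handling of repeated central-domain hits are assumptions; the whitelist side of claim 2 is omitted.

```python
from collections import Counter
from itertools import groupby

GAP_SECONDS = 3  # claim 6: cut when consecutive logs are more than 3 s apart

def to_domain(qname):  # assumption: naive last-two-labels; real use needs the Public Suffix List
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def filter_logs(logs, enterprise_ips, blacklist):
    # Claims 2-3: drop machine-generated names, enterprise source IPs, unresolved queries.
    return [r for r in logs if r[1] not in enterprise_ips and r[2] not in blacklist and r[3]]

def sessions(logs):
    # Claims 4-5: group by source IP, then cut on timestamp gaps larger than GAP_SECONDS.
    for _, group in groupby(sorted(logs, key=lambda r: (r[1], r[0])), key=lambda r: r[1]):
        current = []
        for log in group:
            if current and log[0] - current[-1][0] > GAP_SECONDS:
                yield current
                current = []
            current.append(log)
        yield current

def merge_domains(session):  # claim 7: names -> domains, collapse runs of one domain
    return [d for d, _ in groupby(to_domain(r[2]) for r in session)]

def split_on_center(path, center):
    # Claim 8; assumption: a path with several center hits is cut at each neighbouring hit.
    hits = [i for i, d in enumerate(path) if d == center]
    bounds = [-1] + hits + [len(path)]
    for k, i in enumerate(hits):
        yield tuple(path[bounds[k] + 1:i]), center, tuple(path[i + 1:bounds[k + 2]])

def analyze(logs, center, enterprise_ips=(), blacklist=()):
    # Claim 9: aggregate every segmented access path into a count per path.
    kept = filter_logs(logs, enterprise_ips, blacklist)
    return Counter(p for s in sessions(kept) for p in split_on_center(merge_domains(s), center))

SAMPLE = [  # constructed records: (timestamp_s, source_ip, queried_name, resolved_ip)
    (0.0, "10.0.0.5", "www.search.example", "198.51.100.1"),
    (1.0, "10.0.0.5", "www.shop.example", "198.51.100.2"),
    (1.5, "10.0.0.5", "img.shop.example", "198.51.100.3"),
    (2.0, "10.0.0.5", "tracker.example", None),               # unresolved: filtered
    (2.5, "10.0.0.5", "pay.example", "198.51.100.4"),
    (9.0, "10.0.0.5", "news.example", "198.51.100.5"),        # gap > 3 s: new session
    (0.5, "10.0.0.9", "time.ntp.example", "198.51.100.6"),    # blacklisted name
    (2.0, "10.0.0.9", "www.shop.example", "198.51.100.2"),
    (4.0, "192.0.2.10", "www.shop.example", "198.51.100.2"),  # enterprise IP
]
```

Calling `analyze(SAMPLE, "shop.example", enterprise_ips={"192.0.2.10"}, blacklist={"time.ntp.example"})` returns one count per (sources, central domain, destinations) path.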
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2018139991A RU2702048C1 (en) | 2016-04-14 | 2016-08-17 | Method of analyzing a source and destination of internet traffic |
GB1816212.3A GB2564057A (en) | 2016-04-14 | 2016-08-17 | Method for analyzing source and destination of internet traffic |
JP2018554481A JP7075348B2 (en) | 2016-04-14 | 2016-08-17 | How to analyze the source and destination of Internet traffic |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610231212.X | 2016-04-14 | ||
CN201610231212.XA CN105704260B (en) | 2016-04-14 | 2016-04-14 | A kind of analysis method of internet traffic source whereabouts |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017177591A1 (en) | 2017-10-19 |
Family
ID=56216713
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/095672 WO2017177591A1 (en) | 2016-04-14 | 2016-08-17 | Method for analyzing source and destination of internet traffic |
Country Status (5)
Country | Link |
---|---|
JP (1) | JP7075348B2 (en) |
CN (1) | CN105704260B (en) |
GB (1) | GB2564057A (en) |
RU (1) | RU2702048C1 (en) |
WO (1) | WO2017177591A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10834214B2 (en) | 2018-09-04 | 2020-11-10 | At&T Intellectual Property I, L.P. | Separating intended and non-intended browsing traffic in browsing history |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105704260B (en) * | 2016-04-14 | 2019-05-21 | 上海牙木通讯技术有限公司 | A kind of analysis method of internet traffic source whereabouts |
CN105763633B (en) * | 2016-04-14 | 2019-05-21 | 上海牙木通讯技术有限公司 | A kind of correlating method of domain name and website visiting behavior |
CN107846480B (en) * | 2016-09-19 | 2021-04-20 | 贵州白山云科技股份有限公司 | NXDOMAIN response packet processing method and device |
CN107707545B (en) * | 2017-09-29 | 2021-06-04 | 深信服科技股份有限公司 | Abnormal webpage access fragment detection method, device, equipment and storage medium |
CN109150819B (en) * | 2018-01-15 | 2019-06-11 | 北京数安鑫云信息技术有限公司 | A kind of attack recognition method and its identifying system |
CN110138684B (en) * | 2019-04-01 | 2022-04-29 | 贵州力创科技发展有限公司 | Traffic monitoring method and system based on DNS log |
CN111526065A (en) * | 2020-04-13 | 2020-08-11 | 苏宁云计算有限公司 | Website page flow analysis method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030188119A1 (en) * | 2002-03-26 | 2003-10-02 | Clark Lubbers | System and method for dynamically managing memory allocated to logging in a storage area network |
CN102004883A (en) * | 2010-12-03 | 2011-04-06 | 中国软件与技术服务股份有限公司 | Trace tracking method for electronic files |
CN105357054A (en) * | 2015-11-26 | 2016-02-24 | 上海晶赞科技发展有限公司 | Website traffic analysis method and apparatus, and electronic equipment |
CN105704260A (en) * | 2016-04-14 | 2016-06-22 | 上海牙木通讯技术有限公司 | Method for analyzing where Internet traffic comes from and goes to |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1290853A2 (en) * | 2000-05-26 | 2003-03-12 | Akamai Technologies, Inc. | Global load balancing across mirrored data centers |
EP2245837B1 (en) * | 2008-02-11 | 2011-12-28 | Dolby Laboratories Licensing Corporation | Dynamic DNS system for private networks |
US8380870B2 (en) * | 2009-08-05 | 2013-02-19 | Verisign, Inc. | Method and system for filtering of network traffic |
RU105758U1 (en) * | 2010-11-23 | 2011-06-20 | Валентина Владимировна Глазкова | ANALYSIS AND FILTRATION SYSTEM FOR INTERNET TRAFFIC BASED ON THE CLASSIFICATION METHODS OF MULTI-DIMENSIONAL DOCUMENTS |
-
2016
- 2016-04-14 CN CN201610231212.XA patent/CN105704260B/en active Active
- 2016-08-17 RU RU2018139991A patent/RU2702048C1/en active
- 2016-08-17 GB GB1816212.3A patent/GB2564057A/en not_active Withdrawn
- 2016-08-17 JP JP2018554481A patent/JP7075348B2/en active Active
- 2016-08-17 WO PCT/CN2016/095672 patent/WO2017177591A1/en active Application Filing
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10834214B2 (en) | 2018-09-04 | 2020-11-10 | At&T Intellectual Property I, L.P. | Separating intended and non-intended browsing traffic in browsing history |
US11228655B2 (en) | 2018-09-04 | 2022-01-18 | At&T Intellectual Property I, L.P. | Separating intended and non-intended browsing traffic in browsing history |
US11652900B2 (en) | 2018-09-04 | 2023-05-16 | At&T Intellectual Property I, L.P. | Separating intended and non-intended browsing traffic in browsing history |
Also Published As
Publication number | Publication date |
---|---|
GB2564057A (en) | 2019-01-02 |
CN105704260A (en) | 2016-06-22 |
JP7075348B2 (en) | 2022-05-25 |
RU2702048C1 (en) | 2019-10-03 |
CN105704260B (en) | 2019-05-21 |
JP2019514303A (en) | 2019-05-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017177591A1 (en) | Method for analyzing source and destination of internet traffic | |
CN109905288B (en) | Application service classification method and device | |
CN103888490A (en) | Automatic WEB client man-machine identification method | |
CN102065147A (en) | Method and device for obtaining user login information based on enterprise application system | |
CN104579773A (en) | Domain name system analysis method and device | |
Bhargav et al. | Pattern discovery and users classification through web usage mining | |
Rogers et al. | National Web studies: The case of Iran online | |
Sardar et al. | Detection and confirmation of web robot requests for cleaning the voluminous web log data | |
CN110929185A (en) | Website directory detection method and device, computer equipment and computer storage medium | |
KR101055871B1 (en) | Apparatus and method for extracting user session information through real-time analysis of web logs | |
WO2017177590A1 (en) | Method for associating domain name with website access behavior | |
Patel et al. | Improve heuristics for user session identification through web server log in web usage mining | |
US10594809B2 (en) | Aggregation of web interactions for personalized usage | |
WO2016173327A1 (en) | Method and device for detecting website attack | |
Latib et al. | Analysing log files for web intrusion investigation using hadoop | |
Shrivastava et al. | Extracting knowledge from user access logs | |
Verma et al. | Web Usage mining framework for Data Cleaning and IP address Identification | |
Dharmarajan et al. | Discovering User Pattern Analysis from Web Log Data using Weblog Expert | |
Shu-yue et al. | The study on the preprocessing in web log mining | |
Ganibardi et al. | Weblog Data Structuration: A Stream-centric approach for improving session reconstruction quality | |
WO2014161454A1 (en) | Data search method and device for semi-closed data environment | |
JP5061316B1 (en) | Communication packet analyzer | |
Maheswari et al. | Algorithm for Tracing Visitors' On-Line Behaviors for Effective Web Usage Mining | |
Chitraa et al. | Web log data cleaning for enhancing mining process | |
TWI579717B (en) | Dynamic Web site HTTP network packet and database packet auditing system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ENP | Entry into the national phase | Ref document number: 201816212; Country of ref document: GB; Kind code of ref document: A; Free format text: PCT FILING DATE = 20160817 |
| WWE | Wipo information: entry into national phase | Ref document number: 1816212.3; Country of ref document: GB |
| ENP | Entry into the national phase | Ref document number: 2018554481; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16898406; Country of ref document: EP; Kind code of ref document: A1 |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16898406; Country of ref document: EP; Kind code of ref document: A1 |