WO2020000744A1 - Deduplication traffic prompting method and apparatus, and server and storage medium - Google Patents

Deduplication traffic prompting method and apparatus, and server and storage medium Download PDF

Info

Publication number
WO2020000744A1
WO2020000744A1 PCT/CN2018/108475 CN2018108475W WO2020000744A1 WO 2020000744 A1 WO2020000744 A1 WO 2020000744A1 CN 2018108475 W CN2018108475 W CN 2018108475W WO 2020000744 A1 WO2020000744 A1 WO 2020000744A1
Authority
WO
WIPO (PCT)
Prior art keywords
deduplication
traffic
target
equal
threshold
Prior art date
Application number
PCT/CN2018/108475
Other languages
French (fr)
Chinese (zh)
Inventor
赵吉
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020000744A1 publication Critical patent/WO2020000744A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0631Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0803Configuration setting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers

Definitions

  • the present application relates to the field of computer technology, and in particular, to a method, a device, a server, and a storage medium for prompting deduplication traffic.
  • an alarm message is usually output when it is determined that a certain de-duplication traffic hits a preset traffic rule.
  • the number of deduplication values may be tens of thousands. In this case, if all deduplication values are taken out in the time period to be counted, the io will be too high, and the calculation efficiency will be low, which will reduce the prompt. effectiveness.
  • the embodiments of the present application provide a method, a device, a server and a storage medium for prompting deduplication traffic, which can reduce the number of deduplication values obtained in the time period to be counted, improve the calculation efficiency, and help to prompt the user to perform risk control more efficiently.
  • an embodiment of the present application provides a deduplication flow recording method, which includes:
  • a plurality of targets for calculating the target deduplication traffic are determined according to the preset traffic rule and the current system time.
  • Determining a deduplication threshold value for calculating the target deduplication traffic according to the preset traffic rule, and obtaining a quantity equal to the deduplication traffic data in each of the target time windows in the multiple target time windows The deduplication value of the deduplication threshold, to obtain the deduplication value set corresponding to each target time window;
  • an embodiment of the present application provides a deduplication flow prompting device, and the deduplication flow prompting device includes a unit for executing the method in the first aspect.
  • an embodiment of the present application provides a server.
  • the server includes a processor, a network interface, and a memory.
  • the processor, the network interface, and the memory are connected to each other.
  • the network interface is controlled by the processor.
  • the memory is configured to receive and send messages, and the memory is configured to store a computer program that supports a server to execute the foregoing method, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
  • an embodiment of the present application provides a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a processor, cause all the The processor executes the method of the first aspect.
  • the number of deduplication values in the target time window can be reduced, the calculation efficiency can be improved, and it is helpful to prompt the user to perform risk control more efficiently.
  • FIG. 1 is a schematic flowchart of a method for prompting deduplication traffic according to an embodiment of the present application
  • FIG. 2 is a schematic flowchart of another method for prompting deduplication traffic according to an embodiment of the present application
  • FIG. 3 is a schematic diagram of an operation interface for configuring a traffic rule according to an embodiment of the present application
  • FIG. 4 is a schematic block diagram of a deduplication traffic prompting device according to an embodiment of the present application.
  • FIG. 5 is a schematic block diagram of a server according to an embodiment of the present application.
  • FIG. 1 is a schematic flowchart of a method for prompting deduplication traffic according to an embodiment of the present application. As shown in the figure, the method for prompting deduplication traffic may include:
  • the server determines whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule.
  • the user can pre-configure the traffic rule (that is, a preset traffic rule) through the traffic rule configuration page.
  • the purpose of the configuration is to determine what kind of traffic to execute the traffic rule, and the statistical duration for executing the traffic rule. Wait, this application mainly configures deduplication traffic rules and implements the traffic rules for deduplication traffic.
  • deduplication traffic is traffic that focuses on different deduplication values, and the deduplication value can be a unique identifier, such as a device number, ID number, account number, and so on.
  • a traffic is the number of transactions of different users with the same device number, where the unique identifier of the user can be a user account, then the user account is a deduplication value. This traffic focuses on different users (that is, deduplication values). To de-duplicate traffic.
  • the server can parse the field point information of the fixed packet. If the field point information is parsed to determine that the traffic corresponding to the packet is the same as the pre-configured traffic rule (that is, a preset rule) ) Match, it can be determined that the traffic rule corresponding to the message needs to be executed, that is, the traffic corresponding to the message is the target deduplication traffic.
  • the pre-configured traffic rule that is, a preset rule
  • the server determines that the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, then determines multiple target time windows for calculating the target deduplication traffic according to the preset traffic rule and the current system time. .
  • the multiple target time windows are classified by time granularity, and each target time window has a priority, such as: second level> minute level> hour level> day level> week level> month level.
  • the preset traffic rule also predefines the statistical duration of the target deduplication traffic. After the server determines that the traffic corresponding to the packet is the target deduplication traffic that matches the preset traffic rule, it can analyze The preset traffic rule determines the statistical duration of the statistical target deduplication traffic and the time granularity corresponding to the statistical duration, and determines the statistical time period for calculating the target deduplication traffic according to the statistical duration and the current system time. Multiple target time windows matching the time granularity for calculating the target deduplication traffic are determined within the time period.
  • the target deduplication traffic is a piece of traffic from device D.
  • the user's predefined statistics duration on the traffic rule configuration page is 10 minutes.
  • the statistical duration corresponds to the time granularity of minutes.
  • the current system time is 2018-05-04T10. : 08: 34.
  • the server will determine the time period of the target deduplicated traffic by the current system time of 10 minutes, that is, the target deduplicated traffic statistics time period is 2018-05-04T09: 58: 34—2018-05-04T10: 08: 34.
  • a plurality of target time windows with a time granularity of minutes regarding the device D are determined within the statistical time period.
  • the multiple target time windows are the following 10-minute time windows:
  • the server obtains deduplication traffic data corresponding to multiple target time windows, and the deduplication traffic data is used to record deduplication values of historical deduplication traffic.
  • historical deduplication traffic (that is, deduplication traffic data) is recorded under each target time window, and the recording form is to record the number of times that the deduplication value corresponding to each historical deduplication traffic appears in each target time window.
  • the target time window g the recorded data can be: device D-2018-05-04T10: 02: 00 ⁇ [(U101,1)], where U101 is the deduplication value, 1 indicates that the deduplication value U101 is at the target
  • the time window g appears once.
  • the server determines multiple target time windows for counting the target deduplication traffic, it can obtain the deduplication traffic data recorded under each target time window.
  • the server determines a deduplication threshold used to calculate the target deduplication traffic according to a preset traffic rule, and obtains a number of deduplication traffic data equal to the deduplication threshold from the deduplication traffic data of each target time window in multiple target time windows. Re-evaluation to obtain the de-duplication value set corresponding to each target time window.
  • the server When the server needs to determine the deduplication threshold required to calculate the target deduplication traffic, it can parse the preset traffic rule, determine the target operator and the feature threshold corresponding to the target operator, and based on the preset value rule To determine the deduplication threshold required to calculate the target deduplication traffic that matches the target operator and feature threshold.
  • the target operator may include at least one of greater than, less than, equal to, greater than or equal to, and less than or equal to. Which operator is selected is determined according to a preset traffic rule. For example, if the preset traffic rule is "the number of successful transactions of different users on the same device is greater than 10 times within 10 minutes", then the server can determine the target operator as "greater than” by parsing the preset traffic rule, and corresponding the target operator The feature threshold is determined as "10".
  • the server may identify the target operator, and when the target operator is greater than, equal to, or less than or equal to, the value after the feature threshold is increased by 1 is determined as the deduplication threshold for calculating the target deduplication traffic. When the target operator is greater than or equal to or less than, the value corresponding to the feature threshold is determined as the deduplication threshold used to calculate the target deduplication traffic.
  • the server after the server determines the deduplication threshold required to calculate the target deduplication traffic, it can obtain deduplication values equal to the deduplication threshold in the deduplication traffic data for each target time window that can be obtained. , Each fetch will return a fetch result, the fetch result is a set of deduplication values.
  • the server determines that the deduplication threshold required to calculate the target deduplication traffic is 11, and in step 103, the corresponding deduplication traffic data records obtained in multiple target time windows are as follows:
  • the server can only try to take 11 (that is, the feature threshold) deduplication values under each target time window. Then for the 10 minute target time window of aj, take 11 deduplication values.
  • the result, that is, the set of deduplication values corresponding to each time target time window is:
  • the server determines whether the deduplication traffic hits a preset traffic rule according to the number of deduplication values in the corresponding deduplication value set corresponding to each target time window. If the deduplication traffic hits a preset traffic rule, it outputs a prompt message.
  • the server may parse the deduplication value set corresponding to each target time window, obtain a target deduplication value set that is not an empty set from each deduplication value set, and traverse each target deduplication value set. The number of deduplication values. If the number matches the preset traffic rule, a prompt message is output to notify the user that there is an abnormality in the deduplication traffic.
  • the server may determine a deduplication threshold required to calculate the target deduplication traffic according to a preset traffic rule, and obtain a quantity equal to the deduplication traffic data of each target time window in multiple target time windows.
  • the threshold deduplication value is obtained to obtain the set of deduplication values corresponding to each target time window, and then based on the number of deduplication values in the set of deduplication values corresponding to each target time window, it is determined whether the target deduplication traffic hits the preset. Traffic rule. If it hits, it will output a prompt message.
  • the number of deduplication values in the target time window can be reduced, the calculation efficiency can be improved, and the user can be prompted more effectively to perform risk control.
  • FIG. 2 is a schematic flowchart of another deduplication flow prompting method provided by an embodiment of the present application.
  • the deduplication flow prompting method may include:
  • the server determines whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule.
  • the server may parse the message to obtain field point information of the message, and determine whether the traffic corresponding to the message is a target matching a preset traffic rule according to the field point information. Remove heavy traffic.
  • the user can configure the deduplication traffic in advance through the traffic rule configuration page shown in Figure 3.
  • the purpose of the configuration is to determine the type of deduplication traffic to implement the traffic rule, and to execute the traffic rule.
  • Statistics duration and so on It can be seen that the specific content configured through the traffic rule configuration page shown in FIG. 3 (that is, the preset traffic rule) may include: a traffic rule of different users with the same device number that is greater than 10 in 10 minutes, and 10 The statistic duration is minutes.
  • the server receives a transaction message with the following contents:
  • Event id "001"
  • transaction success status code 001 indicates success
  • 002 indicates failure
  • the server parses each field point of the message. From the field point "user name" of the message, it can be determined that this traffic focuses on different numbers of users (that is, deduplication values). It is a target that matches the preset traffic rule. To de-duplicate traffic, traffic rules must be enforced.
  • the server determines that the traffic corresponding to the packet is the target deduplication traffic that matches the preset traffic rule, then determines multiple target time windows for calculating the target deduplication traffic according to the preset traffic rule and the current system time. .
  • the server obtains deduplication traffic data corresponding to multiple target time windows, and the deduplication traffic data is used to record deduplication values of historical deduplication traffic.
  • the server parses the preset traffic rule, determines a target operator and a feature threshold corresponding to the target operator, and determines, based on the preset value rule, a match for the target operator and the feature threshold for calculating the target deduplication traffic.
  • Re-threshold and obtain a number of de-duplication values equal to the de-duplication threshold from the de-duplication traffic data of each target time window in multiple target time windows, and obtain a set of de-duplication values corresponding to each target time window.
  • steps 202-204 For specific implementations of steps 202-204, reference may be made to the description of steps 102-104 in the foregoing embodiment, and details are not described herein again.
  • the server parses each deduplication value set corresponding to each target time window, obtains a target deduplication value set that is not an empty set from each deduplication value set, and traverses the number of deduplication values in each target deduplication value set. .
  • the server determines that the quantity in any target deduplication value set is greater than or equal to the deduplication threshold, it determines that the target deduplication traffic hits a preset traffic rule, and outputs a prompt information.
  • the server determines that the quantity in any target deduplication value set is greater than or equal to the deduplication threshold, determining that the target deduplication traffic does not hit a preset traffic rule, And output a prompt message.
  • the server executes step 204 to obtain The corresponding set of deduplication values for each target time window is:
  • each deduplicated value set that is, the empty set
  • the target deduplicated value set whose number of deduplicated values is greater than 0.
  • the target deduplicated value set and its corresponding target time are recorded as follows:
  • i-device D-2018-05-04T10 00: 00 [(U1,1), (U2,1) ... (U11,1)]
  • the preset traffic rule is that the number of successful transactions of different accounts with the same device number is greater than 10 times in the past 10 minutes.
  • the target deduplication value set records corresponding to the gj target time windows are the same as above.
  • the deduplication threshold is set to 11, that is, the preset traffic rule is adjusted to "same device.”
  • the number of successful transactions in different accounts is equal to 10 in the past 10 minutes.
  • the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to i and j is greater than or equal to 11, then it can be determined Heavy traffic does not hit the preset traffic rule that "the number of successful transactions in different accounts with the same device number is equal to 10 in the past 10 minutes".
  • the target deduplication value set records corresponding to the gj target time windows are the same as above.
  • the deduplication threshold is set to 11, that is, the preset traffic rule is adjusted to "same The number of successful transactions in different accounts with device numbers was less than or equal to 10 in the past 10 minutes.
  • the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to i and j is greater than or equal to 11, then it can be determined Heavy traffic does not hit the preset traffic rule of "the number of successful transactions in different accounts with the same device number is less than or equal to 10 times in the past 10 minutes”.
  • the target deduplication value set records corresponding to the target time windows of gj are the same as above.
  • the deduplication threshold is set to 10
  • the preset traffic rule is adjusted to "same The number of successful transactions in different accounts of the device number is greater than or equal to 10 times in the past 10 minutes.
  • the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to h, i, and j is greater than or equal to 10.
  • This deduplication traffic hits the preset traffic rule of “the number of successful transactions in different accounts with the same device number is greater than or equal to 10 in the past 10 minutes”.
  • the target deduplication value set records corresponding to the gj target time windows are the same as above.
  • the deduplication threshold is set to 10
  • the preset traffic rule is adjusted to "same device.”
  • the number of successful transactions in different accounts was less than 10 in the past 10 minutes.
  • the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to h, i, and j is greater than or equal to 10.
  • This deduplication flow does not hit the preset flow rule that "the number of successful transactions in different accounts with the same device number is less than 10 in the past 10 minutes".
  • the server determines that the number of deduplication values for each target deduplication set is less than the deduplication threshold, the deduplication values under each target deduplication set are merged, and the target operator is greater than If the number of merged deduplication values is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic hits a preset traffic rule. In the case where the target operator is equal to, less than or equal to, or less than, if the number of combined deduplication values is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic does not hit a preset traffic rule.
  • the preset traffic rule becomes: the number of successful transactions of different accounts with the same device number is greater than 100 in the past 10 minutes, it can be determined that the target operator is greater than, the deduplication threshold is 101, and the target deduplication determined in step 205 is performed.
  • the value set and the corresponding target time are recorded as follows:
  • i-device D-2018-05-04T10 00: 00 [(U1,1), (U2,1) ... (U11,1)]
  • the server traverses the deduplication values under each target deduplication value set of gj are less than 101, and can merge the deduplication values under each target deduplication value set.
  • there is a total of 101 U1 to U101 that need to be merged. Value that is, it is determined that the number of merged deduplication values 101 is equal to the deduplication threshold 101, then it is determined that the target deduplication traffic hits the preset traffic rule of "the number of successful transactions in the same account with different account number is greater than 100 in the past 10 minutes" .
  • the server when the server determines that the target deduplication traffic hits a preset traffic rule, it can output prompt information. After the operation and maintenance personnel sees the prompt information, it can process it in time to achieve risk control of deduplication traffic. .
  • the server after the server determines that the target deduplication traffic hits a preset traffic rule, it can also obtain account information corresponding to the target deduplication traffic and add identification information to the account information, where the identification information is used to identify the The target account corresponding to the account information has historical abnormal behavior. Further, the server may distribute the account information after adding the identification information to other servers, prompting other server target accounts for historical abnormal behavior. In this way, any other server that receives the account information can send an early warning notification when it detects that the target account is logged in, notifying the target account of historical abnormal behavior, and further improving risk control.
  • the account information may include a device number, a user ID, an IP address, a login account, and the like, and the identification information may be a mark symbol.
  • the identification information may further include a history time when the target deduplication traffic hits a preset traffic rule, and a preset traffic rule.
  • other servers may store the account information in the memory.
  • another server detects that the target account corresponding to the account information is logged in, it may obtain pre-stored account information and output an early warning notification based on the account information.
  • the early warning notification includes the historical time when the target deduplication traffic hits a preset traffic rule. And preset traffic rules.
  • the operation and maintenance personnel can view the specific historical abnormal behavior of the target account, and then perform subsequent operations.
  • the specific historical abnormal behavior of the target account may be that the target account hits a preset rule at a certain point in time.
  • the target operator if it is determined that the quantity in any target deduplication value set is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic hits a preset traffic Rules, and output prompt information; or, if the target operator is equal to, less than or equal to, or less than, if it is determined that the number of any target deduplication value set is greater than or equal to the deduplication threshold, determine whether the target deduplication traffic is not Hit the preset traffic rule and output a prompt message.
  • the number of deduplication values in the target time window can be reduced, the calculation efficiency can be improved, and it is helpful to prompt the user to perform risk control more efficiently.
  • An embodiment of the present application further provides a deduplication traffic prompting device, which is configured to execute a module of the method described in FIG. 1 or FIG. 2.
  • a deduplication traffic prompting device which is configured to execute a module of the method described in FIG. 1 or FIG. 2.
  • FIG. 4 it is a schematic block diagram of a deduplication traffic prompting device provided by an embodiment of the present application.
  • the device for prompting deduplication traffic in this embodiment includes a determining module 40, a determining module 41, an obtaining module 42, and an output module 43.
  • a judging module 40 configured to judge, if a message is received, whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule;
  • the determining module 41 determines that the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, then determines the method for calculating the traffic according to the preset traffic rule and the current system time. Multiple target time windows for target deduplication traffic;
  • An obtaining module 42 is configured to obtain respective deduplication traffic data corresponding to the multiple target time windows, where the deduplication traffic data is used to record deduplication values of historical deduplication traffic;
  • the obtaining module 42 is further configured to determine a deduplication threshold for calculating the target deduplication traffic according to the preset traffic rule, and the deduplication in each of the multiple time windows. Obtaining a number of deduplication values equal to the deduplication threshold in the traffic data, and obtaining a set of deduplication values corresponding to each time window;
  • the determining module 40 is further configured to determine whether the target deduplication traffic hits the preset traffic rule according to the number of deduplication values in the deduplication value set corresponding to each target time window;
  • An output module 43 is configured to output a prompt message if the determination module determines that the target deduplication traffic hits the preset traffic rule.
  • the determining module 41 is specifically configured to: parse the preset traffic rule to determine a target operator and a characteristic threshold corresponding to the target operator; and determine a value corresponding to the target operator based on the preset value rule.
  • the target operator and the feature threshold match the deduplication threshold used to calculate the target deduplication traffic.
  • the target operator includes at least one of greater than, equal to, less than or equal to, greater than or equal to, and less than, and the determining module 41 is specifically configured to identify the target operator, and If it is greater than, equal to, or less than or equal to, the value after the feature threshold is increased by 1 is determined as the deduplication threshold used to calculate the target deduplication traffic; when the target operator is greater than or equal to or less than Next, a value corresponding to the characteristic threshold is determined as a deduplication threshold used to calculate the target deduplication traffic.
  • the judging module 40 is specifically configured to: parse the deduplication value sets corresponding to the respective target time windows, and obtain a target deduplication value that is not an empty set from each of the deduplication value sets. Set, and iterate over the number of deduplication values in each of the target deduplication value sets; if the target operator is greater than or greater than or equal to, if the number in any target deduplication value set is greater than or Is equal to the deduplication threshold, it is determined that the target deduplication traffic hits the preset traffic rule; if the target operator is equal to, less than, or less than, if any of the target deduplication values in the set If the number is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic does not hit the preset traffic rule.
  • the apparatus further includes: a merging module 44, wherein:
  • a merging module 44 for merging the deduplication values in each of the target deduplication sets if the number of deduplications in each of the target deduplication sets is less than the deduplication threshold;
  • the judging module 40 is further configured to determine the target deduplication traffic if the number of the deduplication values after merging is greater than or equal to the deduplication threshold when the target operator is greater than or greater than or equal to Hit the preset traffic rule;
  • the judging module 40 is further configured to determine, when the target operator is equal to, less than or equal to, or less than the number of the deduplication values after the merge is greater than or equal to the deduplication threshold, determining the target deduplication value. Heavy traffic does not hit the preset traffic rule.
  • the judging module 40 is specifically configured to: parse the message to obtain field point information of the message; and determine whether the traffic corresponding to the message is the same as the pre-planned traffic according to the field point information. Set the target to match the traffic rules to deduplicate the traffic.
  • the determining module 41 is specifically configured to: analyze the preset traffic rule to determine a statistical duration for counting the target deduplication traffic and a time granularity corresponding to the statistical duration; according to the statistical duration and Determining a statistical time period for counting the target deduplication traffic at the current system time; and determining multiple target time windows for counting the target deduplication traffic that match the time granularity within the statistical time period .
  • FIG. 5 is a schematic block diagram of a server according to an embodiment of the present application.
  • the server includes a processor 501, a memory 502, and a network interface 503.
  • the processor 501, the memory 502, and the network interface 503 may be connected through a bus or in other manners.
  • connection through a bus is taken as an example.
  • the network interface 503 is controlled by the processor to send and receive messages, and the memory 502 is used to store a computer program.
  • the computer program includes program instructions, and the processor 501 is configured to execute the program instructions stored in the memory 502.
  • the processor 501 is configured to call the program instruction to execute: if a message is received, determine whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule; if it is determined that The traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule, and a plurality of target time windows for calculating the target deduplication traffic are determined according to the preset traffic rule and the current system time; Acquiring respective deduplication traffic data corresponding to the multiple target time windows, where the deduplication traffic data is used to record deduplication values of historical deduplication traffic; and determined to be used to calculate the target according to the preset traffic rule A deduplication threshold of deduplication traffic, and obtaining a deduplication value equal to the deduplication threshold from the deduplication traffic data of each target time window in the multiple target time windows, to obtain each target time The set of deduplication values corresponding to each window; and according to the number of deduplication values in the set of deduplication values corresponding to
  • the processor 501 may be a Central Processing Unit (CPU), and the processor 501 may also be another general-purpose processor or a digital signal processor (Digital Signal Processor, DSP). ), Application Specific Integrated Circuit (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the memory 502 may include a read-only memory and a random access memory, and provide instructions and data to the processor 501. A part of the memory 502 may further include a non-volatile random access memory. For example, the memory 502 may also store information of a device type.
  • the processor 501, the memory 502, and the network interface 503 described in the embodiment of the present application may execute the implementation manner described in the method embodiment shown in FIG. 1 or FIG. 2 provided by the embodiment of the present application, and may also execute The implementation manner of the deduplication traffic prompting device described in the embodiment of the present application is not repeated here.
  • a computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions are implemented when executed by a processor: When a message is received, determine whether the traffic corresponding to the message is the target deduplication traffic that matches the preset traffic rule; if it is determined that the traffic corresponding to the message is the destination that matches the preset traffic rule Heavy traffic, determining a plurality of target time windows for calculating the target deduplication traffic according to the preset traffic rule and the current system time; obtaining respective deduplication traffic data corresponding to the multiple target time windows, The deduplication traffic data is used to record the deduplication value of historical deduplication traffic; a deduplication threshold value used to calculate the target deduplication traffic is determined according to the preset traffic rule, and within the multiple target time windows Obtaining a deduplication value equal to the deduplication threshold in the deduplication traffic data of each target time window in each of the target time windows, to obtain each of the target time
  • the computer-readable storage medium may be an internal storage unit of the server according to any of the foregoing embodiments, such as a hard disk or a memory of the server.
  • the computer-readable storage medium may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), and a Secure Digital (SD) card provided on the server. , Flash card (Flash card) and so on.
  • the computer-readable storage medium may further include both an internal storage unit of the server and an external storage device.
  • the computer-readable storage medium is used to store the computer program and other programs and data required by the server.
  • the computer-readable storage medium may also be used to temporarily store data that has been or will be output.
  • the program can be stored in a computer-readable storage medium.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random, Access Memory, RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed are a deduplication traffic prompting method and apparatus, and a server and a storage medium. The method comprises: where it is determined that traffic corresponding to a message is target deduplication traffic, determining deduplication traffic data used for recording deduplication values of historical deduplication traffic, respectively corresponding to a plurality of target time windows and required when the target deduplication traffic is calculated, and determining, according to a pre-set traffic rule, a deduplication threshold value for calculating the target deduplication traffic; acquiring deduplication values, the quantity of which is equal to the deduplication threshold value, from the deduplication traffic data of target time windows to obtain deduplication value sets respectively corresponding to the target time windows; and then determining, according to the quantity of deduplication values in the deduplication value sets, whether the target deduplication traffic meets the pre-set traffic rule, and if so, outputting prompting information. Applying the present application can reduce the quantity of deduplication values to be acquired in a target time window, increase calculation efficiency and facilitate prompting a user to perform risk control more efficiently.

Description

一种去重流量提示方法、装置、服务器及存储介质Method, device, server and storage medium for prompting deduplication traffic
本申请要求于2018年06月30日提交中国专利局、申请号为201810704335.X、申请名称为“一种去重流量提示方法、装置、服务器及存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed on June 30, 2018 with the Chinese Patent Office, application number 201810704335.X, and application name "A Method, Device, Server, and Storage Medium for Deduplication Traffic Alert" The entire contents are incorporated herein by reference.
技术领域Technical field
本申请涉及计算机技术领域,尤其涉及一种去重流量提示方法、装置、服务器及存储介质。The present application relates to the field of computer technology, and in particular, to a method, a device, a server, and a storage medium for prompting deduplication traffic.
背景技术Background technique
目前,为了加强风险控制,通常会在判断出某条去重流量命中预设流量规则时,输出告警信息。但是,当确定某条去重流量是否命中流量规则时,通常需要将该条去重流量对应待统计时间段内的所有去重值均取出来进行计算,进而根据取出的去重值数量来判断该条去重流量是否命中规则。当遇到极端规则时,去重值数量可能成千上万,这种情况,如果把待统计时间段内的所有去重值均取出,会造成io过高,且计算效率低下,降低了提示效率。At present, in order to strengthen risk control, an alarm message is usually output when it is determined that a certain de-duplication traffic hits a preset traffic rule. However, when determining whether a certain deduplication flow hits the traffic rule, it is usually necessary to take out all deduplication values corresponding to the time period to be counted for calculation, and then judge based on the number of deduplication values taken out. Whether the deduplication traffic hits the rule. When encountering extreme rules, the number of deduplication values may be tens of thousands. In this case, if all deduplication values are taken out in the time period to be counted, the io will be too high, and the calculation efficiency will be low, which will reduce the prompt. effectiveness.
发明内容Summary of the invention
本申请实施例提供了一种去重流量提示方法、装置、服务器及存储介质,可以减少获取待统计时间段内去重值的数量,提高计算效率,有利于更高效提示用户进行风险控制。The embodiments of the present application provide a method, a device, a server and a storage medium for prompting deduplication traffic, which can reduce the number of deduplication values obtained in the time period to be counted, improve the calculation efficiency, and help to prompt the user to perform risk control more efficiently.
第一方面,本申请实施例提供了一种去重流量记录方法,该方法包括:In a first aspect, an embodiment of the present application provides a deduplication flow recording method, which includes:
在接收到报文的情况下,判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量;If a message is received, determining whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule;
若判断出所述报文对应的流量为与预设流量规则匹配的目标去重流量,则根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口;If it is determined that the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, a plurality of targets for calculating the target deduplication traffic are determined according to the preset traffic rule and the current system time. Time window
获取所述多个目标时间窗口下各自对应的去重流量数据,所述去重流量数据用于记录历史去重流量的去重值;Obtaining respective deduplication traffic data corresponding to the multiple target time windows, where the deduplication traffic data is used to record deduplication values of historical deduplication traffic;
根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,并在所述多个目标时间窗口中的各个目标时间窗口的所述去重流量数据中获取数量等于所述去重阈值的去重值,得到所述各个目标时间窗口各自对应的去重值集合;Determining a deduplication threshold value for calculating the target deduplication traffic according to the preset traffic rule, and obtaining a quantity equal to the deduplication traffic data in each of the target time windows in the multiple target time windows The deduplication value of the deduplication threshold, to obtain the deduplication value set corresponding to each target time window;
根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则,若命中,则输出提示信息。Determining whether the target deduplication traffic hits the preset traffic rule according to the number of deduplication values in the deduplication value set corresponding to each target time window, and if it hits, outputting a prompt message.
第二方面,本申请实施例提供了一种去重流量提示装置,该去重流量提示装置包括用于执行上述第一方面的方法的单元。In a second aspect, an embodiment of the present application provides a deduplication flow prompting device, and the deduplication flow prompting device includes a unit for executing the method in the first aspect.
第三方面,本申请实施例提供了一种服务器,该服务器包括处理器、网络接口和存储器,所述处理器、网络接口和存储器相互连接,其中,所述网络接口受所述处理器的控制用于收发消息,所述存储器用于存储支持服务器执行上述方法的计算机程序,所述计算机程序包括程序指令,所述处理器被配置用于调用所述程序指令,执行上述第一方面的方法。In a third aspect, an embodiment of the present application provides a server. The server includes a processor, a network interface, and a memory. The processor, the network interface, and the memory are connected to each other. The network interface is controlled by the processor. The memory is configured to receive and send messages, and the memory is configured to store a computer program that supports a server to execute the foregoing method, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
第四方面,本申请实施例提供了一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所 述处理器执行上述第一方面的方法。In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium. The computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a processor, cause all the The processor executes the method of the first aspect.
采用本申请,可以减少获取目标时间窗口内去重值的数量,提高计算效率,有利于更高效地提示用户进行风险控制。By adopting this application, the number of deduplication values in the target time window can be reduced, the calculation efficiency can be improved, and it is helpful to prompt the user to perform risk control more efficiently.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1是本申请实施例提供的一种去重流量提示方法的流程示意图;FIG. 1 is a schematic flowchart of a method for prompting deduplication traffic according to an embodiment of the present application; FIG.
图2是本申请实施例提供的另一种去重流量提示方法的流程示意图;FIG. 2 is a schematic flowchart of another method for prompting deduplication traffic according to an embodiment of the present application; FIG.
图3是本申请实施例提供的一种流量规则配置操作界面的示意图;3 is a schematic diagram of an operation interface for configuring a traffic rule according to an embodiment of the present application;
图4是本申请实施例提供的一种去重流量提示装置的示意性框图;4 is a schematic block diagram of a deduplication traffic prompting device according to an embodiment of the present application;
图5是本申请实施例提供的一种服务器的示意性框图。FIG. 5 is a schematic block diagram of a server according to an embodiment of the present application.
具体实施方式detailed description
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in this application, all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of this application.
参见图1,图1是本申请实施例提供的一种去重流量提示方法的流程示意图,如图所示,该去重流量提示方法可包括:Referring to FIG. 1, FIG. 1 is a schematic flowchart of a method for prompting deduplication traffic according to an embodiment of the present application. As shown in the figure, the method for prompting deduplication traffic may include:
101、服务器在接收到报文的情况下,判断该报文对应的流量是否为与预设流量规则匹配的目标去重流量。101. In the case of receiving a message, the server determines whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule.
在一个实施例中,用户可以通过流量规则配置页面预先对流量规则进行配置(即预设流量规则),配置的目的是为了确定对何种流量执行流量规则,以及执行该流量规则的统计时长等等,本申请主要是配置去重流量规则,对去重流量执行流量规则。其中,去重流量为关注不同去重值的流量,该去重值可以为一个唯一标识,如设备号、ID号、账号等等。例如,一条流量为同设备号不同用户交易次数,其中,该用户的唯一标识可以为用户账号,那么该用户账号则为去重值,这条流量关注不同的用户(即去重值),则为去重流量。In one embodiment, the user can pre-configure the traffic rule (that is, a preset traffic rule) through the traffic rule configuration page. The purpose of the configuration is to determine what kind of traffic to execute the traffic rule, and the statistical duration for executing the traffic rule. Wait, this application mainly configures deduplication traffic rules and implements the traffic rules for deduplication traffic. Among them, deduplication traffic is traffic that focuses on different deduplication values, and the deduplication value can be a unique identifier, such as a device number, ID number, account number, and so on. For example, a traffic is the number of transactions of different users with the same device number, where the unique identifier of the user can be a user account, then the user account is a deduplication value. This traffic focuses on different users (that is, deduplication values). To de-duplicate traffic.
这种情况下,服务器接收到报文后,可以解析该定报文的各字段点信息,如果通过解析字段点信息确定出该报文对应的流量为与预先配置的流量规则(即预设规则)匹配,则可以确定需要对该报文对应的流量执行流量规则,也即该报文对应的流量为目标去重流量。In this case, after receiving the packet, the server can parse the field point information of the fixed packet. If the field point information is parsed to determine that the traffic corresponding to the packet is the same as the pre-configured traffic rule (that is, a preset rule) ) Match, it can be determined that the traffic rule corresponding to the message needs to be executed, that is, the traffic corresponding to the message is the target deduplication traffic.
102、若服务器判断出该报文对应的流量为与预设流量规则匹配的目标去重流量,则根据预设流量规则和当前系统时间确定出用于计算目标去重流量的多个目标时间窗口。102. If the server determines that the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, then determines multiple target time windows for calculating the target deduplication traffic according to the preset traffic rule and the current system time. .
其中,上述多个目标时间窗口是以时间粒度进行分类的,每个时间粒度的目标时间窗口存在优先级,例如:秒钟级别>分钟级别>小时级别>天级别>周级别>月级别。The multiple target time windows are classified by time granularity, and each target time window has a priority, such as: second level> minute level> hour level> day level> week level> month level.
在一个实施例中,上述预设流量规则还预定义了统计该目标去重流量的统计时长,服务器判断出该报文对应的流量为与预设流量规则匹配的目标去重流量后,可以解析该预设流量规则,确定出统计目标去重流量的统计时长以及统计时长对应的时间粒度,并根据统计时长和当前系统时间确定出计算该目标去重流量的统计时间段,进而在该待统计时间段内确定出与时间粒度匹配的用于计算该目标去重流量的多个目标时间窗口。In one embodiment, the preset traffic rule also predefines the statistical duration of the target deduplication traffic. After the server determines that the traffic corresponding to the packet is the target deduplication traffic that matches the preset traffic rule, it can analyze The preset traffic rule determines the statistical duration of the statistical target deduplication traffic and the time granularity corresponding to the statistical duration, and determines the statistical time period for calculating the target deduplication traffic according to the statistical duration and the current system time. Multiple target time windows matching the time granularity for calculating the target deduplication traffic are determined within the time period.
示例性的,目标去重流量为来自设备D的一条流量,用户在流量规则配置页面预先定义的统计时长为10分钟,该统计时长对应的时间粒度为分钟,当前系统时间为2018-05-04T10:08:34。这种情况下,服务器将以当前系统时间倒推10分钟的这一时间段确定为该目标去重流量的统计时间段,也即该目标去重流量的统计时间段为2018-05-04T09:58:34—2018-05-04T10:08:34。进一步地,在该统计时间段内确定出关于设备D的,且时间粒度为分钟的多个目标时间窗口。该多个目标时间窗口则为以下10个分钟级 别的时间窗口:Exemplarily, the target deduplication traffic is a piece of traffic from device D. The user's predefined statistics duration on the traffic rule configuration page is 10 minutes. The statistical duration corresponds to the time granularity of minutes. The current system time is 2018-05-04T10. : 08: 34. In this case, the server will determine the time period of the target deduplicated traffic by the current system time of 10 minutes, that is, the target deduplicated traffic statistics time period is 2018-05-04T09: 58: 34—2018-05-04T10: 08: 34. Further, a plurality of target time windows with a time granularity of minutes regarding the device D are determined within the statistical time period. The multiple target time windows are the following 10-minute time windows:
a设备D-2018-05-04T10:08:00a device D-2018-05-04T10: 08: 00
b设备D-2018-05-04T10:07:00b device D-2018-05-04T10: 07: 00
c设备D-2018-05-04T10:06:00c device D-2018-05-04T10: 06: 00
d设备D-2018-05-04T10:05:00d device D-2018-05-04T10: 05: 00
e设备D-2018-05-04T10:04:00e device D-2018-05-04T10: 04: 00
f设备D-2018-05-04T10:03:00f device D-2018-05-04T10: 03: 00
g设备D-2018-05-04T10:02:00g device D-2018-05-04T10: 02: 00
h设备D-2018-05-04T10:01:00h device D-2018-05-04T10: 01: 00
i设备D-2018-0.5-04T10:00:00i device D-2018-0.5-04T10: 00: 00
j设备D-2018-05-04T9:59:00jDevice D-2018-05-04T9: 59: 00
103、服务器获取多个目标时间窗口下各自对应的去重流量数据,该去重流量数据用于记录历史去重流量的去重值。103. The server obtains deduplication traffic data corresponding to multiple target time windows, and the deduplication traffic data is used to record deduplication values of historical deduplication traffic.
在一个实施例中,每个目标时间窗口下均记录了历史去重流量(即去重流量数据),记录的形式为记录各个历史去重流量对应去重值在各个目标时间窗口出现的次数,如目标时间窗口g,记录的数据可以为:设备D-2018-05-04T10:02:00→[(U101,1)],其中U101即为去重值,1表征该去重值U101在目标时间窗口g出现了1次。这种情况下,服务器确定出统计该目标去重流量的多个目标时间窗口后,可以获取各个目标时间窗口下各自记录的去重流量数据。In one embodiment, historical deduplication traffic (that is, deduplication traffic data) is recorded under each target time window, and the recording form is to record the number of times that the deduplication value corresponding to each historical deduplication traffic appears in each target time window. For example, the target time window g, the recorded data can be: device D-2018-05-04T10: 02: 00 → [(U101,1)], where U101 is the deduplication value, 1 indicates that the deduplication value U101 is at the target The time window g appears once. In this case, after the server determines multiple target time windows for counting the target deduplication traffic, it can obtain the deduplication traffic data recorded under each target time window.
104、服务器根据预设流量规则确定出用于计算该目标去重流量的去重阈值,并在多个目标时间窗口中的各个目标时间窗口的去重流量数据中获取数量等于去重阈值的去重值,得到各个目标时间窗口各自对应的去重值集合。104. The server determines a deduplication threshold used to calculate the target deduplication traffic according to a preset traffic rule, and obtains a number of deduplication traffic data equal to the deduplication threshold from the deduplication traffic data of each target time window in multiple target time windows. Re-evaluation to obtain the de-duplication value set corresponding to each target time window.
其中,服务器需要确定出计算该目标去重流量所需的去重阈值时,可以解析预设流量规则,确定出目标操作符以及所述目标操作符对应的特征阈值,并基于预设取值规则,确定出与目标操作符以及特征阈值匹配的计算目标去重流量所需的去重阈值。When the server needs to determine the deduplication threshold required to calculate the target deduplication traffic, it can parse the preset traffic rule, determine the target operator and the feature threshold corresponding to the target operator, and based on the preset value rule To determine the deduplication threshold required to calculate the target deduplication traffic that matches the target operator and feature threshold.
其中,该目标操作符可以包括大于、小于、等于、大于等于和小于等于中的至少一种。具体选择何种操作符,是根据预设流量规则确定的。例如,预设流量规则为“同设备不同用户交易成功次数10分钟内大于10次”,那么服务器则可以通过解析该预设流量规则,将目标操作符确定为“大于”,将目标操作符对应的特征阈值确定为“10”。The target operator may include at least one of greater than, less than, equal to, greater than or equal to, and less than or equal to. Which operator is selected is determined according to a preset traffic rule. For example, if the preset traffic rule is "the number of successful transactions of different users on the same device is greater than 10 times within 10 minutes", then the server can determine the target operator as "greater than" by parsing the preset traffic rule, and corresponding the target operator The feature threshold is determined as "10".
在一个实施例中,服务器可以识别目标操作符,在目标操作符为大于、等于或者小于等于的情况下,将特征阈值增加1后的数值确定为用于计算目标去重流量的去重阈值。在目标操作符为大于等于或者小于的情况下,将特征阈值对应的数值确定为用于计算目标去重流量的去重阈值。In one embodiment, the server may identify the target operator, and when the target operator is greater than, equal to, or less than or equal to, the value after the feature threshold is increased by 1 is determined as the deduplication threshold for calculating the target deduplication traffic. When the target operator is greater than or equal to or less than, the value corresponding to the feature threshold is determined as the deduplication threshold used to calculate the target deduplication traffic.
具体地,假设目标操作符对应的特征阈值为x,如何根据目标操作符以及特征阈值确定出计算目标去重流量所需的去重阈值,主要可以分为以下几种情况:Specifically, assuming that the feature threshold corresponding to the target operator is x, how to determine the deduplication threshold required to calculate the target deduplication traffic according to the target operator and the feature threshold can be divided into the following cases:
1)目标操作符为“>”“=”“<=”,去重阈值取“x+1”,之所以这么取的逻辑是由于:如果待统计时间段内的时间窗口下的去重值已经大于或者等于“x+1”,那么当前的这条目标去重流量必定命中“>x”这条规则;“=x”这条规则必定不命中;“<=x”这条规则必定也不命中;1) The target operator is ">" "=" "<=", and the deduplication threshold is "x + 1". The logic for this is because: if the deduplication value is within the time window within the time period to be counted If it is greater than or equal to "x + 1", then the current target deduplication traffic must hit the rule "> x"; the rule "= x" must not hit; the rule "<= x" must also Missed
2)目标操作符为“>=”“<”,去重阈值取“x”,之所以这么取的逻辑是由于:如果待统计时间段内的时间窗口下的去重值已经大于或者等于“x”,那么当前的这条目标去重流量必定命中“>=x”这条规则;“<x”这条规则必定不命中。2) The target operator is "> =" "<", and the deduplication threshold is "x". The reason for this is because if the deduplication value in the time window within the time period to be counted is greater than or equal to " x ", then the current target deduplication traffic must hit the"> = x "rule; the" <x "rule must not hit.
在一个实施例中,当服务器确定出计算该目标去重流量所需的去重阈值后,可以获取到的每个目标时间窗口的去重流量数据中去获取数量等于去重阈值的去重值,每次获取均 会返回一个获取结果,该获取结果为一个去重值集合。示例性地,服务器确定出计算该目标去重流量所需的去重阈值为11,步骤103获取到多个目标时间窗口下各自对应的去重流量数据记录如下:In one embodiment, after the server determines the deduplication threshold required to calculate the target deduplication traffic, it can obtain deduplication values equal to the deduplication threshold in the deduplication traffic data for each target time window that can be obtained. , Each fetch will return a fetch result, the fetch result is a set of deduplication values. Exemplarily, the server determines that the deduplication threshold required to calculate the target deduplication traffic is 11, and in step 103, the corresponding deduplication traffic data records obtained in multiple target time windows are as follows:
a设备D-2018-05-04T10:08:00□[][]表示没有空,没有流量a device D-2018-05-04T10: 08: 00 □ [] [] means there is no air, no traffic
b设备D-2018-05-04T10:07:00□[]b device D-2018-05-04T10: 07: 00 □ []
c设备D-2018-05-04T10:06:00□[]c device D-2018-05-04T10: 06: 00 □ []
d设备D-2018-05-04T10:05:00□[]d equipment D-2018-05-04T10: 05: 00 □ []
e设备D-2018-05-04T10:04:00□[]e device D-2018-05-04T10: 04: 00 □ []
f设备D-2018-05-04T10:03:00□[]f device D-2018-05-04T10: 03: 00 □ []
g设备D-2018-05-04T10:02:00□[(U101,1)]g device D-2018-05-04T10: 02: 00 □ [(U101,1)]
h设备D-2018-05-04T10:01:00□[(U1,1),(U2,1)……(U10,1)]  有10个用户被记录下来h Device D-2018-05-04T10: 01: 00 □ [(U1,1), (U2,1) ... (U10,1)] 10 users were recorded
i.设备D-2018-0.5-04T10:00:00□[(U1,1),(U2,1)……(U11,1)]  有11个用户被记录下来i. Device D-2018-0.5-04T10: 00: 00 □ [(U1,1), (U2,1) ... (U11,1)] 11 users were recorded
j设备D-2018-05-04T9:59:00□[(U1,1),(U2,1)……(U100,1)]  有100个用户被记录下来j Device D-2018-05-04T9: 59: 00 □ [(U1,1), (U2,1) ... (U100,1)] 100 users have been recorded
这种情况下,服务器可以只在每个目标时间窗口下尝试着取11(即特征阈值)个去重值,那么对于a-j的这10个分钟级的目标时间窗口,取11个去重值后的结果,也即得到的各个时间目标时间窗口各自对应的去重值集合分别为:In this case, the server can only try to take 11 (that is, the feature threshold) deduplication values under each target time window. Then for the 10 minute target time window of aj, take 11 deduplication values. The result, that is, the set of deduplication values corresponding to each time target time window is:
a设备D-2018-05-04T10:08:00□窗口没有去重值,返回空集a Device D-2018-05-04T10: 08: 00 □ There is no duplicate value in the window, and an empty set is returned.
b设备D-2018-05-04T10:07:00□同上b Device D-2018-05-04T10: 07: 00
c设备D-2018-05-04T10:06:00□同上c device D-2018-05-04T10: 06: 00
d设备D-2018-05-04T10:05:00□同上d equipment D-2018-05-04T10: 05: 00
e设备D-2018-05-04T10:04:00□同上e device D-2018-05-04T10: 04: 00
f设备D-2018-05-04T10:03:00□同上f device D-2018-05-04T10: 03: 00
g设备D-2018-05-04T10:02:00□共一个去重值,全部返回后得到去重值集合[(U101,1)]g device D-2018-05-04T10: 02: 00 □ a total of deduplication values, after all return to get the deduplication value set [(U101, 1)]
h设备D-2018-05-04T10:01:00□共10个去重值,全部返回后得到去重值集合[(U1,1),(U2,1)……(U10,1)]h device D-2018-05-04T10: 01: 00 □ A total of 10 deduplication values. After returning all, we get the deduplication value set [(U1,1), (U2,1) ... (U10,1)]
i.设备D-2018-0.5-04T10:00:00□刚好11个去重值,全部返回得到去重值集合[(U1,1),(U2,1)……(U11,1)]i. Device D-2018-0.5-04T10: 00: 00 □ Just 11 deduplication values, all returned to get the deduplication value set [(U1,1), (U2,1) ... (U11,1)]
j设备D-2018-05-04T9:59:00□取前11个去重值,返回后得到去重值集合[(U1,1),(U2,1)……(U11,1)]jDevice D-2018-05-04T9: 59: 00 □ Take the first 11 deduplication values and get the deduplication value set after returning [(U1,1), (U2,1) ... (U11,1)]
105、服务器根据各个目标时间窗口各自对应的去重值集合中去重值的数量,确定去重流量是否命中预设流量规则,若命中,则输出提示信息。105. The server determines whether the deduplication traffic hits a preset traffic rule according to the number of deduplication values in the corresponding deduplication value set corresponding to each target time window. If the deduplication traffic hits a preset traffic rule, it outputs a prompt message.
在一个实施例中,服务器可以解析各个目标时间窗口各自对应的去重值集合,从各个去重值集合中获取不为空集的目标去重值集合,并遍历每个目标去重值集合中去重值的数量,如果该数量命中预设流量规则,则输出提示信息,用于提示用户该条去重流量存在异常。In one embodiment, the server may parse the deduplication value set corresponding to each target time window, obtain a target deduplication value set that is not an empty set from each deduplication value set, and traverse each target deduplication value set. The number of deduplication values. If the number matches the preset traffic rule, a prompt message is output to notify the user that there is an abnormality in the deduplication traffic.
本申请实施例中,服务器可以根据预设流量规则确定出计算目标去重流量所需的去重阈值,并在多个目标时间窗口中的各个目标时间窗口的去重流量数据中获取数量等于去重阈值的去重值,得到各个目标时间窗口各自对应的去重值集合,进而根据各个目标时间窗口各自对应的去重值集合中去重值的数量,确定目标去重流量是否命中该预设流量规则,若命中,则输出提示信息。采用本申请,可以减少获取目标时间窗口内去重值的数量,提 高计算效率,有利于更高效地提示用户进行风险控制。In the embodiment of the present application, the server may determine a deduplication threshold required to calculate the target deduplication traffic according to a preset traffic rule, and obtain a quantity equal to the deduplication traffic data of each target time window in multiple target time windows. The threshold deduplication value is obtained to obtain the set of deduplication values corresponding to each target time window, and then based on the number of deduplication values in the set of deduplication values corresponding to each target time window, it is determined whether the target deduplication traffic hits the preset. Traffic rule. If it hits, it will output a prompt message. By adopting the present application, the number of deduplication values in the target time window can be reduced, the calculation efficiency can be improved, and the user can be prompted more effectively to perform risk control.
参见图2,图2是本申请实施例提供的另一种去重流量提示方法的流程示意图,如图所示,该去重流量提示方法可包括:Referring to FIG. 2, FIG. 2 is a schematic flowchart of another deduplication flow prompting method provided by an embodiment of the present application. As shown in the figure, the deduplication flow prompting method may include:
201、服务器在接收到报文的情况下,判断该报文对应的流量是否为与预设流量规则匹配的目标去重流量。201. In the case of receiving a message, the server determines whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule.
在一个实施例中,服务器接收到该报文后,可以解析该报文得到该报文的字段点信息,并根据该字段点信息判断报文对应的流量是否为与预设流量规则匹配的目标去重流量。In one embodiment, after receiving the message, the server may parse the message to obtain field point information of the message, and determine whether the traffic corresponding to the message is a target matching a preset traffic rule according to the field point information. Remove heavy traffic.
示例性,用户可以通过如图3所示的流量规则配置页面预先对去重流量进行配置,配置的目的是为了配置的目的是为了确定对何种去重流量执行流量规则,以及执行该流量规则的统计时长等等。可以看出,通过如图3所示的流量规则配置页面配置的具体内容(即预设流量规则)可包括:同设备号不同用户交易成功次数10分钟内大于10次这一流量规则,以及10分钟这一统计时长。For example, the user can configure the deduplication traffic in advance through the traffic rule configuration page shown in Figure 3. The purpose of the configuration is to determine the type of deduplication traffic to implement the traffic rule, and to execute the traffic rule. Statistics duration and so on. It can be seen that the specific content configured through the traffic rule configuration page shown in FIG. 3 (that is, the preset traffic rule) may include: a traffic rule of different users with the same device number that is greater than 10 in 10 minutes, and 10 The statistic duration is minutes.
这种情况下,服务器接收到一个交易报文,该报文内容如下:In this case, the server receives a transaction message with the following contents:
{{
“event timestamp”:“2018-05-04T10:08:34”,//业务发生时间"Event timestamp": "2018-05-04T10: 08: 34", // business occurrence time
“event id”:“001”,//交易成功状态码001表示成功002表示失败"Event id": "001", // transaction success status code 001 indicates success 002 indicates failure
“user name”:“U1”,//用户名可能是U1U2U3"User name": "U1", // user name may be U1U2U3
“ip”:“D”,//ip或者设备号地址,比如上面提到的设备D"Ip": "D", // ip or device number address, such as device D mentioned above
....//其他字段.... // Other fields
}}
服务器则对报文的各个字段点进行解析,从这个报文的字段点“user name”可以确定这条流量关注不同的用户数(即去重值),是一条与预设流量规则匹配的目标去重流量,须执行流量规则。The server parses each field point of the message. From the field point "user name" of the message, it can be determined that this traffic focuses on different numbers of users (that is, deduplication values). It is a target that matches the preset traffic rule. To de-duplicate traffic, traffic rules must be enforced.
202、若服务器判断出该报文对应的流量为与预设流量规则匹配的目标去重流量,则根据预设流量规则和当前系统时间确定出用于计算目标去重流量的多个目标时间窗口。202. If the server determines that the traffic corresponding to the packet is the target deduplication traffic that matches the preset traffic rule, then determines multiple target time windows for calculating the target deduplication traffic according to the preset traffic rule and the current system time. .
203、服务器获取多个目标时间窗口下各自对应的去重流量数据,该去重流量数据用于记录历史去重流量的去重值。203. The server obtains deduplication traffic data corresponding to multiple target time windows, and the deduplication traffic data is used to record deduplication values of historical deduplication traffic.
204、服务器解析预设流量规则,确定出目标操作符以及目标操作符对应的特征阈值,并基于预设取值规则确定出与目标操作符以及特征阈值匹配的用于计算目标去重流量的去重阈值,并在多个目标时间窗口中的各个目标时间窗口的去重流量数据中获取数量等于去重阈值的去重值,得到各个目标时间窗口各自对应的去重值集合。204. The server parses the preset traffic rule, determines a target operator and a feature threshold corresponding to the target operator, and determines, based on the preset value rule, a match for the target operator and the feature threshold for calculating the target deduplication traffic. Re-threshold, and obtain a number of de-duplication values equal to the de-duplication threshold from the de-duplication traffic data of each target time window in multiple target time windows, and obtain a set of de-duplication values corresponding to each target time window.
其中,步骤202-204的具体实施方式,可以参见上述实施例中步骤102-步骤104的相关描述,此处不再赘述。For specific implementations of steps 202-204, reference may be made to the description of steps 102-104 in the foregoing embodiment, and details are not described herein again.
205、服务器解析各个目标时间窗口各自对应的去重值集合,从各个去重值集合中获取不为空集的目标去重值集合,并遍历每个目标去重值集合中去重值的数量。205. The server parses each deduplication value set corresponding to each target time window, obtains a target deduplication value set that is not an empty set from each deduplication value set, and traverses the number of deduplication values in each target deduplication value set. .
206、在目标操作符为大于或者大于等于的情况下,若服务器确定出任一目标去重值集合中的数量大于或者等于去重阈值,则确定目标去重流量命中预设流量规则,并输出提示信息。206. In the case where the target operator is greater than or greater than or equal to, if the server determines that the quantity in any target deduplication value set is greater than or equal to the deduplication threshold, it determines that the target deduplication traffic hits a preset traffic rule, and outputs a prompt information.
207、在目标操作符为等于、小于等于或者小于的情况下,若服务器确定出任一目标去重值集合中的数量大于或者等于去重阈值,则确定目标去重流量不命中预设流量规则,并输出提示信息。207. In the case where the target operator is equal to, less than or equal to, or less than, if the server determines that the quantity in any target deduplication value set is greater than or equal to the deduplication threshold, determining that the target deduplication traffic does not hit a preset traffic rule, And output a prompt message.
例如,配置的流量规则为“同设备号不同账户交易成功次数在过去10分钟内大于10次”,可以确定出目标操作符为“>”,去重阈值为“11”,服务器执行步骤204得到的各个目标时间窗口各自对应的去重值集合为:For example, if the configured traffic rule is "the number of successful transactions in different accounts with the same device number is greater than 10 in the past 10 minutes", it can be determined that the target operator is ">" and the deduplication threshold is "11". The server executes step 204 to obtain The corresponding set of deduplication values for each target time window is:
a设备D-2018-05-04T10:08:00□窗口没有去重值,返回空集a Device D-2018-05-04T10: 08: 00 □ There is no duplicate value in the window, and an empty set is returned.
b设备D-2018-05-04T10:07:00□同上b Device D-2018-05-04T10: 07: 00
c设备D-2018-05-04T10:06:00□同上c device D-2018-05-04T10: 06: 00
d设备D-2018-05-04T10:05:00□同上d equipment D-2018-05-04T10: 05: 00
e设备D-2018-05-04T10:04:00□同上e device D-2018-05-04T10: 04: 00
f设备D-2018-05-04T10:03:00□同上f device D-2018-05-04T10: 03: 00
g设备D-2018-05-04T10:02:00□共一个去重值,全部返回后得到去重值集合[(U101,1)]g device D-2018-05-04T10: 02: 00 □ a total of deduplication values, after all return to get the deduplication value set [(U101, 1)]
h设备D-2018-05-04T10:01:00□共10个去重值,全部返回后得到去重值集合[(U1,1),(U2,1)……(U10,1)]h device D-2018-05-04T10: 01: 00 □ A total of 10 deduplication values. After returning all, we get the deduplication value set [(U1,1), (U2,1) ... (U10,1)]
i.设备D-2018-0.5-04T10:00:00□刚好11个去重值,全部返回得到去重值集合[(U1,1),(U2,1)……(U11,1)]i. Device D-2018-0.5-04T10: 00: 00 □ Just 11 deduplication values, all returned to get the deduplication value set [(U1,1), (U2,1) ... (U11,1)]
j设备D-2018-05-04T9:59:00□取前11个去重值,返回后得到去重值集合[(U1,1),(U2,1)……(U11,1)]jDevice D-2018-05-04T9: 59: 00 □ Take the first 11 deduplication values and get the deduplication value set after returning [(U1,1), (U2,1) ... (U11,1)]
丢弃未取到值的各个去重值集合(即空集),只获取去重值数量大于0的目标去重值集合,目标去重值集合与各自对应的目标时间记录如下:Discard each deduplicated value set (that is, the empty set) for which no value is obtained, and only obtain the target deduplicated value set whose number of deduplicated values is greater than 0. The target deduplicated value set and its corresponding target time are recorded as follows:
g设备D-2018-05-04T10:02:00  [(U101,1)]g device D-2018-05-04T10: 02: 00 [(U101, 1)]
h设备D-2018-05-04T10:01:00  [(U1,1),(U2,1)……(U10,1)]h Device D-2018-05-04T10: 01: 00 [(U1,1), (U2,1) ... (U10,1)]
i设备D-2018-05-04T10:00:00  [(U1,1),(U2,1)……(U11,1)]i-device D-2018-05-04T10: 00: 00 [(U1,1), (U2,1) ... (U11,1)]
j设备D-2018-05-04T9:59:00  [(U1,1),(U2,1)……(U11,1)]jEquipment D-2018-05-04T9: 59: 00 [(U1,1), (U2,1) ... (U11,1)]
进一步地,遍历g到j的目标去重值集合下的去重值的数量,确定出i和j对应目标去重值集合下的去重值数量等于11,则可以确定本条去重流量命中“同设备号不同账户交易成功次数在过去10分钟内大于10次”这一预设流量规则。Further, by traversing the number of deduplication values in the target deduplication value set from g to j, and determining that the number of deduplication values in the target deduplication value set corresponding to i and j is equal to 11, it can be determined that this deduplication traffic hit " The preset traffic rule is that the number of successful transactions of different accounts with the same device number is greater than 10 times in the past 10 minutes.
再例如,g-j目标时间窗口各自对应的目标去重值集合记录同上,这种情况下,若目标操作符调整为“等于”,去重阈值取11,也即预设流量规则调整为“同设备号不同账户交易成功次数在过去10分钟内等于10次”。这种情况下,服务器遍历g到j的目标去重值集合下的去重值的数量,确定出i和j对应目标去重值集合下的去重值数量大于等于11,则可以确定本条去重流量不命中“同设备号不同账户交易成功次数在过去10分钟内等于10次”这一预设流量规则。For another example, the target deduplication value set records corresponding to the gj target time windows are the same as above. In this case, if the target operator is adjusted to "equal to", the deduplication threshold is set to 11, that is, the preset traffic rule is adjusted to "same device." The number of successful transactions in different accounts is equal to 10 in the past 10 minutes. " In this case, the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to i and j is greater than or equal to 11, then it can be determined Heavy traffic does not hit the preset traffic rule that "the number of successful transactions in different accounts with the same device number is equal to 10 in the past 10 minutes".
又例如,g-j目标时间窗口各自对应的目标去重值集合记录同上,这种情况下,若目标操作符调整为“小于等于”,去重阈值取11,也即预设流量规则调整为“同设备号不同账户交易成功次数在过去10分钟内小于等于10次”。这种情况下,服务器遍历g到j的目标去重值集合下的去重值的数量,确定出i和j对应目标去重值集合下的去重值数量大于等于11,则可以确定本条去重流量不命中“同设备号不同账户交易成功次数在过去10分钟内小于等于10次”这一预设流量规则。For another example, the target deduplication value set records corresponding to the gj target time windows are the same as above. In this case, if the target operator is adjusted to "less than or equal to", the deduplication threshold is set to 11, that is, the preset traffic rule is adjusted to "same The number of successful transactions in different accounts with device numbers was less than or equal to 10 in the past 10 minutes. " In this case, the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to i and j is greater than or equal to 11, then it can be determined Heavy traffic does not hit the preset traffic rule of "the number of successful transactions in different accounts with the same device number is less than or equal to 10 times in the past 10 minutes".
又例如,g-j目标时间窗口各自对应的目标去重值集合记录同上,这种情况下,若目标操作符调整为“大于等于”,去重阈值取10,也即预设流量规则调整为“同设备号不同账户交易成功次数在过去10分钟内大于等于10次”。这种情况下,服务器遍历g到j的目标去重值集合下的去重值的数量,确定出h、i和j对应目标去重值集合下的去重值数量大于等于10,则可以确定本条去重流量命中“同设备号不同账户交易成功次数在过去10分钟内大于等于10次”这一预设流量规则。For another example, the target deduplication value set records corresponding to the target time windows of gj are the same as above. In this case, if the target operator is adjusted to "greater than or equal to", the deduplication threshold is set to 10, that is, the preset traffic rule is adjusted to "same The number of successful transactions in different accounts of the device number is greater than or equal to 10 times in the past 10 minutes. " In this case, the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to h, i, and j is greater than or equal to 10. This deduplication traffic hits the preset traffic rule of “the number of successful transactions in different accounts with the same device number is greater than or equal to 10 in the past 10 minutes”.
又例如,g-j目标时间窗口各自对应的目标去重值集合记录同上,这种情况下,若目标操作符调整为“小于”,去重阈值取10,也即预设流量规则调整为“同设备号不同账户交易成功次数在过去10分钟内小于10次”。这种情况下,服务器遍历g到j的目标去重值集合下的去重值的数量,确定出h、i和j对应目标去重值集合下的去重值数量大于等于10,则可以确定本条去重流量不命中“同设备号不同账户交易成功次数在过去10分钟内小于10次”这一预设流量规则。For another example, the target deduplication value set records corresponding to the gj target time windows are the same as above. In this case, if the target operator is adjusted to "less than", the deduplication threshold is set to 10, that is, the preset traffic rule is adjusted to "same device." The number of successful transactions in different accounts was less than 10 in the past 10 minutes. " In this case, the server traverses the number of deduplication values in the target deduplication value set from g to j, and determines that the number of deduplication values in the target deduplication value set corresponding to h, i, and j is greater than or equal to 10. This deduplication flow does not hit the preset flow rule that "the number of successful transactions in different accounts with the same device number is less than 10 in the past 10 minutes".
在一个实施例中,若服务器确定出每个目标去重值集合下去重值的数量均小于去重阈值,则将每个目标去重集合下的去重值进行合并,在目标操作符为大于或者大于等于的情况下,若合并后的去重值的数量大于或者等于去重阈值,则确定目标去重流量命中预设流量规则。在目标操作符为等于、小于等于或者小于的情况下,若合并后的去重值的数量大于或者等于去重阈值,则确定目标去重流量不命中预设流量规则。In one embodiment, if the server determines that the number of deduplication values for each target deduplication set is less than the deduplication threshold, the deduplication values under each target deduplication set are merged, and the target operator is greater than If the number of merged deduplication values is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic hits a preset traffic rule. In the case where the target operator is equal to, less than or equal to, or less than, if the number of combined deduplication values is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic does not hit a preset traffic rule.
例如,预设流量规则变为:同设备号不同账户交易成功次数在过去10分钟内大于100次,可以确定出目标操作符为大于,去重阈值为101,执行步骤205确定出的目标去重值集合与各自对应的目标时间记录如下:For example, the preset traffic rule becomes: the number of successful transactions of different accounts with the same device number is greater than 100 in the past 10 minutes, it can be determined that the target operator is greater than, the deduplication threshold is 101, and the target deduplication determined in step 205 is performed. The value set and the corresponding target time are recorded as follows:
g设备D-2018-05-04T10:02:00  [(U101,1)]g device D-2018-05-04T10: 02: 00 [(U101, 1)]
h设备D-2018-05-04T10:01:00  [(U1,1),(U2,1)……(U10,1)]h Device D-2018-05-04T10: 01: 00 [(U1,1), (U2,1) ... (U10,1)]
i设备D-2018-05-04T10:00:00  [(U1,1),(U2,1)……(U11,1)]i-device D-2018-05-04T10: 00: 00 [(U1,1), (U2,1) ... (U11,1)]
j设备D-2018-05-04T9:59:00  [(U1,1),(U2,1)……(U100,1)]j Device D-2018-05-04T9: 59: 00 [(U1,1), (U2,1) ... (U100,1)]
此时,服务器遍历g-j每个目标去重值集合下的去重值均小于101,则可以将每个目标去重值集合下的去重值合并,这里的需要合并U1到U101一共有101个值,也即确定合并后的去重值数量101等于去重阈值101,则确定目标去重流量命中“同设备号不同账户交易成功次数在过去10分钟内大于100次”这一预设流量规则。At this time, the server traverses the deduplication values under each target deduplication value set of gj are less than 101, and can merge the deduplication values under each target deduplication value set. Here, there is a total of 101 U1 to U101 that need to be merged. Value, that is, it is determined that the number of merged deduplication values 101 is equal to the deduplication threshold 101, then it is determined that the target deduplication traffic hits the preset traffic rule of "the number of successful transactions in the same account with different account number is greater than 100 in the past 10 minutes" .
在一个实施例中,当服务器确定出目标去重流量命中预设流量规则后,可以输出提示信息,当运维人员查看到该提示信息后,则可以及时处理,进而实现去重流量的风险控制。In one embodiment, when the server determines that the target deduplication traffic hits a preset traffic rule, it can output prompt information. After the operation and maintenance personnel sees the prompt information, it can process it in time to achieve risk control of deduplication traffic. .
在一个实施例中,当服务器确定出目标去重流量命中预设流量规则后,还可以获取该目标去重流量对应的账号信息,并对该账号信息添加标识信息,该标识信息用于标识该账号信息对应的目标账户存在历史异常行为。进一步地,服务器可以将添加标识信息后的账号信息分发到其它服务器,提示其它服务器目标账号存在历史异常行为。采用这样的方式,任一个接收到该账号信息的其它服务器均可以在检测到目标账号登录时,发出预警通知,通知目标账号存在历史异常行为,进一步提高风险控制。其中,该账号信息可以包括设备号,用户ID、IP地址或者登录账号等等,该标识信息可以为一个标记符号。In one embodiment, after the server determines that the target deduplication traffic hits a preset traffic rule, it can also obtain account information corresponding to the target deduplication traffic and add identification information to the account information, where the identification information is used to identify the The target account corresponding to the account information has historical abnormal behavior. Further, the server may distribute the account information after adding the identification information to other servers, prompting other server target accounts for historical abnormal behavior. In this way, any other server that receives the account information can send an early warning notification when it detects that the target account is logged in, notifying the target account of historical abnormal behavior, and further improving risk control. The account information may include a device number, a user ID, an IP address, a login account, and the like, and the identification information may be a mark symbol.
其中,该标识信息还可以包括目标去重流量命中预设流量规则的历史时间,以及预设流量规则。这种情况下,其它服务器接收到添加标识信息后的账号信息后,可以将该账号信息存储在存储器中。当其它服务器检测到该账号信息对应的目标账号登录时,则可以获取预先存储的账号信息,并根据该账号信息输出预警通知,该预警通知包括目标去重流量命中预设流量规则的历史时间,以及预设流量规则。采用这样的方式,运维人员接收到预警通知后,可以查看目标账号具体的历史异常行为,进而执行后续的操作。例如,该目标账号具体的历史异常行为可以为目标账号在某一时间点命中了某一条预设规则。The identification information may further include a history time when the target deduplication traffic hits a preset traffic rule, and a preset traffic rule. In this case, after receiving the account information after adding the identification information, other servers may store the account information in the memory. When another server detects that the target account corresponding to the account information is logged in, it may obtain pre-stored account information and output an early warning notification based on the account information. The early warning notification includes the historical time when the target deduplication traffic hits a preset traffic rule. And preset traffic rules. In this way, after receiving the warning notification, the operation and maintenance personnel can view the specific historical abnormal behavior of the target account, and then perform subsequent operations. For example, the specific historical abnormal behavior of the target account may be that the target account hits a preset rule at a certain point in time.
本申请实施例中,服务器可以在目标操作符为大于或者大于等于的情况下,若确定出任一目标去重值集合中的数量大于或者等于去重阈值,则确定目标去重流量命中预设流量规则,并输出提示信息;或者,在目标操作符为等于、小于等于或者小于的情况下,若确定出任一目标去重值集合中的数量大于或者等于去重阈值,则确定目标去重流量不命中预设流量规则,并输出提示信息。采用本申请,可以减少获取目标时间窗口内去重值的数量,提高计算效率,有利于更高效地提示用户进行风险控制。In the embodiment of the present application, if the target operator is greater than or greater than or equal to, if it is determined that the quantity in any target deduplication value set is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic hits a preset traffic Rules, and output prompt information; or, if the target operator is equal to, less than or equal to, or less than, if it is determined that the number of any target deduplication value set is greater than or equal to the deduplication threshold, determine whether the target deduplication traffic is not Hit the preset traffic rule and output a prompt message. By adopting this application, the number of deduplication values in the target time window can be reduced, the calculation efficiency can be improved, and it is helpful to prompt the user to perform risk control more efficiently.
本申请实施例还提供了一种去重流量提示装置,该装置用于执行前述图1或者图2所述的方法的模块。具体地,参见图4,是本申请实施例提供的一种去重流量提示装置的示意框图。本实施例的去重流量提示装置包括:判断模块40、确定模块41、获取模块42以及输出模块43。An embodiment of the present application further provides a deduplication traffic prompting device, which is configured to execute a module of the method described in FIG. 1 or FIG. 2. Specifically, referring to FIG. 4, it is a schematic block diagram of a deduplication traffic prompting device provided by an embodiment of the present application. The device for prompting deduplication traffic in this embodiment includes a determining module 40, a determining module 41, an obtaining module 42, and an output module 43.
判断模块40,用于在接收到报文的情况下,判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量;A judging module 40, configured to judge, if a message is received, whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule;
确定模块41,若所述判断模块判断出所述报文对应的流量为与预设流量规则匹配的目标去重流量,则根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口;The determining module 41, if the determining module determines that the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, then determines the method for calculating the traffic according to the preset traffic rule and the current system time. Multiple target time windows for target deduplication traffic;
获取模块42,用于获取所述多个目标时间窗口下各自对应的去重流量数据,所述去重流量数据用于记录历史去重流量的去重值;An obtaining module 42 is configured to obtain respective deduplication traffic data corresponding to the multiple target time windows, where the deduplication traffic data is used to record deduplication values of historical deduplication traffic;
所述获取模块42,还用于根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,并在所述多个时间窗口中的各个时间窗口的所述去重流量数据中获取数量等于所述去重阈值的去重值,得到所述各个时间窗口各自对应的去重值集合;The obtaining module 42 is further configured to determine a deduplication threshold for calculating the target deduplication traffic according to the preset traffic rule, and the deduplication in each of the multiple time windows. Obtaining a number of deduplication values equal to the deduplication threshold in the traffic data, and obtaining a set of deduplication values corresponding to each time window;
所述判断模块40,还用于根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则;The determining module 40 is further configured to determine whether the target deduplication traffic hits the preset traffic rule according to the number of deduplication values in the deduplication value set corresponding to each target time window;
输出模块43,用于若所述判断模块确定出所述目标去重流量命中所述预设流量规则,则输出提示信息。An output module 43 is configured to output a prompt message if the determination module determines that the target deduplication traffic hits the preset traffic rule.
在一个实施例中,确定模块41,具体用于:解析所述预设流量规则,确定出目标操作符以及所述目标操作符对应的特征阈值;基于预设取值规则,确定出与所述目标操作符以及所述特征阈值匹配的用于计算所述目标去重流量的去重阈值。In one embodiment, the determining module 41 is specifically configured to: parse the preset traffic rule to determine a target operator and a characteristic threshold corresponding to the target operator; and determine a value corresponding to the target operator based on the preset value rule. The target operator and the feature threshold match the deduplication threshold used to calculate the target deduplication traffic.
在一个实施例中,所述目标操作符包括大于、等于、小于等于、大于等于和小于中的至少一种,确定模块41,具体用于:识别所述目标操作符,在所述目标操作符为大于、等于或者小于等于的情况下,将所述特征阈值增加1后的数值确定为用于计算所述目标去重流量的去重阈值;在所述目标操作符为大于等于或者小于的情况下,将所述特征阈值对应的数值确定为用于计算所述目标去重流量的去重阈值。In an embodiment, the target operator includes at least one of greater than, equal to, less than or equal to, greater than or equal to, and less than, and the determining module 41 is specifically configured to identify the target operator, and If it is greater than, equal to, or less than or equal to, the value after the feature threshold is increased by 1 is determined as the deduplication threshold used to calculate the target deduplication traffic; when the target operator is greater than or equal to or less than Next, a value corresponding to the characteristic threshold is determined as a deduplication threshold used to calculate the target deduplication traffic.
在一个实施例中,判断模块40,具体用于:解析所述各个目标时间窗口各自对应的所述去重值集合,从各个所述去重值集合中获取不为空集的目标去重值集合,并遍历每个所述目标去重值集合中去重值的数量;在所述目标操作符为大于或者大于等于的情况下,若任一目标去重值集合中的所述数量大于或者等于所述去重阈值,则确定所述目标去重流量命中所述预设流量规则;在所述目标操作符为等于、小于等于或者小于的情况下,若任一目标去重值集合中的所述数量大于或者等于所述去重阈值,则确定所述目标去重流量不命中所述预设流量规则。In one embodiment, the judging module 40 is specifically configured to: parse the deduplication value sets corresponding to the respective target time windows, and obtain a target deduplication value that is not an empty set from each of the deduplication value sets. Set, and iterate over the number of deduplication values in each of the target deduplication value sets; if the target operator is greater than or greater than or equal to, if the number in any target deduplication value set is greater than or Is equal to the deduplication threshold, it is determined that the target deduplication traffic hits the preset traffic rule; if the target operator is equal to, less than, or less than, if any of the target deduplication values in the set If the number is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic does not hit the preset traffic rule.
在一个实施例中,所述装置还包括:合并模块44,其中:In one embodiment, the apparatus further includes: a merging module 44, wherein:
合并模块44,用于若每个所述目标去重值集合下去重值的数量均小于所述去重阈值,则将每个所述目标去重集合下的去重值进行合并;A merging module 44 for merging the deduplication values in each of the target deduplication sets if the number of deduplications in each of the target deduplication sets is less than the deduplication threshold;
判断模块40,还用于在所述目标操作符为大于或者大于等于的情况下,若合并后的所述去重值的数量大于或者等于所述去重阈值,则确定所述目标去重流量命中所述预设流量规则;The judging module 40 is further configured to determine the target deduplication traffic if the number of the deduplication values after merging is greater than or equal to the deduplication threshold when the target operator is greater than or greater than or equal to Hit the preset traffic rule;
判断模块40,还用于在所述目标操作符为等于、小于等于或者小于的情况下,若合并后的所述去重值的数量大于或者等于所述去重阈值,则确定所述目标去重流量不命中所述预设流量规则。The judging module 40 is further configured to determine, when the target operator is equal to, less than or equal to, or less than the number of the deduplication values after the merge is greater than or equal to the deduplication threshold, determining the target deduplication value. Heavy traffic does not hit the preset traffic rule.
在一个实施例中,判断模块40,具体用于:解析所述报文,得到所述报文的字段点信 息;根据所述字段点信息判断所述报文对应的流量是否为与所述预设流量规则匹配的目标去重流量。In one embodiment, the judging module 40 is specifically configured to: parse the message to obtain field point information of the message; and determine whether the traffic corresponding to the message is the same as the pre-planned traffic according to the field point information. Set the target to match the traffic rules to deduplicate the traffic.
在一个实施例中,确定模块41,具体用于:解析所述预设流量规则,确定出统计所述目标去重流量的统计时长以及所述统计时长对应的时间粒度;根据所述统计时长和所述当前系统时间确定出统计所述目标去重流量的统计时间段;在所述统计时间段内确定出与所述时间粒度匹配的用于统计所述目标去重流量的多个目标时间窗口。In one embodiment, the determining module 41 is specifically configured to: analyze the preset traffic rule to determine a statistical duration for counting the target deduplication traffic and a time granularity corresponding to the statistical duration; according to the statistical duration and Determining a statistical time period for counting the target deduplication traffic at the current system time; and determining multiple target time windows for counting the target deduplication traffic that match the time granularity within the statistical time period .
需要说明的是,本申请实施例所描述的去重流量提示装置的各功能模块的功能可根据图1或者图2所述的方法实施例中的方法具体实现,其具体实现过程可以参照图1或者图2的方法实施例的相关描述,此处不再赘述。It should be noted that the functions of the functional modules of the deduplication traffic prompting device described in the embodiments of the present application may be specifically implemented according to the method in the method embodiment described in FIG. 1 or FIG. 2. Or the related description of the method embodiment in FIG. 2 is not repeated here.
请参见图5,图5是本申请实施例提供的一种服务器的示意性框图,如图5所示,该服务器包括,处理器501、存储器502和网络接口503。上述处理器501、存储器502和网络接口503可通过总线或其他方式连接,在本申请实施例所示图5中以通过总线连接为例。其中,网络接口503受所述处理器的控制用于收发消息,存储器502用于存储计算机程序,所述计算机程序包括程序指令,处理器501用于执行存储器502存储的程序指令。其中,处理器501被配置用于调用所述程序指令执行:在接收到报文的情况下,判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量;若判断出所述报文对应的流量为与预设流量规则匹配的目标去重流量,则根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口;获取所述多个目标时间窗口下各自对应的去重流量数据,所述去重流量数据用于记录历史去重流量的去重值;根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,并在所述多个目标时间窗口中的各个目标时间窗口的所述去重流量数据中获取数量等于所述去重阈值的去重值,得到所述各个目标时间窗口各自对应的去重值集合;根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则,若命中,则输出提示信息。Please refer to FIG. 5, which is a schematic block diagram of a server according to an embodiment of the present application. As shown in FIG. 5, the server includes a processor 501, a memory 502, and a network interface 503. The processor 501, the memory 502, and the network interface 503 may be connected through a bus or in other manners. In FIG. 5 shown in the embodiment of the present application, connection through a bus is taken as an example. The network interface 503 is controlled by the processor to send and receive messages, and the memory 502 is used to store a computer program. The computer program includes program instructions, and the processor 501 is configured to execute the program instructions stored in the memory 502. Wherein, the processor 501 is configured to call the program instruction to execute: if a message is received, determine whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule; if it is determined that The traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule, and a plurality of target time windows for calculating the target deduplication traffic are determined according to the preset traffic rule and the current system time; Acquiring respective deduplication traffic data corresponding to the multiple target time windows, where the deduplication traffic data is used to record deduplication values of historical deduplication traffic; and determined to be used to calculate the target according to the preset traffic rule A deduplication threshold of deduplication traffic, and obtaining a deduplication value equal to the deduplication threshold from the deduplication traffic data of each target time window in the multiple target time windows, to obtain each target time The set of deduplication values corresponding to each window; and according to the number of deduplication values in the set of deduplication values corresponding to each of the target time windows, it is determined that the target deduplication traffic is Hit the preset flow rule, if hit, the system outputs.
应当理解,在本申请实施例中,所称处理器501可以是中央处理单元(Central Processing Unit,CPU),该处理器501还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现成可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。It should be understood that, in the embodiment of the present application, the processor 501 may be a Central Processing Unit (CPU), and the processor 501 may also be another general-purpose processor or a digital signal processor (Digital Signal Processor, DSP). ), Application Specific Integrated Circuit (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
该存储器502可以包括只读存储器和随机存取存储器,并向处理器501提供指令和数据。存储器502的一部分还可以包括非易失性随机存取存储器。例如,存储器502还可以存储设备类型的信息。The memory 502 may include a read-only memory and a random access memory, and provide instructions and data to the processor 501. A part of the memory 502 may further include a non-volatile random access memory. For example, the memory 502 may also store information of a device type.
具体实现中,本申请实施例中所描述的处理器501、存储器502和网络接口503可执行本申请实施例提供的图1或者图2所述的方法实施例所描述的实现方式,也可执行本申请实施例所描述的去重流量提示装置的实现方式,在此不再赘述。In specific implementation, the processor 501, the memory 502, and the network interface 503 described in the embodiment of the present application may execute the implementation manner described in the method embodiment shown in FIG. 1 or FIG. 2 provided by the embodiment of the present application, and may also execute The implementation manner of the deduplication traffic prompting device described in the embodiment of the present application is not repeated here.
在本申请的另一实施例中提供一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令被处理器执行时实现:在接收到报文的情况下,判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量;若判断出所述报文对应的流量为与预设流量规则匹配的目标去重流量,则根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口;获取所述多个目标时间窗口下各自对应的去重流量数据,所述去重流量数据用于记录历史去重流量的去重值;根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,并 在所述多个目标时间窗口中的各个目标时间窗口的所述去重流量数据中获取数量等于所述去重阈值的去重值,得到所述各个目标时间窗口各自对应的去重值集合;根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则,若命中,则输出提示信息。In another embodiment of the present application, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions are implemented when executed by a processor: When a message is received, determine whether the traffic corresponding to the message is the target deduplication traffic that matches the preset traffic rule; if it is determined that the traffic corresponding to the message is the destination that matches the preset traffic rule Heavy traffic, determining a plurality of target time windows for calculating the target deduplication traffic according to the preset traffic rule and the current system time; obtaining respective deduplication traffic data corresponding to the multiple target time windows, The deduplication traffic data is used to record the deduplication value of historical deduplication traffic; a deduplication threshold value used to calculate the target deduplication traffic is determined according to the preset traffic rule, and within the multiple target time windows Obtaining a deduplication value equal to the deduplication threshold in the deduplication traffic data of each target time window in each of the target time windows, to obtain each of the target time windows A corresponding deduplication value set; determining whether the target deduplication traffic hits the preset traffic rule according to the number of deduplication values in the deduplication value set corresponding to each target time window, and if it hits, then Output a prompt message.
所述计算机可读存储介质可以是前述任一实施例所述的服务器的内部存储单元,例如服务器的硬盘或内存。所述计算机可读存储介质也可以是所述服务器的外部存储设备,例如所述服务器上配备的插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。进一步地,所述计算机可读存储介质还可以既包括所述服务器的内部存储单元也包括外部存储设备。所述计算机可读存储介质用于存储所述计算机程序以及所述服务器所需的其他程序和数据。所述计算机可读存储介质还可以用于暂时地存储已经输出或者将要输出的数据。The computer-readable storage medium may be an internal storage unit of the server according to any of the foregoing embodiments, such as a hard disk or a memory of the server. The computer-readable storage medium may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), and a Secure Digital (SD) card provided on the server. , Flash card (Flash card) and so on. Further, the computer-readable storage medium may further include both an internal storage unit of the server and an external storage device. The computer-readable storage medium is used to store the computer program and other programs and data required by the server. The computer-readable storage medium may also be used to temporarily store data that has been or will be output.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关的硬件来完成,所述的程序可存储于一计算机可读取存储介质中,该程序在执行时,可包括如上述各方法的实施例的流程。其中,所述的存储介质可为磁碟、光盘、只读存储记忆体(Read-Only Memory,ROM)或随机存储记忆体(Random Access Memory,RAM)等。Those of ordinary skill in the art can understand that all or part of the processes in the method of the foregoing embodiment can be implemented by using a computer program to instruct related hardware. The program can be stored in a computer-readable storage medium. When executed, the processes of the embodiments of the methods described above may be included. The storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random, Access Memory, RAM).
以上所揭露的仅为本申请的部分实施例而已,当然不能以此来限定本申请之权利范围,本领域普通技术人员可以理解实现上述实施例的全部或部分流程,并依本申请权利要求所作的等同变化,仍属于发明所涵盖的范围。The above disclosure is only a part of the embodiments of this application, and of course, the scope of rights of this application cannot be limited by this. Those skilled in the art can understand all or part of the processes of implementing the above embodiments and make according to the claims of this application. The equivalent changes still fall within the scope of the invention.

Claims (20)

  1. 一种去重流量提示方法,其特征在于,包括:A method for prompting deduplication traffic, which comprises:
    在接收到报文的情况下,判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量;If a message is received, determining whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule;
    若判断出所述报文对应的流量为与预设流量规则匹配的目标去重流量,则根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口;If it is determined that the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, a plurality of targets for calculating the target deduplication traffic are determined according to the preset traffic rule and the current system time. Time window
    获取所述多个目标时间窗口下各自对应的去重流量数据,所述去重流量数据用于记录历史去重流量的去重值;Obtaining respective deduplication traffic data corresponding to the multiple target time windows, where the deduplication traffic data is used to record deduplication values of historical deduplication traffic;
    根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,并在所述多个目标时间窗口中的各个目标时间窗口的所述去重流量数据中获取数量等于所述去重阈值的去重值,得到所述各个目标时间窗口各自对应的去重值集合;Determining a deduplication threshold value for calculating the target deduplication traffic according to the preset traffic rule, and obtaining a quantity equal to the deduplication traffic data in each of the target time windows in the multiple target time windows The deduplication value of the deduplication threshold, to obtain the deduplication value set corresponding to each target time window;
    根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则,若命中,则输出提示信息。Determining whether the target deduplication traffic hits the preset traffic rule according to the number of deduplication values in the deduplication value set corresponding to each target time window, and if it hits, outputting a prompt message.
  2. 根据权利要求1所述的方法,其特征在于,所述根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,包括:The method according to claim 1, wherein the determining a deduplication threshold for calculating the target deduplication traffic according to the preset traffic rule comprises:
    解析所述预设流量规则,确定出目标操作符以及所述目标操作符对应的特征阈值;Parse the preset traffic rule to determine a target operator and a feature threshold corresponding to the target operator;
    基于预设取值规则,确定出与所述目标操作符以及所述特征阈值匹配的用于计算所述目标去重流量的去重阈值。Based on a preset value selection rule, a deduplication threshold value that matches the target operator and the feature threshold and is used to calculate the target deduplication traffic is determined.
  3. 根据权利要求2所述的方法,其特征在于,所述目标操作符包括大于、等于、小于等于、大于等于和小于中的至少一种,所述基于预设取值规则,确定出与所述目标操作符以及所述特征阈值匹配的用于计算所述目标去重流量的去重阈值,包括:The method according to claim 2, wherein the target operator comprises at least one of greater than, equal to, less than or equal to, greater than or equal to, and less than, and the determining is based on the preset value rule, The target operator and the feature threshold matching the deduplication threshold used to calculate the target deduplication traffic include:
    识别所述目标操作符,在所述目标操作符为大于、等于或者小于等于的情况下,将所述特征阈值增加1后的数值确定为用于计算所述目标去重流量的去重阈值;Identifying the target operator, and in a case where the target operator is greater than, equal to, or less than or equal to, determining a value after the feature threshold is increased by 1 as a deduplication threshold used to calculate the target deduplication traffic;
    在所述目标操作符为大于等于或者小于的情况下,将所述特征阈值对应的数值确定为用于计算所述目标去重流量的去重阈值。When the target operator is greater than or equal to or less than, a value corresponding to the feature threshold is determined as a deduplication threshold used to calculate the target deduplication traffic.
  4. 根据权利要求2或3所述的方法,其特征在于,所述根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则,包括:The method according to claim 2 or 3, wherein, according to the number of deduplication values in the deduplication value set corresponding to each of the target time windows, determining whether the target deduplication traffic hits all Describe the default traffic rules, including:
    解析所述各个目标时间窗口各自对应的所述去重值集合,从各个所述去重值集合中获取不为空集的目标去重值集合,并遍历每个所述目标去重值集合中去重值的数量;Parse the deduplication value set corresponding to each target time window, obtain a target deduplication value set that is not an empty set from each of the deduplication value sets, and traverse each of the target deduplication value sets Number of deduplication values;
    在所述目标操作符为大于或者大于等于的情况下,若任一目标去重值集合中的所述数量大于或者等于所述去重阈值,则确定所述目标去重流量命中所述预设流量规则;In a case where the target operator is greater than or greater than or equal to, if the number in any target deduplication value set is greater than or equal to the deduplication threshold, determining that the target deduplication traffic hits the preset Traffic rules
    在所述目标操作符为等于、小于等于或者小于的情况下,若任一目标去重值集合中的所述数量大于或者等于所述去重阈值,则确定所述目标去重流量不命中所述预设流量规则。In a case where the target operator is equal to, less than or equal to, or less than, if the number in any target deduplication value set is greater than or equal to the deduplication threshold, determining that the target deduplication traffic does not hit the destination The default traffic rules are described.
  5. 根据权利要求4所述的方法,其特征在于,所述遍历每个所述目标去重值集合下去重值的数量之后,所述方法还包括:The method according to claim 4, wherein after traversing the number of deduplication values of each target deduplication set, the method further comprises:
    若每个所述目标去重值集合下去重值的数量均小于所述去重阈值,则将每个所述目标去重集合下的去重值进行合并;If the number of deduplication values of each target deduplication set is less than the deduplication threshold, combining the deduplication values of each of the target deduplication sets;
    在所述目标操作符为大于或者大于等于的情况下,若合并后的所述去重值的数量大于或者等于所述去重阈值,则确定所述目标去重流量命中所述预设流量规则;In a case where the target operator is greater than or greater than or equal to, if the number of merged deduplication values is greater than or equal to the deduplication threshold, determining that the target deduplication traffic hits the preset traffic rule ;
    在所述目标操作符为等于、小于等于或者小于的情况下,若合并后的所述去重值的数量大于或者等于所述去重阈值,则确定所述目标去重流量不命中所述预设流量规则。In a case where the target operator is equal to, less than or equal to, or less than, if the number of the deduplication values after being merged is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic does not hit the pre-deduplication flow. Set up traffic rules.
  6. 根据权利要求1-5任一项所述的方法,其特征在于,所述判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量,包括:The method according to any one of claims 1 to 5, wherein the determining whether the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, comprises:
    解析所述报文,得到所述报文的字段点信息;Parse the message to obtain field point information of the message;
    根据所述字段点信息判断所述报文对应的流量是否为与所述预设流量规则匹配的目标去重流量。It is determined according to the field point information whether the traffic corresponding to the message is a target deduplication traffic that matches the preset traffic rule.
  7. 根据权利要求1-6任一项所述的方法,其特征在于,所述预设流量规则还预定义了统计所述目标去重流量的统计时长,所述根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口,包括:The method according to any one of claims 1-6, wherein the preset traffic rule further predefines a statistical duration for counting the target deduplication traffic, and the according to the preset traffic rule and the current The system time determines a plurality of target time windows for calculating the target deduplication traffic, including:
    解析所述预设流量规则,确定出计算所述目标去重流量的统计时长以及所述统计时长对应的时间粒度;Parse the preset traffic rule to determine a statistical duration for calculating the target deduplication traffic and a time granularity corresponding to the statistical duration;
    根据所述统计时长和所述当前系统时间确定出计算所述目标去重流量的统计时间段;Determining a statistical time period for calculating the target deduplication traffic according to the statistical duration and the current system time;
    在所述统计时间段内确定出与所述时间粒度匹配的用于计算所述目标去重流量的多个目标时间窗口。A plurality of target time windows for calculating the target deduplication traffic matching the time granularity are determined within the statistical time period.
  8. 一种去重流量提示装置,其特征在于,包括:A deduplication flow prompting device, comprising:
    判断模块,用于在接收到报文的情况下,判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量;A judging module, configured to judge, if a message is received, whether the traffic corresponding to the message is a target deduplication traffic that matches a preset traffic rule;
    确定模块,若所述判断模块判断出所述报文对应的流量为与预设流量规则匹配的目标去重流量,则根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口;A determining module, if the judging module determines that the traffic corresponding to the packet is a target deduplication traffic that matches a preset traffic rule, determining the target for calculating the target according to the preset traffic rule and the current system time Multiple target time windows for deduplication traffic;
    获取模块,用于获取所述多个目标时间窗口下各自对应的去重流量数据,所述去重流量数据用于记录历史去重流量的去重值;An obtaining module, configured to obtain respective deduplication traffic data corresponding to the multiple target time windows, where the deduplication traffic data is used to record deduplication values of historical deduplication traffic;
    所述获取模块,还用于根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,并在所述多个时间窗口中的各个时间窗口的所述去重流量数据中获取数量等于所述去重阈值的去重值,得到所述各个时间窗口各自对应的去重值集合;The acquisition module is further configured to determine a deduplication threshold for calculating the target deduplication traffic according to the preset traffic rule, and the deduplication traffic in each of the multiple time windows. Obtaining a number of deduplication values equal to the deduplication threshold in the data, and obtaining a set of deduplication values corresponding to each time window;
    所述判断模块,还用于根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则;The judging module is further configured to determine whether the target deduplication traffic matches the preset traffic rule according to the number of deduplication values in the deduplication value set corresponding to each target time window;
    输出模块,用于若所述判断模块确定出所述目标去重流量命中所述预设流量规则,则输出提示信息。An output module is configured to output a prompt message if the determination module determines that the target deduplication traffic hits the preset traffic rule.
  9. 根据权利要求8所述的装置,其特征在于,所述确定模块,具体用于:解析所述预设流量规则,确定出目标操作符以及所述目标操作符对应的特征阈值;基于预设取值规则,确定出与所述目标操作符以及所述特征阈值匹配的用于计算所述目标去重流量的去重阈值。The device according to claim 8, wherein the determining module is specifically configured to: analyze the preset traffic rule to determine a target operator and a feature threshold corresponding to the target operator; The value rule determines a deduplication threshold that is used to calculate the target deduplication traffic that matches the target operator and the feature threshold.
  10. 根据权利要求9所述的装置,其特征在于,所述目标操作符包括大于、等于、小于等于、大于等于和小于中的至少一种,所述确定模块,具体用于:识别所述目标操作符,在所述目标操作符为大于、等于或者小于等于的情况下,将所述特征阈值增加1后的数值确定为用于计算所述目标去重流量的去重阈值;在所述目标操作符为大于等于或者小于的情况下,将所述特征阈值对应的数值确定为用于计算所述目标去重流量的去重阈值。The device according to claim 9, wherein the target operator comprises at least one of greater than, equal to, less than or equal to, greater than or equal to, and less than, and the determining module is specifically configured to identify the target operation If the target operator is greater than, equal to, or less than or equal to, the value after the characteristic threshold is increased by 1 is determined as the deduplication threshold used to calculate the target deduplication traffic; When the symbol is greater than or equal to or less than, the value corresponding to the characteristic threshold is determined as a deduplication threshold used to calculate the target deduplication traffic.
  11. 根据权利要求9或10所述的装置,其特征在于,所述判断模块,具体用于:解析所述各个目标时间窗口各自对应的所述去重值集合,从各个所述去重值集合中获取不为空集的目标去重值集合,并遍历每个所述目标去重值集合中去重值的数量;在所述目标操作符为大于或者大于等于的情况下,若任一目标去重值集合中的所述数量大于或者等于所述去重阈值,则确定所述目标去重流量命中所述预设流量规则;在所述目标操作符为等于、小于等于或者小于的情况下,若任一目标去重值集合中的所述数量大于或者等于所述去重阈值,则确定所述目标去重流量不命中所述预设流量规则。The device according to claim 9 or 10, wherein the judging module is specifically configured to: parse the deduplication value sets corresponding to the respective target time windows, and select from each of the deduplication value sets Obtain a target deduplication value set that is not the empty set, and traverse the number of deduplication values in each of the target deduplication value sets; in the case that the target operator is greater than or greater than or equal to, if any target is deduplicated If the number in the re-value set is greater than or equal to the de-duplication threshold, it is determined that the target de-duplication traffic hits the preset traffic rule; and when the target operator is equal to, less than or equal to, or less than, If the number in any target deduplication value set is greater than or equal to the deduplication threshold, it is determined that the target deduplication traffic does not hit the preset traffic rule.
  12. 根据权利要求11所述的装置,所述装置还包括:合并模块,其中:The apparatus according to claim 11, further comprising: a merging module, wherein:
    所述合并模块,用于若每个所述目标去重值集合下去重值的数量均小于所述去重阈值,则将每个所述目标去重集合下的去重值进行合并;The merging module is configured to merge the deduplication values under each of the target deduplication sets if the number of deduplication values for each of the target deduplication sets is less than the deduplication threshold;
    所述判断模块,还用于在所述目标操作符为大于或者大于等于的情况下,若合并后的所述去重值的数量大于或者等于所述去重阈值,则确定所述目标去重流量命中所述预设流量规则;The judging module is further configured to determine the target deduplication if the number of the deduplication values after merging is greater than or equal to the deduplication threshold when the target operator is greater than or greater than or equal to The traffic hits the preset traffic rule;
    所述判断模块,还用于在所述目标操作符为等于、小于等于或者小于的情况下,若合并后的所述去重值的数量大于或者等于所述去重阈值,则确定所述目标去重流量不命中所述预设流量规则。The judging module is further configured to determine the target if the number of deduplication values after merging is greater than or equal to the deduplication threshold when the target operator is equal to, less than or equal to, or less than The deduplication traffic does not hit the preset traffic rule.
  13. 根据权利要求8-12任一项所述的装置,其特征在于,所述判断模块,具体用于:解析所述报文,得到所述报文的字段点信息;根据所述字段点信息判断所述报文对应的流量是否为与所述预设流量规则匹配的目标去重流量。The device according to any one of claims 8-12, wherein the judgment module is specifically configured to: parse the message to obtain field point information of the message; and judge according to the field point information Whether the traffic corresponding to the message is a target deduplication traffic that matches the preset traffic rule.
  14. 根据权利要求8-13任一项所述的装置,其特征在于,所述确定模块,具体用于:解析所述预设流量规则,确定出统计所述目标去重流量的统计时长以及所述统计时长对应的时间粒度;根据所述统计时长和所述当前系统时间确定出统计所述目标去重流量的统计时间段;在所述统计时间段内确定出与所述时间粒度匹配的用于统计所述目标去重流量的多个目标时间窗口。The device according to any one of claims 8-13, wherein the determination module is specifically configured to: analyze the preset traffic rule to determine a statistical duration for counting the target deduplication traffic and the statistics A time granularity corresponding to the statistical duration; determining a statistical time period for counting the target deduplication traffic according to the statistical duration and the current system time; and determining, within the statistical time period, a matching time granularity for the Count multiple target time windows of the target deduplication traffic.
  15. 一种服务器,其特征在于,包括处理器、存储器和网络接口,所述处理器、所述存储器和所述网络接口相互连接,其中,所述网络接口受所述处理器的控制用于收发消息,所述存储器用于存储计算机程序,所述计算机程序包括程序指令,所述处理器被配置用于调用所述程序指令执行:在通过所述网络接口接收到报文的情况下,判断所述报文对应的流量是否为与预设流量规则匹配的目标去重流量;若判断出所述报文对应的流量为与预设流量规则匹配的目标去重流量,则根据所述预设流量规则和当前系统时间确定出用于计算所述目标去重流量的多个目标时间窗口;获取所述多个目标时间窗口下各自对应的去重流量数据,所述去重流量数据用于记录历史去重流量的去重值;根据所述预设流量规则确定出用于计算所述目标去重流量的去重阈值,并在所述多个目标时间窗口中的各个目标时间窗口的所述去重流量数据中获取数量等于所述去重阈值的去重值,得到所述各个目标时间窗口各自对应的去重值集合;根据所述各个目标时间窗口各自对应的所述去重值集合中去重值的数量,确定所述目标去重流量是否命中所述预设流量规则,若命中,则输出提示信息。A server includes a processor, a memory, and a network interface. The processor, the memory, and the network interface are connected to each other. The network interface is controlled by the processor and is used to send and receive messages. The memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to execute: when a message is received through the network interface, determining the Whether the traffic corresponding to the message is the target deduplication traffic that matches the preset traffic rule; if it is determined that the traffic corresponding to the message is the target deduplication traffic that matches the preset traffic rule, according to the preset traffic rule Determine multiple target time windows for calculating the target deduplication traffic with the current system time; obtain respective deduplication traffic data corresponding to the multiple target time windows, and the deduplication traffic data is used to record historical deduplication traffic A deduplication value of heavy traffic; a deduplication threshold used to calculate the target deduplication traffic is determined according to the preset traffic rule, and A number of deduplication values equal to the deduplication threshold is obtained from the deduplication traffic data of each target time window in the target time window, and a set of deduplication values corresponding to each target time window is obtained; according to each target, The number of deduplication values in the deduplication value set corresponding to each of the time windows determines whether the target deduplication traffic hits the preset traffic rule, and if it hits, a prompt message is output.
  16. 根据权利要求15所述的服务器,其特征在于,所述预设流量配置信息包括记录的时间精度,所述处理器,还用于从所述预设流量配置信息中获取所述记录的时间精度,并根据所述记录的时间精度确定出最小时间粒度窗口和次小时间粒度窗口,所述最小时间粒度窗口的时间粒度小于所述次小时间粒度窗口的时间粒度;将所述业务产生时间对应的所述最小时间粒度窗口确定为最小业务时间窗口,将所述业务产生时间对应的所述次小时间粒度窗口确定为次小业务时间窗口;基于所述最小业务时间窗口和所述次小业务时间窗口确定出用于记录所述去重流量的多个业务时间窗口。The server according to claim 15, wherein the preset flow configuration information includes recorded time accuracy, and the processor is further configured to obtain the recorded time accuracy from the preset flow configuration information. And determining a minimum time granularity window and a second small time granularity window according to the recorded time accuracy, the time granularity of the minimum time granularity window being smaller than the time granularity of the second small time granularity window; corresponding to the time when the service was generated The minimum time granularity window is determined as the minimum business time window, and the second small time granularity window corresponding to the service generation time is determined as the second small business time window; based on the minimum business time window and the second small business The time window determines a plurality of service time windows for recording the deduplication traffic.
  17. 根据权利要求15或16所述的服务器,其特征在于,所述指示信息用于指示对所述去重流量执行流量加操作,所述处理器,还用于解析所述指示信息,在所述指示信息用于指示对所述去重流量执行所述流量加操作的情况下,判断所述去重流量是否为重复流量;若所述去重流量不为所述重复流量,则在所述多个业务时间窗口下分别对所述去重流量出现的次数执行增加操作;若所述去重流量为所述重复流量,则对所述多个业务时间窗口中各个业务时间窗口下的所述去重流量出现的次数均保持不变。The server according to claim 15 or 16, wherein the instruction information is used to instruct a traffic addition operation to be performed on the deduplicated traffic, and the processor is further configured to parse the instruction information. The instruction information is used to instruct whether to perform the traffic addition operation on the deduplicated traffic, to determine whether the deduplicated traffic is a duplicate traffic; if the deduplicated traffic is not the duplicate traffic, then Performing an increase operation on the number of times that the deduplication traffic occurs under each service time window; if the deduplication traffic is the repeated traffic, the deduplication under each service time window in the multiple service time windows is performed; The number of occurrences of heavy traffic remains unchanged.
  18. 根据权利要求15或16所述的服务器,其特征在于,所述指示信息用于指示对所 述去重流量执行流量减操作,所述处理器,还用于解析所述指示信息,确定所述指示信息是否用于指示对所述去重流量执行所述流量减操作;若所述指示信息是用于指示对所述去重流量执行所述流量减操作,则在所述多个业务时间窗口下分别对所述去重流量出现的次数执行减少操作。The server according to claim 15 or 16, wherein the instruction information is used to instruct a traffic reduction operation to be performed on the deduplicated traffic, and the processor is further configured to parse the instruction information to determine the Whether the indication information is used to instruct the traffic deduction operation to be performed on the deduplicated traffic; if the indication information is used to instruct the traffic deduction operation to be performed on the deduplicated traffic, in the multiple service time windows Perform a reduction operation on the number of times that the deduplication traffic occurs.
  19. 根据权利要求15-18任一项所述的服务器,其特征在于,所述预设流量配置信息还包括失效时长阈值,所述处理器,还用于针对所述多个业务时间窗口开启计时功能;在当前所计时长大于或者等于所述失效时长阈值的情况下,将所述多个时间窗口下所述去重流量的记录数据删除。The server according to any one of claims 15 to 18, wherein the preset traffic configuration information further includes a failure duration threshold, and the processor is further configured to enable a timing function for the multiple service time windows In the case where the current time length is greater than or equal to the failure duration threshold, deleting the recorded data of the deduplication traffic in the multiple time windows.
  20. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所述处理器执行如权利要求1-7任一项所述的方法。A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, the computer program includes program instructions, and when the program instructions are executed by a processor, the processor executes The method according to any one of claims 1-7 is required.
PCT/CN2018/108475 2018-06-30 2018-09-28 Deduplication traffic prompting method and apparatus, and server and storage medium WO2020000744A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810704335.XA CN108923972B (en) 2018-06-30 2018-06-30 Weight-reducing flow prompting method, device, server and storage medium
CN201810704335.X 2018-06-30

Publications (1)

Publication Number Publication Date
WO2020000744A1 true WO2020000744A1 (en) 2020-01-02

Family

ID=64423821

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/108475 WO2020000744A1 (en) 2018-06-30 2018-09-28 Deduplication traffic prompting method and apparatus, and server and storage medium

Country Status (2)

Country Link
CN (1) CN108923972B (en)
WO (1) WO2020000744A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109995613B (en) * 2019-03-29 2021-02-05 北京乐蜜科技有限责任公司 Flow calculation method and device
CN111142942B (en) * 2019-12-26 2023-08-04 远景智能国际私人投资有限公司 Window data processing method and device, server and storage medium
CN111177137B (en) * 2019-12-30 2023-10-13 广州酷狗计算机科技有限公司 Method, device, equipment and storage medium for data deduplication
CN113190567B (en) * 2021-04-28 2021-09-28 支付宝(杭州)信息技术有限公司 Transaction detection method and device
CN115086195B (en) * 2022-06-09 2024-02-02 北京锐安科技有限公司 Method, device, equipment and medium for determining message de-duplication time of shunt equipment
CN114996261B (en) * 2022-08-05 2022-10-28 深圳市深蓝信息科技开发有限公司 AIS data-based duplicate removal method and device, terminal equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050283511A1 (en) * 2003-09-09 2005-12-22 Wei Fan Cross-feature analysis
CN107623605A (en) * 2016-07-14 2018-01-23 精硕科技(北京)股份有限公司 The method and system of network traffics duplicate removal
CN107995046A (en) * 2017-12-20 2018-05-04 北京搜狐新媒体信息技术有限公司 A kind of network alarming analysis method, device and electronic equipment
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103559282B (en) * 2013-11-07 2018-02-23 北京国双科技有限公司 The De-weight method and device of real-time system data
JP6266479B2 (en) * 2014-09-12 2018-01-24 東芝メモリ株式会社 Memory system
CN105468699B (en) * 2015-11-18 2019-06-18 珠海多玩信息技术有限公司 Duplicate removal data statistical approach and equipment
CN106452868B (en) * 2016-10-12 2019-04-05 中国电子科技集团公司第三十研究所 A kind of network flow statistic implementation method for supporting various dimensions polymerization classification
CN106844143A (en) * 2016-12-27 2017-06-13 微梦创科网络科技(中国)有限公司 A kind of daily record duplicate removal treatment method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050283511A1 (en) * 2003-09-09 2005-12-22 Wei Fan Cross-feature analysis
CN107623605A (en) * 2016-07-14 2018-01-23 精硕科技(北京)股份有限公司 The method and system of network traffics duplicate removal
CN107995046A (en) * 2017-12-20 2018-05-04 北京搜狐新媒体信息技术有限公司 A kind of network alarming analysis method, device and electronic equipment
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection

Also Published As

Publication number Publication date
CN108923972A (en) 2018-11-30
CN108923972B (en) 2021-06-04

Similar Documents

Publication Publication Date Title
WO2020000744A1 (en) Deduplication traffic prompting method and apparatus, and server and storage medium
WO2021109314A1 (en) Method, system and device for detecting abnormal data
CN108985553B (en) Abnormal user identification method and equipment
CN106548402B (en) Resource transfer monitoring method and device
CN108572907B (en) Alarm method, alarm device, electronic equipment and computer readable storage medium
CN108390856B (en) DDoS attack detection method and device and electronic equipment
CN104717120B (en) The method and apparatus for determining the access time
CN105868035B (en) A kind of methods, devices and systems of failure predication
CN105429801A (en) Traffic monitoring method and apparatus
CN108572898A (en) A kind of method, apparatus of control interface, equipment and storage medium
CN104866296A (en) Data processing method and device
CN111401874B (en) Self-service transaction system monitoring method and device
CN108322354B (en) Method and device for identifying running-stealing flow account
CN114208114A (en) Multi-view security context per participant
CN110177075B (en) Abnormal access interception method, device, computer equipment and storage medium
CN108923967A (en) A kind of duplicate removal discharge record method, apparatus, server and storage medium
CN110633165B (en) Fault processing method, device, system server and computer readable storage medium
CN113259322B (en) Method, system and medium for preventing Web service abnormity
EP4236200A1 (en) Method, apparatus and system for determining data flow information
CN115296913A (en) Rapid arranging system suitable for flink operation rule
CN115801307A (en) Method and system for carrying out port scanning detection by using server log
CN113254313A (en) Monitoring index abnormality detection method and device, electronic equipment and storage medium
CN114238069A (en) Web application firewall testing method and device, electronic equipment, medium and product
CN109495447B (en) Flow data integration method and device of distributed DDoS defense system and electronic equipment
CN109508356B (en) Data abnormality early warning method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18924426

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18924426

Country of ref document: EP

Kind code of ref document: A1