WO2021063368A1 - Cdn system-based source station state detection method and device - Google Patents

Publication number
WO2021063368A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2020/119009
Inventor
朱刚
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2021063368A1 publication Critical patent/WO2021063368A1/en

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/147: Network analysis or design for predicting network behaviour
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic

Definitions

  • This application relates to the IT field, and in particular to a method and equipment for detecting the status of a source station based on a content distribution network CDN system.
  • A content delivery network uses clusters of node servers distributed across different regions to form a traffic distribution and management platform that provides users with decentralized storage and high-speed caching of content. According to dynamic network traffic and load conditions, the content is distributed to a fast and stable cache server to improve the response speed of user content access and the availability of services.
  • Content providers can provide users with a large amount of content through CDN, such as video, audio, text, etc., and make money through advertising or charging content playback fees.
  • the present application provides a method and equipment for detecting the status of a source station based on a content distribution network CDN system, which can predict the traffic curve of the source station, thereby better resisting attack packets.
  • a method for detecting the status of an origin station based on a content distribution network CDN system which is characterized in that it includes:
  • the receiving real-time traffic information sent by the source station, and confirming whether the working state of the source station is normal according to the real-time traffic information and the traffic curve includes:
  • the method further includes:
  • the receiving real-time flow information sent by the source station, and confirming whether the working state of the source station is normal according to the real-time flow information and the flow curve includes:
  • the log information also records service type information of the source station. After receiving the real-time traffic information sent by the source station, the method further includes:
  • an intelligent defense device including: a receiving module, a prediction module, and a confirmation module,
  • the receiving module is configured to receive log information sent by a node in the CDN system, and the log information records the URL of the source station and historical traffic information of the source station;
  • the prediction module is configured to predict a flow curve of the source station according to the log information, the flow curve including a future time and a predicted flow value at a future time;
  • the confirmation module is configured to receive real-time flow information sent by the source station, and confirm whether the current working state of the source station is normal according to the real-time flow information and the flow curve.
  • the confirmation module is also used to:
  • the device further includes an alarm module for confirming whether the flow value recorded in the flow information exceeds the endurance capacity of the source station; if it does not exceed the endurance capacity of the source station, an alarm message is sent, and if the endurance capacity of the source station is exceeded, the node in the CDN system is notified to discard the message of the source station.
  • the confirmation module is used to obtain the predicted flow value corresponding to the current time in the flow curve; when the flow value recorded in the real-time flow information does not exceed the predicted flow value corresponding to the current time in the flow curve, it confirms that the current working state of the source station is normal.
  • the confirmation module is used to determine whether the service type recorded in the real-time traffic information is consistent with the service type information of the source station recorded in the log information. If the service type information is consistent, it confirms that the current working state of the source station is normal, and if the service types are inconsistent, it confirms that the current working state of the source station is abnormal.
  • an intelligent defense device including: a processor and a memory, and the processor executes the code in the memory to execute the method according to any one of the first aspect.
  • a readable storage medium which is characterized by including instructions, which when run on an intelligent defense device, cause the intelligent defense device to execute the method described in any one of the first aspect.
  • a computer program product is provided.
  • the method described in any one of the first aspects will be executed.
  • Figure 1 is a schematic diagram of the structure of a content distribution network involved in this application.
  • FIG. 2 is a schematic diagram of a client requesting content data from a source site node in a content distribution network related to this application;
  • FIG. 3 is a schematic diagram of a cloud service involved in this application.
  • Fig. 4 is a schematic structural diagram of a cloud CDN involved in this application.
  • FIG. 5 is a schematic structural diagram of another cloud CDN provided by this application.
  • FIG. 6 is a schematic flowchart of a method for detecting the status of a source station based on a content distribution network CDN system provided by the present application;
  • Fig. 7 is a schematic diagram of the flow curves of source station 1 and source station 2 in the three cases of working days, weekends and big holidays in this application;
  • FIG. 8 is a schematic diagram of the structure of a deep neural network provided by the present application.
  • Fig. 9 is a schematic structural diagram of an intelligent defense device provided by the present application.
  • Fig. 10 is a schematic structural diagram of another intelligent defense device provided by the present application.
  • Fig. 1 is a schematic structural diagram of a content delivery network (CDN) involved in this application.
  • the CDN system includes a source site node 10, a control platform 20, a content distribution network CDN, and clients 101-105.
  • the content distribution network CDN includes central cache nodes 60-61 and edge cache nodes 70-74.
  • the clients 101-105 are usually private devices of the user, which are used by the user to access the content data of the origin node 10.
  • the terminal device may be a smart phone, a tablet computer, a desktop computer, a vehicle-mounted device, a wearable device, etc., which are not specifically limited here.
  • the origin node 10 is usually set in a data center far away from the clients 101-105, and is used to store a large amount of content data.
  • the origin node 10 may be a node of a website that provides video viewing or downloading such as entertainment, sports, news or movies, may be a node of a website that provides audio playback of music or books, or may be a node of a website that provides reading of text such as news, articles and books. There are no specific restrictions here.
  • the central cache node is the upper-level node of the edge cache nodes 73-74.
  • the central cache node 60-61 is also the lower-level node of the origin node 10. That is, the central cache node serves as a link between the upper and lower levels.
  • the edge cache nodes 70-74, also called proxy caches (surrogates), are only a "single hop" away from the terminal device, and are used to cache the content data that the origin node 10 delivers to the edge cache nodes 70-74, so that clients 101-105 can access it nearby. Specifically, the edge cache nodes 70-74 store the mirror image of the origin node 10, and the edge cache nodes 70-74 are usually set at the edge of the network. Therefore, the edge cache nodes 70-74 can provide content data to clients 101-105 in place of the origin node 10, so as to realize edge storage and dissemination of content data, relieve network congestion, and improve the response speed of clients 101-105 when accessing source site node 10.
  • edge cache node 70-74 and the client 101-105 must follow the following settings.
  • the edge cache nodes 70-74 are located in different regions.
  • the edge cache node 70 may be located in South China
  • the edge cache node 71 is located in Central China
  • the edge cache node 72 is located in West China
  • the edge cache node 73 is located in North China
  • the edge cache node 74 is located in East China.
  • Clients 101-105 are set in different regions.
  • the client 101 may be set in the South China region
  • the client 102 is set in the Central China region
  • the client 103 is set in the West China region
  • the client 104 is set in the North China region
  • the client 105 is set in the East China region.
  • the client 101 is located in South China, so the client 101 and the edge cache node 70 are in the same area, and the distance between the two is the closest; the client 102 is located in Central China, so the client 102 and the edge cache node 71 are in the same area, and the distance between the two is the closest; the client 103 is located in West China, so the client 103 and the edge cache node 72 are in the same area, and the distance between the two is the closest; the client 104 is located in North China, so the client 104 and the edge cache node 73 are in the same area, and the distance between the two is the closest; the client 105 is located in East China, so the client 105 and the edge cache node 74 are in the same area, and the distance between the two is the closest.
  • the number of origin site nodes is not limited to 2, but can be other positive integers
  • the number of central cache nodes is not limited to 2, but can be other positive integers
  • the number of edge cache nodes is not limited to 5. It can be other positive integers, and there is no specific limitation here.
  • FIG. 2 is a schematic diagram of a CDN content data request process involved in this application. Based on the CDN shown in FIG. 1, as shown in FIG. 2, the content data request process of the CDN of this application includes the following steps:
  • S101 The client sends a request message to the edge cache node.
  • the edge cache node receives the request message sent by the client.
  • the request message is used for the client to request the content data in the source station from the source station node.
  • S102 The edge cache node judges whether it has cached the content data in the source station requested by the request message; if yes, go to step S103; if not, go to step S104.
  • S103 The edge cache node sends the content data requested by the request message, and ends the process.
  • S104 The edge cache node sends a request message to the source station node.
  • the source site node receives the request message sent by the edge cache node.
  • the request message is used for the edge cache node to request the content data in the source station from the source station node.
  • S105 The source site node sends the content data to the edge cache node.
  • the edge cache node receives the content data sent by the source station node.
  • the edge cache node sends the content data in the source station to the client.
  • the client receives the content data in the source station sent by the edge cache node, and ends the process.
  • FIG. 3 is a schematic diagram of a cloud service involved in this application.
  • the cloud owner deploys cloud computing infrastructure by himself, that is, deploys computing resources (for example, servers) 110, deploys storage resources (for example, storage) 120, deploys network resources (for example, network cards) 130, and so on.
  • the owner of the public cloud (for example, an operator) virtualizes the computing resources, storage resources, and network resources of the cloud computing infrastructure and provides corresponding services for cloud users (for example, users) to use.
  • operators can provide the following three services to users: cloud computing infrastructure as a service (Infrastructure as a Service, IaaS), platform as a service (Platform as a Service, PaaS), and software as a service (Software as a Service, SaaS).
  • the service provided by IaaS to users is the utilization of cloud computing infrastructure, including processing, storage, network and other basic computing resources. Users can deploy and run any software, including operating systems and applications. Users do not manage or control any cloud computing infrastructure, but can control the choice of operating system, storage space, deployment applications, and may also gain control of restricted network components (for example, firewalls, load balancers, etc.).
  • the service provided by PaaS to users is to deploy applications developed or acquired by users using development languages and tools provided by vendors (such as Java, Python, .NET, etc.) to cloud computing infrastructure. Users do not need to manage or control the underlying cloud computing infrastructure, including networks, servers, operating systems, storage, etc., but users can control the deployed applications and may also control the configuration of the hosting environment for running applications.
  • the services provided by SaaS to users are applications run by operators on cloud computing infrastructure. Users can access applications on cloud computing infrastructure on various devices through client interfaces, such as browsers. Users do not need to manage or control any cloud computing infrastructure, including networks, servers, operating systems, storage, and so on.
  • Fig. 4 is a schematic structural diagram of a cloud CDN involved in the present application.
  • the cloud CDN of this embodiment implements the CDN shown in FIG. 1 on the basis of the cloud service shown in FIG. 2.
  • the tenants of cloud computing infrastructure are content providers, and content providers set their source sites on the cloud computing infrastructure (including: computing resources, storage resources, network resources). Storage virtualization technology can be used to flexibly provide tenants with a storage solution, so as to better store the content data in the tenant’s source site node, and network virtualization technology can be used to flexibly provide the tenant with a traffic solution, so as to better perform the content data of the tenant’s source site.
  • server virtualization technology can be used to flexibly provide tenants with computing power solutions, so as to better manage the content data of the tenant's source site.
  • the cloud CDN is a multi-tenant, multi-source site scenario.
  • a cloud CDN may include multiple tenants, each tenant may include one source site node or multiple source site nodes, and each source site node may have one or more source sites.
  • the tenant 1 may be a content provider that specializes in providing movies and videos, and the tenant may set a special source station node for movies and videos, that is, the source station node 10, to provide users with movies and videos.
  • Tenant 2 can be a content provider that provides a variety of content. The tenant can set up a special book origin node, namely origin node 11, to provide users with book reading, and a special current affairs origin node, namely origin node 12, to provide users with current affairs information.
  • the number of tenants is not limited to 2, but can be other positive integers
  • the number of source site nodes is not limited to 3, and can be other positive integers
  • the number of central cache nodes is not limited to 2, but can be other positive integers.
  • the number of edge cache nodes is not limited to 5, and can be other positive integers, and there is no specific limitation here.
  • the prior art has set up a firewall between the client and the edge cache node.
  • the firewall can only simply set a preset threshold, that is, the same preset threshold is used for different source sites and different time points. The normal access traffic of different origin sites varies greatly. For example, some large origin sites have an average normal access traffic of 20G, and some small origin sites have an average normal access traffic of 2G.
  • the normal access traffic at different time points of the same source station is also very different. For example, the average normal access traffic at the source station on major holidays can reach 20G, and the average normal access traffic on weekdays is 2G. Therefore, using the same preset threshold for different source stations and different time points can cause many problems. The following will assume that the preset threshold of the source station is 5G, and illustrate the problems with examples:
  • the capacity of the source site node after expansion is 8G, and the capacity of the edge cache node is 20G.
  • the firewall will alarm and block because the normal access traffic exceeds the preset threshold, but the endurance of the source site node and edge cache node is greater than the sum of normal access traffic and attack traffic, so blocking will result in a large number of normal accesses being blocked as well.
  • the capacity of the source site node after expansion is 3G, and the capacity of the edge cache node is 20G.
  • the firewall will not alarm and block, but in fact, the endurance of the source site node is less than the sum of normal access traffic and attack traffic. Failure to alarm and block will cause the source site node to crash due to access overload.
  • the present application provides a method and equipment for detecting the status of a source station based on a content distribution network CDN system, which can predict the traffic curve of the source station, thereby better resisting attack packets.
  • FIG. 5 is a schematic structural diagram of another cloud CDN provided by the present application.
  • the operator can add an intelligent defense device on the basis of the cloud CDN shown in FIG. 4.
  • FIG. 6 is a schematic flowchart of a method for detecting the status of a source station based on a content distribution network CDN system provided by the present application.
  • the method of this application for detecting the status of a source station based on a content distribution network CDN system includes the following steps:
  • the intelligent defense device receives log information sent by a node in the CDN system, where the log information records the URL of the source station and historical traffic information of the source station;
  • the intelligent defense device predicts the flow curve of the source station according to the log information, where the flow curve includes a future time and a predicted flow value at a future time;
  • the intelligent defense device receives the real-time traffic information sent by the source station, and confirms whether the current working state of the source station is normal according to the real-time traffic information and the traffic curve.
  • the intelligent defense device obtains the predicted flow value corresponding to the current moment in the flow curve; when the flow value recorded in the real-time flow information exceeds the predicted flow value corresponding to the current moment in the flow curve, it confirms that the current working status of the source station is abnormal; when the flow value recorded in the real-time flow information does not exceed the predicted flow value corresponding to the current moment in the flow curve, it confirms that the current working status of the source station is normal.
  • the processing methods of the intelligent defense device may include the following two: (1) The intelligent defense device may directly notify the node in the CDN system to discard the message of the source station. (2) The intelligent defense device confirms whether the flow value recorded in the flow information exceeds the endurance of the source station; if not, it sends an alarm message, and if so, it notifies the node in the CDN system to discard the source station’s message.
  • the endurance of the source station is determined by the utilization rate of the source station node's CPU, memory, network bandwidth, etc., and by the capacity of the source station node's CPU, memory, network bandwidth, etc.
  • the intelligent defense device can first send alarm information instead of notifying the nodes in the CDN system to discard the message of the source station, which can ensure that normal services are not interrupted and improve user experience.
  • working days are days when you go to work and go to school
  • weekends are days when you usually rest.
  • Sundays and big holidays usually refer to three or more public holidays, such as Christmas, Spring Festival, National Day, and so on.
  • the traffic curve of source website 1 is as follows:
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 0:00 on previous working day 1 is 2.5G, the historical traffic at 0:00 on previous working day 2 is 2.3G, ..., and the historical traffic at 0 o'clock on previous working day n is 2.7G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 1 at 0 o'clock on a future working day is 2.55G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 4 o'clock on previous working day 1 is 0.71G, the historical traffic at 4 o'clock on previous working day 2 is 0.52G, ..., and the historical traffic at 4 o'clock on previous working day n is 0.57G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 1 at 4 o'clock on a future working day is 0.53G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 8 o'clock on previous working day 1 is 1.59G, the historical traffic at 8 o'clock on previous working day 2 is 1.62G, ..., and the historical traffic at 8 o'clock on previous working day n is 1.75G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 1 at 8 o'clock on a future working day is 1.63G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 12 o'clock on previous working day 1 is 20.5G, the historical traffic at 12 o'clock on previous working day 2 is 20.05G, ..., and the historical traffic at 0 o'clock on previous working day n is 22.43G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 1 at 0 o'clock on a future working day is 21.53G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 16:00 on previous working day 1 is 22.12G, the historical traffic at 16:00 on previous working day 2 is 18.45G, ..., and the historical traffic at 16 o'clock on previous working day n is 21.32G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 1 at 16 o'clock on a future working day is 21.28G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 20 o'clock on previous working day 1 is 23.52G, the historical traffic at 20 o'clock on previous working day 2 is 25.38G, ..., and the historical traffic at 20 o'clock on previous working day n is 23.05G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 1 at 20 o'clock on a future working day is 24.23G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 24:00 on previous working day 1 is 0.55G, the historical traffic at 24:00 on previous working day 2 is 0.62G, ..., and the historical traffic at 24 o'clock on previous working day n is 0.51G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 1 at 24 o'clock on a future working day is 0.55G.
  • the traffic curve of source station 1 on a future working day can be the curve formed by the above-mentioned predicted values: 2.55G, 0.53G, 1.63G, 21.53G, 21.28G, 24.23G and 0.55G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 2 at 0 o'clock on previous working day 1 is 0.19G, the historical traffic at 0 o'clock on previous working day 2 is 0.22G, ..., and the historical traffic at 0 o'clock on previous working day n is 0.09G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 2 at 0 o'clock on a future working day is 0.13G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 2 at 4 o'clock on previous working day 1 is 0.07G, the historical traffic at 4 o'clock on previous working day 2 is 0.12G, ..., and the historical traffic at 4 o'clock on previous working day n is 0.15G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 2 at 4 o'clock on a future working day is 0.12G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 2 at 8 o'clock on previous working day 1 is 0.82G, the historical traffic at 8 o'clock on previous working day 2 is 0.87G, ..., and the historical traffic at 8 o'clock on previous working day n is 0.95G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 2 at 8 o'clock on a future working day is 0.83G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 2 at 12 o'clock on previous working day 1 is 2.49G, the historical traffic at 12 o'clock on previous working day 2 is 2.82G, ..., and the historical traffic at 12 o'clock on previous working day n was 1.79G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 2 at 12 o'clock on a future working day is 2.62G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 1 at 16:00 on previous working day 1 is 1.63G, the historical traffic at 16:00 on previous working day 2 is 2.48G, ..., and the historical traffic at 16 o'clock on previous working day n is 2.19G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 2 at 16 o'clock on a future working day is 2.42G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 3 at 20 o'clock on previous working day 1 is 2.67G, the historical traffic at 30 o'clock on previous working day 2 is 3.56G, ..., and the historical traffic at 20 o'clock on previous working day n is 3.15G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the traffic value of source station 2 at 20 o'clock on a future working day is 3.26G.
  • the historical traffic information carried in the log information received by the intelligent defense device from the CDN system includes: the historical traffic of source station 2 at 24:00 on previous working day 1 is 0.21G, the historical traffic at 0:00 on previous working day 2 is 0.17G, ..., and the historical traffic at 24 o'clock on previous working day n is 0.13G. The intelligent defense device can therefore input the above data into the working day traffic prediction model to predict that the flow value of source station 2 at 24 o'clock on a future working day is 0.15G.
  • the traffic curve of source station 2 on a future working day can be the curve formed by the above-mentioned predicted values: 0.13G, 0.12G, 0.83G, 2.62G, 2.42G, 3.26G and 0.15G.
  • The traffic curve of source station 1 is as follows:
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 0 o'clock on previous weekend 1 is 4.53G, the historical traffic at 0 o'clock on previous weekend 2 is 4.81G, ..., and the historical traffic at 0 o'clock on previous weekend n is 4.92G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 0 o'clock on a future weekend is 4.78G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 4 o'clock on previous weekend 1 was 2.45G, the historical traffic at 4 o'clock on previous weekend 2 was 2.83G, ..., and the historical traffic at 4 o'clock on previous weekend n was 2.51G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 4 o'clock on a future weekend is 2.73G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 8 o'clock on previous weekend 1 was 3.07G, the historical traffic at 8 o'clock on previous weekend 2 was 3.39G, ..., and the historical traffic at 8 o'clock on previous weekend n was 5.15G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 8 o'clock on a future weekend is 4.15G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 12 o'clock on previous weekend 1 is 24.75G, the historical traffic at 12 o'clock on previous weekend 2 is 27.55G, ..., and the historical traffic at 0 o'clock on previous weekend n is 22.48G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 0 o'clock on a future weekend is 26.29G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on previous weekend 1 is 28.12G, the historical traffic at 16:00 on previous weekend 2 is 28.41G, ..., and the historical traffic at 16 o'clock on previous weekend n is 30.38G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 16 o'clock on a future weekend is 29.25G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 20 o'clock on previous weekend 1 is 35.25G, the historical traffic at 20 o'clock on previous weekend 2 is 38.38G, ..., and the historical traffic at 20 o'clock on previous weekend n was 37.08G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 20 o'clock on a future weekend is 37.09G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 24 o'clock on previous weekend 1 is 20.58G, the historical traffic at 24 o'clock on previous weekend 2 is 20.33G, ..., and the historical traffic at 24 o'clock on previous weekend n is 25.57G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 24 o'clock on a future weekend is 23.88G.
  • The traffic curve of source station 1 on a future weekend can be the curve formed by the above predicted values: 5.77, 2.68G, 16.88G, 33.75G, 37.25G, 40.77G, and 26.66G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 0 o'clock on previous weekend 1 is 1.85G, the historical traffic at 0 o'clock on previous weekend 2 is 0.99, ..., and the historical traffic at 0 o'clock on previous weekend n is 1.53. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 0 o'clock on a future weekend is 1.01G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 4 o'clock on previous weekend 1 is 0.53G, the historical traffic at 4 o'clock on previous weekend 2 is 0.75G, ..., and the historical traffic at 4 o'clock on previous weekend n is 1.01G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 4 o'clock on a future weekend is 0.99G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 8 o'clock on previous weekend 1 was 2.11G, the historical traffic at 8 o'clock on previous weekend 2 was 1.75G, ..., and the historical traffic at 8 o'clock on previous weekend n was 1.06G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 8 o'clock on a future weekend is 1.83G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 12 o'clock on previous weekend 1 was 3.69G, the historical traffic at 12 o'clock on previous weekend 2 was 2.52G, ..., and the historical traffic at 12 o'clock on previous weekend n was 3.72G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 12 o'clock on a future weekend is 3.62G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on previous weekend 1 is 3.88G, the historical traffic at 16 o'clock on previous weekend 2 is 2.91G, ..., and the historical traffic at 16 o'clock on previous weekend n is 3.04G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 16 o'clock on a future weekend is 3.76G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 3 at 20 o'clock on previous weekend 1 was 4.19G, the historical traffic at 20 o'clock on previous weekend 2 was 4.94G, ..., and the historical traffic at 20 o'clock on previous weekend n was 3.25G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 20 o'clock on a future weekend is 4.85G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 24:00 on previous weekend 1 is 2.16G, the historical traffic at 0:00 on previous weekend 2 is 1.88G, ..., and the historical traffic at 24 o'clock on previous weekend n was 1.79G. The intelligent defense device can therefore input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 24 o'clock on a future weekend is 2.07G.
  • The traffic curve of source station 2 on a future weekend can be the curve formed by the above predicted values: 1.01G, 0.99G, 1.83G, 3.62G, 3.76G, 4.85G, and 2.07G.
  • The traffic curve of source station 1 is as follows:
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 0 o'clock on previous big holiday 1 is 5.06G, the historical traffic at 0 o'clock on previous big holiday 2 is 4.55G, ..., and the historical traffic at 0 o'clock on previous big holiday n is 6.12G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 1 at 0 o'clock on a future big holiday is 5.77G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 4 o'clock on previous big holiday 1 is 2.14G, the historical traffic at 4 o'clock on previous big holiday 2 is 2.08G, ..., and the historical traffic at 4 o'clock on previous big holiday n was 2.87G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 1 at 4 o'clock on a future big holiday is 2.68G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 8 o'clock on previous big holiday 1 is 15.85G, the historical traffic at 8 o'clock on previous big holiday 2 is 14.09G, ..., and the historical traffic at 8 o'clock on previous big holiday n is 17.11G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 1 at 8 o'clock on a future big holiday is 16.88G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 12 o'clock on previous big holiday 1 is 30.45G, the historical traffic at 12 o'clock on previous big holiday 2 is 35.22G, ..., and the historical traffic at 0 o'clock on previous big holiday n is 32.55G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 1 at 0 o'clock on a future big holiday is 33.75G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on previous big holiday 1 is 34.12G, the historical traffic at 16:00 on previous big holiday 2 is 39.53G, ..., and the historical traffic at 16 o'clock on previous big holiday n is 38.06G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 1 at 16 o'clock on a future big holiday is 37.25G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 20 o'clock on previous big holiday 1 is 40.15G, the historical traffic at 20 o'clock on previous big holiday 2 is 38.66G, ..., and the historical traffic at 20 o'clock on previous big holiday n is 42.43G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 1 at 20 o'clock on a future big holiday is 40.77G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 24 o'clock on previous big holiday 1 is 25.18G, the historical traffic at 24 o'clock on previous big holiday 2 is 27.23G, ..., and the historical traffic at 24 o'clock on previous big holiday n is 27.17G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 1 at 24 o'clock on a future big holiday is 26.66G.
  • The traffic curve of source station 1 on a future big holiday can be the curve formed by the above predicted values: 4.78G, 2.73G, 4.15G, 26.29G, 29.25G, 37.09G and 23.88G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 0 o'clock on previous big holiday 1 is 2.52G, the historical traffic at 0 o'clock on previous big holiday 2 is 1.75, ..., and the historical traffic at 0 o'clock on previous big holiday n is 2.78. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 2 at 0 o'clock on a future big holiday is 2.57G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 4 o'clock on previous big holiday 1 is 1.61G, the historical traffic at 4 o'clock on previous big holiday 2 is 1.69G, ..., and the historical traffic at 4 o'clock on previous big holiday n is 1.22G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 2 at 4 o'clock on a future big holiday is 1.45G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 8 o'clock on previous big holiday 1 is 3.22G, the historical traffic at 8 o'clock on previous big holiday 2 is 3.79G, ..., and the historical traffic at 8 o'clock on previous big holiday n is 2.98G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 2 at 8 o'clock on a future big holiday is 3.03G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 12 o'clock on previous big holiday 1 is 4.35G, the historical traffic at 12 o'clock on previous big holiday 2 is 4.12G, ..., and the historical traffic at 12 o'clock on previous big holiday n is 5.09G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 2 at 12 o'clock on a future big holiday is 4.66G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on previous big holiday 1 is 5.81G, the historical traffic at 16:00 on previous big holiday 2 is 4.93G, ..., and the historical traffic at 16 o'clock on previous big holiday n is 4.88G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 2 at 16 o'clock on a future big holiday is 5.26G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 3 at 20 o'clock on previous big holiday 1 is 5.88G, the historical traffic at 20 o'clock on previous big holiday 2 is 6.04G, ..., and the historical traffic at 20 o'clock on previous big holiday n is 6.25G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 2 at 20 o'clock on a future big holiday is 6.17G.
  • The historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 24 o'clock on previous big holiday 1 is 3.17G, the historical traffic at 0 o'clock on previous big holiday 2 is 2.94G, ..., and the historical traffic at 24 o'clock on previous big holiday n was 3.09G. The intelligent defense device can therefore input this data into the big holiday traffic prediction model to predict that the traffic value of source station 2 at 24 o'clock on a future big holiday is 3.01G.
  • The traffic curve of source station 2 on a future big holiday can be the curve formed by the above predicted values: 2.57G, 1.45G, 3.03G, 4.66G, 5.26G, 6.17G and 3.01G.
  • The above example predicts the traffic value at each time node using a time interval of 4 hours.
  • The time interval can be shortened to 2 hours, 1 hour, 30 minutes, 15 minutes, 10 minutes, 5 minutes, and so on. When the curve does not need to be so precise, the time interval can also be increased, which is not specifically limited here.
  • The working day traffic prediction model, weekend traffic prediction model, and big holiday traffic prediction model in the above example can be implemented using a deep neural network or a segmented model, each of which is introduced in detail below.
  • The working day traffic prediction model, weekend traffic prediction model, and big holiday traffic prediction model can be implemented using deep neural networks.
  • the weekday traffic prediction model can be expressed as:
  • The mapping relationship $g_1$ may be obtained by training on a large number of known working-day historical traffic values and a large number of known working-day predicted traffic values at the source station's current sampling time.
  • The large number of known working-day predicted traffic values at the source station's current sampling time may be the predicted traffic values at this time point on working days in the last six months.
  • the weekend traffic forecast model can be expressed as:
  • $b_2$ is the predicted traffic value on the weekend
  • $a_2$ is the historical traffic at the current sampling time of the source station on the weekend
  • $g_2$ is the mapping relationship between the predicted traffic value on the weekend and the historical traffic at the current sampling time of the source station on the weekend.
  • The mapping relationship $g_2$ may be obtained by training on a large number of known weekend predicted traffic values and a large number of known weekend historical traffic values at the source station's current sampling time.
  • The large number of known weekend historical traffic values at the source station's current sampling time may be the historical traffic at this time point on weekends in the last year.
  • The large number of known weekend predicted traffic values may be the predicted traffic values at this time point on weekends in the last year.
  • The mapping relationship $g_3$ may be obtained by training on a large number of known major-holiday predicted traffic values and a large number of known major-holiday historical traffic values at the source station's current sampling time.
  • The large number of known major-holiday historical traffic values at the source station's current sampling time may be the historical traffic at this time point on major holidays in the last two years.
  • The large number of known major-holiday predicted traffic values may be the predicted traffic values at this time point on major holidays in the last two years.
  • the weekday traffic forecast model, the weekend traffic forecast model, and the big holiday traffic forecast model can be implemented using a segmented model.
  • the working day traffic forecast model can be expressed as:
  • $x_1$ to $x_{n-1}$ are the historical traffic values at this time point on working days in the last six months
  • $x_n$ is the historical traffic at the current sampling time of the source station on the working day
  • $n$ is the sum of the number of historical traffic values at this time point on working days in the last six months and the number of historical traffic values at the current sampling time of the source station;
  • ⁇ 1 is the variance
  • $x_1$ to $x_{n-1}$ are the historical traffic values at this time point on working days in the last six months
  • $x_n$ is the historical traffic at the current sampling time of the source station on the working day
  • $n$ is the sum of the number of historical traffic values at this time point on working days in the last six months and the number of historical traffic values at the current sampling time of the source station;
  • p is the lower limit of the confidence interval
  • q is the upper limit of the confidence interval
  • t is a natural number greater than zero
  • ⁇ 1 is the variance.
  • the predicted flow value can be made equal to the upper limit of the confidence interval.
  • the weekend traffic forecast model can be expressed as:
  • Is the average value, $y_1$ to $y_{n-1}$ are the historical traffic values at this time point on weekends in the last year, $y_n$ is the historical traffic at the current sampling time of the source station on the weekend, and $n$ is the sum of the number of historical traffic values at this time point on weekends in the last year and the number of historical traffic values at the current sampling time of the source station;
  • ⁇ 2 is the variance
  • $y_1$ to $y_{n-1}$ are the historical traffic values at this time point on weekends in the last year
  • $y_n$ is the historical traffic at the current sampling time of the source station on the weekend
  • $n$ is the sum of the number of historical traffic values at this time point on weekends in the last year and the number of historical traffic values at the current sampling time of the source station;
  • p is the lower limit of the confidence interval
  • q is the upper limit of the confidence interval
  • t is a natural number greater than zero
  • ⁇ 2 is the variance.
  • the predicted flow value can be made equal to the upper limit of the confidence interval.
  • Is the average value, $z_1$ to $z_{n-1}$ are the historical traffic values at this time point on big holidays in the last two years, $z_n$ is the historical traffic at the current sampling time of the source station on the big holiday, and $n$ is the sum of the number of historical traffic values at this time point on big holidays in the last two years and the number of historical traffic values at the current sampling time of the source station;
  • ⁇ 3 is the variance
  • $z_1$ to $z_{n-1}$ are the historical traffic values at this time point on big holidays in the last two years
  • $z_n$ is the historical traffic at the current sampling time of the source station on the big holiday
  • $n$ is the sum of the number of historical traffic values at this time point on big holidays in the last two years and the number of historical traffic values at the current sampling time of the source station;
  • p is the lower limit of the confidence interval
  • q is the upper limit of the confidence interval
  • t is a natural number greater than zero
  • ⁇ 3 is the variance.
  • the predicted flow value can be made equal to the upper limit of the confidence interval.
  • The above takes the predicted traffic value being equal to the upper limit of the confidence interval as an example.
  • The predicted traffic value can also be equal to the lower limit of the confidence interval, or to any value between the upper limit and the lower limit of the confidence interval, which is not limited here.
  • the normal access traffic of the source station is 1G
  • the attack traffic is 3G.
  • the predicted traffic value at 10 a.m. on a working day can be calculated to be about 1G.
  • the attack data is superimposed, resulting in the access data being about 4G, which seriously deviates from the normal access level, and an alarm is raised.
  • the normal access traffic on the working day 20 can be calculated to be about 5G.
  • the traffic is about 5G; the deviation between the two values is small and within the normal range.
  • the normal access traffic of the source station exceeded 5G.
  • the normal access traffic at 12 o’clock on the big holiday can be calculated to be about 33G, and the access data collected in real time is about 30G.
  • the value deviation is small and belongs to the normal range.
  • the capacity of the source site node after expansion is 8G
  • the capacity of the edge cache node is 20G.
  • the capacity of the source site node after expansion is 3G, and the capacity of the edge cache node is 20G.
  • When the normal access traffic of the source station exceeds 1G and the attack traffic is 3G, the 6G access is judged to have exceeded the endurance of the source station node, and active blocking defense is performed to prevent the source station node from going down.
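The segmented model and the alarm and blocking scenarios above, as an added example that is not code from the patent: it builds one curve per day type from constructed log samples, takes the upper limit of the confidence interval as the predicted value, and classifies real-time traffic. The interval form mean ± t·std, the linear interpolation between time nodes, the 25% deviation tolerance and every function name are assumptions, since the page's own formulas are not reproduced in this text.

```python
import math
from collections import defaultdict, namedtuple

# p / q are the lower / upper limits of the confidence interval.
Forecast = namedtuple("Forecast", "mean std p q predicted")


def segmented_forecast(history, t=2.0):
    """Forecast one time node from the traffic (in G) logged at that node on
    past days of the same type. ASSUMPTION: the interval is mean -/+ t * std."""
    n = len(history)
    if n < 2:
        raise ValueError("need at least two samples per time node")
    mean = sum(history) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in history) / n)
    p = max(0.0, mean - t * std)          # traffic cannot be negative
    q = mean + t * std
    return Forecast(mean, std, p, q, predicted=q)  # predicted value = upper limit


def build_curves(samples, t=2.0):
    """samples: (day_type, hour, traffic_g) records taken from CDN log information.
    Returns {day_type: {hour: Forecast}}, i.e. one traffic curve per day type."""
    grouped = defaultdict(list)
    for day_type, hour, traffic in samples:
        grouped[(day_type, hour)].append(traffic)
    curves = {}
    for (day_type, hour), history in grouped.items():
        curves.setdefault(day_type, {})[hour] = segmented_forecast(history, t)
    return curves


def predicted_at(curve, hour):
    """Read a curve at any hour. ASSUMPTION: linear interpolation between nodes."""
    nodes = sorted(curve)
    if hour <= nodes[0]:
        return curve[nodes[0]].predicted
    if hour >= nodes[-1]:
        return curve[nodes[-1]].predicted
    for lo, hi in zip(nodes, nodes[1:]):
        if lo <= hour <= hi:
            frac = (hour - lo) / (hi - lo)
            return curve[lo].predicted + frac * (curve[hi].predicted - curve[lo].predicted)


def source_station_state(curves, day_type, hour, real_time, capacity, tolerance=0.25):
    """'block' when real-time traffic exceeds what the source station node can
    bear, 'alarm' when it deviates upward from the predicted value by more than
    `tolerance` (an assumed threshold), otherwise 'normal'."""
    if day_type not in curves:
        raise KeyError("no traffic curve trained for day type %r" % day_type)
    if real_time > capacity:
        return "block"
    if real_time > predicted_at(curves[day_type], hour) * (1 + tolerance):
        return "alarm"
    return "normal"


# Constructed sample records (day type, hour, traffic in G); not values from the page.
SAMPLES = [
    ("working_day", 8, 0.8), ("working_day", 8, 1.0),
    ("working_day", 8, 1.2), ("working_day", 8, 1.0),
    ("working_day", 12, 0.9), ("working_day", 12, 1.1),
    ("working_day", 12, 1.0), ("working_day", 12, 1.0),
    ("big_holiday", 12, 30.0), ("big_holiday", 12, 35.0),
    ("big_holiday", 12, 32.0), ("big_holiday", 12, 33.0),
]
CURVES = build_curves(SAMPLES)

if __name__ == "__main__":
    # 1G of normal traffic plus 3G of attack traffic at 10 a.m. on a working day.
    print(source_station_state(CURVES, "working_day", 10, 4.0, capacity=8.0))
    # The same 30G is ordinary on a big holiday but anomalous on a working day.
    print(source_station_state(CURVES, "big_holiday", 12, 30.0, capacity=40.0))
    print(source_station_state(CURVES, "working_day", 12, 30.0, capacity=40.0))
```

Keeping a separate curve per day type is what lets the 30G holiday peak pass while the same volume on a working day raises an alarm.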
  • The intelligent defense device can also identify the service type of the real-time traffic through the service type recognition model and determine whether it is consistent with the service type information of the source station recorded in the log information. If so, it confirms that the current working state of the source station is normal; if not, it confirms that the current working state of the source station is abnormal.
  • the service type identification model can be expressed as:
  • The mapping relationship $f_1$ may be obtained by training on a large number of known historical traffic samples and the service types corresponding to those samples.
  • the service type recognition model may be implemented by using deep neural networks (DNN).
  • the deep neural network includes an input layer, one or more hidden layers, and an output layer.
  • the input of the input layer is the real-time traffic $I_i$
  • the output and the input are equal, that is, no processing is performed on the input.
  • the input layer does not perform any processing.
  • the input layer can also perform processing such as normalization, which is not specifically limited here.
  • the real-time traffic $I_i$ output by the input layer is taken as the input of the hidden layer.
  • Let $Z^{l}$ denote the output result of the $l$-th layer.
  • $Z^{1} = I_i$, where $1 \le l \le L$; the relationship between the $l$-th layer and the $(l+1)$-th layer is then:
  • $W^{l}$ is the weight vector of the $l$-th layer
  • $b^{l}$ is the bias vector of the $l$-th layer
  • $a^{l+1}$ is the intermediate vector of the $(l+1)$-th layer
  • $f^{l+1}$ is the excitation function of the $(l+1)$-th layer
  • $Z^{l+1}$ is the hidden layer result of the $(l+1)$-th layer.
  • the excitation function can be any of a sigmoid function, a hyperbolic tangent function, a Relu function, an ELU (Exponential Linear Units) function, and so on.
  • $y$ is the output result of the output layer
  • $Z^{L}$ is the output result of the hidden layer of the $L$-th layer
  • the softmax function is the classification function. It can be understood that the softmax function is taken as an example in the above example for description. However, in actual applications, a logistic function and the like can also be used, which is not specifically limited here.
  • The work of each layer in the deep neural network can be described by a mathematical expression. At the physical level, the work of each layer can be understood as completing the transformation from the input space to the output space (that is, from the row space of the matrix to the column space of the matrix) through five operations on the input space (the set of input vectors): 1. raising/lowering the dimension; 2. enlarging/reducing; 3. rotating; 4. translating; 5. "bending". Operations 1, 2, and 3 are completed by the weight W, operation 4 is completed by +b, and operation 5 is realized by a().
  • W is a weight vector, and each value in the vector represents the weight value of a neuron in that layer of the neural network.
  • This vector W determines the spatial transformation from the input space to the output space described above, that is, the weight W of each layer controls how the space is transformed.
  • the purpose of training a deep neural network is to finally obtain the weight matrix of all layers of the trained neural network (the weight matrix formed by the vector W of many layers). Therefore, the training process of the neural network is essentially the way of learning to control the space transformation, and more specifically, the learning of the weight matrix.
  • The training process of the service type recognition model can be as follows: the known historical traffic is input into the service type recognition model to obtain a predicted value, and the known service type is taken as the really desired target value.
  • The weight vector of each layer of the neural network is updated according to the difference between the two (there is usually an initialization process before the first update, in which parameters are pre-configured for each layer in the deep neural network). For example, if the predicted value of the network is too high, the weight vector is adjusted to make it predict lower, and the adjustment continues until the neural network can predict the really desired target value. Therefore, it is necessary to predefine "how to compare the difference between the predicted value and the target value".
  • An important equation for this is the loss function. Taking the loss function as an example, the higher the output value (loss) of the loss function, the greater the difference, so training the deep neural network becomes a process of reducing this loss as much as possible.
  • attack traffic can vary greatly, but normal access traffic is limited
  • The above solution trains the service type recognition model on a large number of known historical traffic samples and known service types, so that the service type recognition model learns the rules for recognizing the correct service type. It can then identify normal access traffic and treat request packets that cannot be recognized as normal access traffic as attack traffic, which effectively prevents the source station from being attacked and maintains the security of the entire system.
  • the newly recognized known historical traffic and known service types can be used online to train the service type recognition model in real time, so as to update the knowledge base of the service type recognition model in time.
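The service type check described above, as an added example that is not code from the patent: a feed-forward pass in the usual form Z^{l+1} = f(W^l Z^l + b^l) with a softmax output, one loss-reducing update of the output layer, and the comparison against the service type recorded in the log. The two-feature traffic vector, the service type labels, the weights and all function names are constructed assumptions; the page only states that the input is the real-time traffic I_i.

```python
import math

SERVICE_TYPES = ["web", "video", "download"]   # constructed labels


def affine(W, b, z):
    """a = W z + b for one layer (W is a list of rows)."""
    return [sum(w * x for w, x in zip(row, z)) + bias for row, bias in zip(W, b)]


def relu(a):
    return [max(0.0, x) for x in a]


def softmax(a):
    m = max(a)                                  # subtract the max for stability
    e = [math.exp(x - m) for x in a]
    s = sum(e)
    return [x / s for x in e]


def forward(layers, traffic):
    """layers: list of (W, b). Returns (last hidden output Z^L, output y)."""
    z = list(traffic)                           # input layer: Z^1 = I_i, no processing
    for W, b in layers[:-1]:
        z = relu(affine(W, b, z))               # Z^{l+1} = f(W^l Z^l + b^l)
    W, b = layers[-1]
    return z, softmax(affine(W, b, z))


def loss(layers, traffic, service_type):
    """Cross-entropy between the prediction and the known service type."""
    _, y = forward(layers, traffic)
    return -math.log(y[SERVICE_TYPES.index(service_type)])


def train_step(layers, traffic, service_type, lr=0.5):
    """One gradient-descent update. Simplification: only the output layer is
    updated; for softmax + cross-entropy the gradient on the logits is y - onehot."""
    hidden, y = forward(layers, traffic)
    target = SERVICE_TYPES.index(service_type)
    grad = [p - (1.0 if k == target else 0.0) for k, p in enumerate(y)]
    W, b = layers[-1]
    new_W = [[w - lr * g * h for w, h in zip(row, hidden)] for row, g in zip(W, grad)]
    new_b = [bias - lr * g for bias, g in zip(b, grad)]
    return layers[:-1] + [(new_W, new_b)]


def check_service_type(layers, traffic, logged_service_type):
    """Compare the recognised service type of real-time traffic with the
    service type recorded for the source station in the log information."""
    _, y = forward(layers, traffic)
    recognised = SERVICE_TYPES[y.index(max(y))]
    state = "normal" if recognised == logged_service_type else "abnormal"
    return state, recognised


# Constructed weights standing in for a trained model: one hidden layer, one output layer.
LAYERS = [
    ([[1.0, 0.0], [0.0, 1.0]], [0.0, 0.0]),
    ([[4.0, -4.0], [-4.0, 4.0], [0.0, 0.0]], [0.0, 0.0, 0.0]),
]

if __name__ == "__main__":
    print(check_service_type(LAYERS, [0.9, 0.1], "web"))   # matches the log
    print(check_service_type(LAYERS, [0.1, 0.9], "web"))   # mismatch -> abnormal
    sample = [0.5, 0.5]
    print(loss(LAYERS, sample, "download"),
          loss(train_step(LAYERS, sample, "download"), sample, "download"))
```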
  • since the access traffic belongs to the tenant and the smart defense device belongs to the operator, the source station has already eliminated the key information in the access traffic before sending the access traffic to the smart defense device.
  • when the defense device recognizes that a request packet is attack traffic, it can only investigate on a large scale where the attack traffic belongs.
  • the service type of the abnormal message can be identified, so that the abnormal message only needs to be searched for within the service type to which it belongs, which effectively reduces the workload of checking the abnormal message.
  • the intelligent defense device may further include a data type identification model, where the data type identification model is used to identify the data type of the attack traffic.
  • the second AI model can be expressed as:
  • the mapping relationship f2 may be obtained through training with a large amount of known attack traffic and a large number of known data types. It can be understood that the prediction process and training process of the data type recognition model are similar to those of the service type recognition model, and will not be further described here.
  • the data type recognition model and the service type recognition model can be integrated in the same model.
  • the data type of the attack flow can be identified through the data type identification model, so that only the access flow of the data type needs to be checked, which greatly reduces the workload of the check.
  • the intelligent defense device of the present application includes: a receiving module 310, a prediction module 320, a confirmation module 330, and an alarm module 340.
  • the receiving module 310 is configured to receive log information sent by nodes in the CDN system, and the log information records the URL of the source station and historical traffic information of the source station;
  • the prediction module 320 is configured to predict a flow curve of the source station according to the log information, the flow curve including a future time and a predicted flow value at a future time;
  • the confirmation module 330 is configured to receive real-time flow information sent by the source station, and confirm whether the current working state of the source station is normal according to the real-time flow information and the flow curve.
  • the alarm module 340 is configured to confirm whether the flow value recorded in the flow information exceeds the endurance capacity of the source station; if the endurance capacity of the source station is not exceeded, it sends alarm information, and if the endurance capacity of the source station is exceeded, it notifies the node in the CDN system to discard the message of the source station.
  • the confirmation module 330 is further configured to obtain the predicted flow value corresponding to the current moment in the flow curve and, in the case where the flow value recorded in the real-time flow information exceeds the predicted flow value corresponding to the current moment in the flow curve, to confirm that the current working state of the source station is abnormal.
  • the confirmation module 330 is used to obtain the predicted flow value corresponding to the current moment in the flow curve and, in the case where the flow value recorded in the real-time flow information does not exceed the predicted flow value corresponding to the current moment in the flow curve, to confirm that the current working state of the source station is normal.
  • the confirmation module 330 is used to determine whether the service type recorded in the real-time traffic information is consistent with the service type information of the source station recorded in the log information. In the case of consistent service type information, it is confirmed that the current working state of the source station is normal, and in the case of inconsistent service types, it is confirmed that the current working state of the source station is abnormal.
  • the smart defense device shown in Figure 9 can implement the source station status detection method based on the content distribution network CDN system shown in Figure 6.
  • please refer to Figure 6 and the related descriptions for details, which will not be further described here.
  • the intelligent defense device of the present application includes a processing unit 410 and a communication interface 420.
  • the processing unit 410 is used to execute functions defined by various software programs, for example, to implement the functions of the intelligent defense device.
  • the communication interface 420 is used to communicate and interact with other computing nodes, and other devices may be other physical servers. Specifically, the communication interface 420 may be a network adapter card.
  • the smart defense device may further include an input/output interface 430, and the input/output interface 430 is connected to an input/output device for receiving input information and outputting operation results.
  • the input/output interface 430 may be a mouse, a keyboard, a display, or an optical drive, etc.
  • the smart defense device may also include auxiliary storage 440, which is generally also referred to as external storage.
  • the storage medium of auxiliary storage 440 may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, an optical disk), or a semiconductor medium (such as a solid state drive), etc.
  • the smart defense device may further include a bus 450.
  • the processing unit 410, the communication interface 420, the input/output interface 430, and the auxiliary memory 440 may be connected through the bus 450.
  • the bus 450 may be a peripheral component interconnect standard (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus 450 can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one line is used to represent the bus in FIG. 10, but this does not mean that there is only one bus or one type of bus.
  • the processing unit 410 may have a variety of specific implementation forms.
  • the processing unit 410 may include a processor 411 and a memory 412, and the processor 411 performs related operations of the embodiment shown in FIG. 6 according to program instructions stored in the memory 412.
  • the processor 411 may be a central processing unit (central processing unit, CPU).
  • the processor can also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • the general-purpose processor may be a microprocessor or any conventional processor or the like.
  • the processor 411 adopts one or more integrated circuits to execute related programs to implement the technical solutions provided in the embodiments of the present application.
  • the smart defense device shown in Figure 9 can implement the source station status detection method based on the content distribution network CDN system shown in Figure 6.
  • please refer to Figure 6 and the related descriptions for details, which will not be further described here.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented using software, they can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a storage disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a Solid State Disk (SSD)).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a content delivery network (CDN) system-based source station state detection method and a device. Said method comprises: receiving log information sent by a node in a CDN system, the log information recording therein a URL of a source station and historical traffic information of the source station; predicting, according to the log information, a traffic curve of the source station, the traffic curve comprising a future time and a predicted traffic value at the future time; and receiving real-time traffic information sent by the source station, and confirming, according to the real-time traffic information and the traffic curve, whether the current working state of the source station is normal. The described solution is able to predict a traffic curve of a source station, and can thereby better defend against an attack message.

Description

CDN system-based source station state detection method and device
Technical field
This application relates to the IT field, and in particular to a method and device for detecting the state of a source station based on a content delivery network (CDN) system.
Background
A content delivery network (CDN) uses groups of node servers distributed in different regions to form a traffic distribution and management network platform. It provides users with distributed storage and caching of content and, according to dynamic network traffic and load conditions, distributes content to fast and stable cache servers, improving the response speed of user content access and the availability of the service. Content providers can provide users with a large amount of content through a CDN, for example video, audio and text, and make a profit through advertising or by charging content playback fees. The content can be video, audio, text, and so on.
Those skilled in the art have found through long-term research that, under existing technical conditions, it is easy for a client to attack the source station through the CDN.
Summary of the invention
In order to solve the above problems, this application provides a method and device for detecting the state of a source station based on a content delivery network (CDN) system, which can predict the traffic curve of the source station and thereby better defend against attack packets.
In a first aspect, a method for detecting the state of a source station based on a content delivery network (CDN) system is provided, comprising:
receiving log information sent by a node in the CDN system, where the log information records the URL of the source station and historical traffic information of the source station;
predicting a traffic curve of the source station according to the log information, where the traffic curve includes a future time and a predicted traffic value at the future time;
receiving real-time traffic information sent by the source station, and confirming, according to the real-time traffic information and the traffic curve, whether the current working state of the source station is normal.
In some possible designs, the receiving of real-time traffic information sent by the source station and the confirming, according to the real-time traffic information and the traffic curve, of whether the working state of the source station is normal include:
obtaining the predicted traffic value corresponding to the current moment in the traffic curve;
in the case where the traffic value recorded in the real-time traffic information exceeds the predicted traffic value corresponding to the current moment in the traffic curve, confirming that the current working state of the source station is abnormal.
In some possible designs, after confirming that the current working state of the source station is abnormal, the method further includes:
confirming whether the traffic value recorded in the traffic information exceeds the endurance capacity of the source station; if not, sending alarm information; if so, notifying the node in the CDN system to discard the packets of the source station.
In some possible designs, the receiving of real-time traffic information sent by the source station and the confirming, according to the real-time traffic information and the traffic curve, of whether the working state of the source station is normal include:
obtaining the predicted traffic value corresponding to the current moment in the traffic curve;
in the case where the traffic value recorded in the real-time traffic information does not exceed the predicted traffic value corresponding to the current moment in the traffic curve, confirming that the current working state of the source station is normal.
In some possible designs, the log information also records service type information of the source station, and after receiving the real-time traffic information sent by the source station, the method further includes:
determining whether the service type recorded in the real-time traffic information is consistent with the service type information of the source station recorded in the log information; if so, confirming that the current working state of the source station is normal; if not, confirming that the current working state of the source station is abnormal.
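
The decision logic of the first aspect (predicted curve, over-prediction check, endurance-capacity check, service-type check) as a runnable example. This is an added example, not code from the patent: the per-hour mean-plus-3σ baseline stands in for the patent's prediction model, and the record fields, URL, capacity figure and traffic history are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class LogRecord:
    """One CDN-node log entry; the field names are assumptions."""
    origin_url: str
    timestamp: datetime
    traffic_mbps: float
    service_type: str


def day_type(ts):
    # Separate curves per day type; holidays would need a calendar (omitted).
    return "weekend" if ts.weekday() >= 5 else "workday"


class OriginProfile:
    """Predicted traffic curve and known service types of one source station."""

    def __init__(self, records, capacity_mbps, k=3.0):
        buckets = defaultdict(list)
        for r in records:
            buckets[(day_type(r.timestamp), r.timestamp.hour)].append(r.traffic_mbps)
        # Assumed predictor: per-slot mean plus k standard deviations.
        self.curve = {slot: mean(v) + k * pstdev(v) for slot, v in buckets.items()}
        self.service_types = {r.service_type for r in records}
        self.capacity_mbps = capacity_mbps

    def predicted(self, ts):
        return self.curve.get((day_type(ts), ts.hour))

    def check(self, ts, traffic_mbps, service_type):
        """Return (state, action) for one real-time traffic report."""
        predicted = self.predicted(ts)
        abnormal = (
            predicted is None                           # no baseline: fail closed (assumption)
            or traffic_mbps > predicted                 # exceeds the predicted value
            or service_type not in self.service_types   # service type inconsistent
        )
        if not abnormal:
            return ("normal", "none")
        # Abnormal: alarm while the source station can still bear the load,
        # otherwise tell the CDN nodes to discard the packets. Applying this
        # step to a service-type mismatch as well is an assumption.
        if traffic_mbps > self.capacity_mbps:
            return ("abnormal", "discard")
        return ("abnormal", "alarm")


def build_profiles(records, capacities_mbps, k=3.0):
    """Group log records by source-station URL and build one profile each."""
    by_url = defaultdict(list)
    for r in records:
        by_url[r.origin_url].append(r)
    return {u: OriginProfile(recs, capacities_mbps[u], k) for u, recs in by_url.items()}


URL = "https://origin.example/video"  # constructed source-station URL


def build_history(start, days):
    """Constructed hourly history: evening peak, busier weekends, small jitter."""
    records = []
    for d in range(days):
        for h in range(24):
            ts = start + timedelta(days=d, hours=h)
            base = 150.0 if day_type(ts) == "weekend" else 100.0
            peak = 60.0 if 19 <= h <= 22 else 0.0
            jitter = float((d * 7 + h * 3) % 11 - 5)
            records.append(LogRecord(URL, ts, base + peak + jitter, "video"))
    return records


HISTORY = build_history(datetime(2024, 1, 1), 28)       # four weeks from a Monday
PROFILE = build_profiles(HISTORY, {URL: 1000.0})[URL]   # capacity is constructed

if __name__ == "__main__":
    reports = [
        (datetime(2024, 2, 6, 10), 90.0, "video"),    # Tuesday morning, usual load
        (datetime(2024, 2, 6, 10), 200.0, "video"),   # same slot, above the curve
        (datetime(2024, 2, 10, 20), 200.0, "video"),  # Saturday evening peak
        (datetime(2024, 2, 6, 10), 1500.0, "video"),  # above endurance capacity
        (datetime(2024, 2, 6, 10), 90.0, "dns"),      # unexpected service type
    ]
    for ts, mbps, svc in reports:
        print(ts, mbps, svc, PROFILE.check(ts, mbps, svc))
```

The same 200 Mbps report is abnormal on a weekday morning and normal on a weekend evening, which is the reason for comparing against a time-indexed curve rather than one fixed threshold.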
In a second aspect, an intelligent defense device is provided, including a receiving module, a prediction module, and a confirmation module.
The receiving module is configured to receive log information sent by a node in the CDN system, where the log information records the URL of the source station and historical traffic information of the source station.
The prediction module is configured to predict a traffic curve of the source station according to the log information, where the traffic curve includes a future time and a predicted traffic value at the future time.
The confirmation module is configured to receive real-time traffic information sent by the source station, and to confirm, according to the real-time traffic information and the traffic curve, whether the current working state of the source station is normal.
In some possible designs, the confirmation module is further configured to:
obtain the predicted traffic value corresponding to the current moment in the traffic curve;
in the case where the traffic value recorded in the real-time traffic information exceeds the predicted traffic value corresponding to the current moment in the traffic curve, confirm that the current working state of the source station is abnormal.
In some possible designs, the device further includes an alarm module, and the alarm module is configured to confirm whether the traffic value recorded in the traffic information exceeds the endurance capacity of the source station; if the endurance capacity of the source station is not exceeded, it sends alarm information, and if the endurance capacity of the source station is exceeded, it notifies the node in the CDN system to discard the packets of the source station.
In some possible designs, the confirmation module is configured to obtain the predicted traffic value corresponding to the current moment in the traffic curve and, in the case where the traffic value recorded in the real-time traffic information does not exceed the predicted traffic value corresponding to the current moment in the traffic curve, to confirm that the current working state of the source station is normal.
In some possible designs, the confirmation module is configured to determine whether the service type recorded in the real-time traffic information is consistent with the service type information of the source station recorded in the log information; if the service type information is consistent, it confirms that the current working state of the source station is normal, and if the service types are inconsistent, it confirms that the current working state of the source station is abnormal.
In a third aspect, an intelligent defense device is provided, including a processor and a memory, where the processor executes the code in the memory to perform the method according to any one of the first aspect.
In a fourth aspect, a readable storage medium is provided, including instructions which, when run on an intelligent defense device, cause the intelligent defense device to perform the method according to any one of the first aspect.
In a fifth aspect, a computer program product is provided; when the computer program product is read and executed by a computer, the method according to any one of the first aspect is performed.
Description of the drawings
In order to explain the technical solutions in the embodiments of this application or in the background more clearly, the drawings used in the embodiments of this application or in the background are described below.
Figure 1 is a schematic structural diagram of a content delivery network involved in this application;
Figure 2 is a schematic diagram of a client requesting content data from a source station node in a content delivery network involved in this application;
Figure 3 is a schematic diagram of a cloud service involved in this application;
Figure 4 is a schematic structural diagram of a cloud CDN involved in this application;
Figure 5 is a schematic structural diagram of another cloud CDN provided by this application;
Figure 6 is a schematic flowchart of a method for detecting the state of a source station based on a content delivery network (CDN) system provided by this application;
Figure 7 is a schematic diagram of the traffic curves of source station 1 and source station 2 in this application in three cases: working days, weekends and long holidays;
Figure 8 is a schematic structural diagram of a deep neural network provided by this application;
Figure 9 is a schematic structural diagram of an intelligent defense device provided by this application;
Figure 10 is a schematic structural diagram of another intelligent defense device provided by this application.
Detailed description
Referring to Figure 1, Figure 1 is a schematic structural diagram of a content delivery network (CDN) involved in this application. The CDN system includes a source station node 10, a control platform 20, a content delivery network CDN, and clients 101-105. The content delivery network CDN includes central cache nodes 60-61 and edge cache nodes 70-74.
The clients 101-105 are usually the users' private devices, which users use to access the content data of the source station node 10. For example, the terminal device may be a smartphone, a tablet computer, a desktop computer, a vehicle-mounted device, a wearable device, and so on, which is not specifically limited here.
The source station node 10 is usually located in a data center far away from the clients 101-105 and is used to store a large amount of content data. For example, the source station node 10 may be a node of a website that provides viewing or downloading of videos such as entertainment, sports, news or film and television, a node of a website that provides audio playback of music, books and the like, a node of a website that provides text reading of news, articles, books and the like, and so on, which is not specifically limited here.
The central cache nodes are the upper-level nodes of the edge cache nodes 73-74, and at the same time the central cache nodes 60-61 are the lower-level nodes of the source station node 10. In other words, the central cache nodes can serve as a link between the edge cache nodes and the central cache nodes.
The edge cache nodes 70-74, which may also be called proxy caches (surrogates), are only a "single hop" away from the terminal devices and are used to cache the content data delivered by the source station node 10 to the edge cache nodes 70-74, so that the clients 101-105 can access it nearby. Specifically, the edge cache nodes 70-74 store a mirror image of the source station node 10, and the edge cache nodes 70-74 are usually located at the edge of the network. Therefore, the edge cache nodes 70-74 can provide content data to the clients 101-105 in place of the source station node 10, thereby realizing edge storage and dissemination of content data, relieving network congestion, and improving the response speed when the clients 101-105 access the source station node 10.
In order to ensure that data can be sent from the edge cache nodes 70-74 to the clients 101-105 as quickly as possible, the edge cache nodes 70-74 and the clients 101-105 must follow the settings below.
The edge cache nodes 70-74 are located in different regions. For example, the edge cache node 70 may be located in South China, the edge cache node 71 in Central China, the edge cache node 72 in West China, the edge cache node 73 in North China, and the edge cache node 74 in East China.
The clients 101-105 are located in different regions. For example, the client 101 may be located in South China, the client 102 in Central China, the client 103 in West China, the client 104 in North China, and the client 105 in East China.
That is, the client 101 is located in South China, so the client 101 and the edge cache node 70 are in the same region and are closest to each other; the client 102 is located in Central China, so the client 102 and the edge cache node 71 are in the same region and are closest to each other; the client 103 is located in West China, so the client 103 and the edge cache node 72 are in the same region and are closest to each other; the client 104 is located in North China, so the client 104 and the edge cache node 73 are in the same region and are closest to each other; the client 105 is located in East China, so the client 105 and the edge cache node 74 are in the same region and are closest to each other.
In other embodiments, the number of source station nodes is not limited to 2 and may be another positive integer, the number of central cache nodes is not limited to 2 and may be another positive integer, and the number of edge cache nodes is not limited to 5 and may be another positive integer, which is not specifically limited here.
Referring to Figure 2, Figure 2 is a schematic diagram of a request flow for content data of a CDN involved in this application. On the basis of the CDN shown in Figure 1, as shown in Figure 2, the request flow for content data of the CDN of this application includes the following steps:
S101: The client sends a request packet to the edge cache node. Correspondingly, the edge cache node receives the request packet sent by the client. The request packet is used by the client to request content data in the source station from the source station node.
S102: The edge cache node determines whether it has cached the content data in the source station requested by the request packet. If so, go to step S103; if not, go to step S104.
S103: The edge cache node sends the content data requested by the request packet, and the flow ends.
S104: The edge cache node sends a request packet to the source station node. Correspondingly, the source station node receives the request packet sent by the edge cache node. The request packet is used by the edge cache node to request content data in the source station from the source station node.
S105: The source station node sends the content data to the edge cache node. Correspondingly, the edge cache node receives the content data sent by the source station node.
S106: The edge cache node sends the content data in the source station to the client. Correspondingly, the client receives the content data in the source station sent by the edge cache node, and the flow ends.
It can be understood that whenever any client in Figure 1 requests content data from any corresponding source station node in Figure 1, it follows the above request flow, which is not described further here.
Referring to Figure 3, Figure 3 is a schematic diagram of a cloud service involved in this application. The cloud owner deploys the cloud computing infrastructure itself, that is, deploys computing resources (for example, servers) 110, storage resources (for example, storage devices) 120, network resources (for example, network cards) 130, and so on. Then the owner of the public cloud (for example, an operator) virtualizes the computing resources, storage resources and network resources of the cloud computing infrastructure and provides corresponding services for the users of the cloud (for example, users). The operator can provide the following three services to users: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
The service that IaaS provides to users is the use of the cloud computing infrastructure, including processing, storage, network and other basic computing resources, on which users can deploy and run any software, including operating systems and applications. Users do not manage or control any cloud computing infrastructure, but they can control the choice of operating system, the storage space and the deployed applications, and may also obtain limited control of network components (for example, firewalls, load balancers, etc.).
The service that PaaS provides to users is the deployment, onto the cloud computing infrastructure, of applications that users have developed or acquired using the development languages and tools provided by the vendor (such as Java, Python, .NET, etc.). Users do not need to manage or control the underlying cloud computing infrastructure, including networks, servers, operating systems, storage and so on, but they can control the deployed applications and may also control the configuration of the hosting environment that runs the applications.
The service that SaaS provides to users is the applications that the operator runs on the cloud computing infrastructure. Users can access the applications on the cloud computing infrastructure from various devices through a client interface, such as a browser. Users do not need to manage or control any cloud computing infrastructure, including networks, servers, operating systems, storage, and so on.
It can be understood that the operator provides leasing services to different tenants through any one of IaaS, PaaS and SaaS, and that the data and configuration of different tenants are isolated from each other, thereby ensuring the security and privacy of each tenant's data.
Refer to FIG. 4, which is a schematic structural diagram of a cloud CDN involved in this application. The cloud CDN of this embodiment implements the CDN shown in FIG. 1 on the basis of the cloud service shown in FIG. 2. The tenants of the cloud computing infrastructure are content providers, and each content provider sets up its own source stations on the cloud computing infrastructure (including computing resources, storage resources, and network resources). Storage virtualization technology can be used to flexibly provide tenants with storage solutions, so that the content data in a tenant's source station nodes is stored better. Network virtualization technology can be used to flexibly provide tenants with traffic solutions, so that the content data of a tenant's source stations is transmitted better. Server virtualization technology can be used to flexibly provide tenants with computing capacity solutions, so that the content data of a tenant's source stations is managed better.
In a specific embodiment, the cloud CDN is a multi-tenant, multi-source-station scenario. That is, the cloud CDN may include multiple tenants, each tenant may include one or more source station nodes, and each source station node may host one or more source stations. Taking the cloud CDN shown in FIG. 4 as an example, tenant 1 may be a content provider that specializes in film and television video, and the tenant may set up a dedicated source station node for film and television video, namely source station node 10, to provide users with film and television video. Tenant 2 may be a content provider that offers several kinds of content, and the tenant may set up a dedicated source station node for books, namely source station node 11, to provide users with book reading, and a dedicated source station node for current affairs, namely source station node 12, to provide users with current affairs information.
In other embodiments, the number of tenants is not limited to 2 and may be another positive integer, the number of source station nodes is not limited to 3 and may be another positive integer, the number of central cache nodes is not limited to 2 and may be another positive integer, and the number of edge cache nodes is not limited to 5 and may be another positive integer. No specific limitation is made here.
To prevent attacks by attack packets, the prior art places a firewall between the client and the edge cache nodes. However, the firewall can only be configured with a simple preset threshold, that is, the same preset threshold is used for different source stations and for different points in time. The normal access traffic of different source stations differs greatly. For example, some large source stations have an average normal access traffic of 20G, while some small ones have an average normal access traffic of 2G. The normal access traffic of the same source station at different points in time also differs greatly. For example, the average normal access traffic of a source station can reach 20G on major holidays and be 2G on workdays. Using the same preset threshold for different source stations and different points in time therefore causes many problems. The following examples assume that the preset threshold of the source station is 5G and illustrate the problems:
(1) At 8:00 in the morning on a workday, the normal access traffic of the source station is 1G and the attack traffic is 3G. Because the total traffic does not reach 5G, the firewall cannot raise an alarm or block the traffic.
(2) At 20:00 in the evening on a workday, the access peak of the source station arrives suddenly and the normal access traffic exceeds 5G. Because the normal access traffic exceeds the preset threshold, the firewall wrongly raises an alarm and blocks the traffic.
(3) At 12:00 noon during a major holiday, the normal access traffic of the source station exceeds 5G. Because the normal access traffic exceeds the preset threshold, the firewall wrongly raises an alarm and blocks the traffic.
(4) After expansion, the source station node has a bearing capacity of 8G, and the edge cache node has a bearing capacity of 20G. When the normal access traffic of the source station node exceeds 1G and the attack traffic is 5G, the firewall raises an alarm and blocks the traffic because the normal access traffic exceeds the preset threshold. In fact, however, the bearing capacity of the source station node and of the edge cache node is greater than the sum of the normal access traffic and the attack traffic, so blocking causes a large amount of normal access to be blocked as well.
(5) After expansion, the source station node has a bearing capacity of 3G, and the edge cache node has a bearing capacity of 20G. When the normal access traffic of the source station exceeds 1G and the attack traffic is 3G, the firewall does not raise an alarm or block the traffic because the sum of the normal access traffic and the attack traffic does not exceed the preset threshold. In fact, however, the bearing capacity of the source station node is less than the sum of the normal access traffic and the attack traffic, so the absence of an alarm and of blocking causes the source station node to go down from access overload.
To solve the above problems, this application provides a source station state detection method and device based on a content distribution network (CDN) system, which can predict the traffic curve of a source station and thereby better defend against attack packets. Each is described in detail below.
Refer to FIG. 5, which is a schematic structural diagram of another cloud CDN provided by this application. In this embodiment, the operator can add an intelligent defense device to the cloud CDN shown in FIG. 4, which yields the cloud CDN shown in FIG. 5. Refer to FIG. 6, which is a schematic flowchart of a source station state detection method based on a CDN system provided by this application. As shown in FIG. 6, on the basis of the cloud CDN shown in FIG. 5, the source station state detection method based on a CDN system of this application includes the following steps:
S201: The intelligent defense device receives log information sent by a node in the CDN system, where the log information records the URL of the source station and the historical traffic information of the source station.
S202: The intelligent defense device predicts the traffic curve of the source station according to the log information, where the traffic curve includes future moments and the predicted traffic values at those future moments.
S203: The intelligent defense device receives the real-time traffic information sent by the source station, and determines, according to the real-time traffic information and the traffic curve, whether the current working state of the source station is normal.
In a specific implementation of this application, the intelligent defense device obtains the predicted traffic value that corresponds to the current moment in the traffic curve. If the traffic value recorded in the real-time traffic information exceeds the predicted traffic value that corresponds to the current moment in the traffic curve, the device determines that the current working state of the source station is abnormal. If the traffic value recorded in the real-time traffic information does not exceed that predicted traffic value, the device determines that the current working state of the source station is normal.
In a specific implementation of this application, when the current working state of the source station is determined to be abnormal, the intelligent defense device can handle it in either of the following two ways: (1) The intelligent defense device directly notifies the node in the CDN system to discard the packets of the source station. (2) The intelligent defense device checks whether the traffic value recorded in the traffic information exceeds the bearing capacity of the source station. If it does not, the device sends alarm information. If it does, the device notifies the node in the CDN system to discard the packets of the source station. The bearing capacity of the source station is determined by the usage rates of the CPU, memory, network bandwidth, and other resources of the source station node where the source station is located, together with the capacities of the CPU, memory, network bandwidth, and other resources of that source station node. For example, even though the predicted traffic value of the source station is 3.2G and the current actual traffic value is 8G, if the source station node where the source station is located can bear 20G of traffic, the intelligent defense device can first send alarm information rather than notify the node in the CDN system to discard the packets of the source station. This ensures that normal services are not interrupted and improves the user experience.
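The comparison in S203 and handling option (2), set beside the fixed 5G firewall threshold from the earlier examples, as an added Python example that is not part of the application. The curve points, the function names, linear interpolation between curve points, and the use of a single bearing-capacity figure in G are assumptions of this example.

```python
"""Curve-based source station check (S203) beside a fixed firewall threshold."""
from bisect import bisect_right
from enum import Enum

FIXED_THRESHOLD_G = 5.0  # the single preset threshold assumed in the text's examples

# Constructed sample curve for one source station on a workday: (hour, predicted G).
# These values are made up for the example, not taken from the application.
WORKDAY_CURVE = [(0, 0.5), (4, 0.3), (8, 1.2), (12, 3.0), (16, 3.2), (20, 6.0), (24, 0.5)]


class Action(Enum):
    NORMAL = "normal"  # real-time traffic does not exceed the predicted value
    ALERT = "alert"    # abnormal, but within the source station's bearing capacity
    DROP = "drop"      # abnormal and beyond the bearing capacity: discard packets


def predicted_at(curve, hour):
    """Predicted traffic (G) at `hour` from a sorted list of (hour, value) points.

    Linear interpolation between points is an assumption of this example; the
    text only says the value corresponding to the current moment is looked up.
    """
    hours = [h for h, _ in curve]
    if not hours[0] <= hour <= hours[-1]:
        raise ValueError("hour outside the predicted curve")
    i = bisect_right(hours, hour)
    if i == len(curve):  # hour is exactly the last point
        return curve[-1][1]
    (h0, v0), (h1, v1) = curve[i - 1], curve[i]
    return v0 + (v1 - v0) * (hour - h0) / (h1 - h0)


def check_source_station(realtime_g, predicted_g, capacity_g):
    """S203 comparison followed by handling option (2)."""
    if realtime_g <= predicted_g:
        return Action.NORMAL
    if realtime_g > capacity_g:
        return Action.DROP
    return Action.ALERT


def fixed_threshold_blocks(realtime_g, threshold_g=FIXED_THRESHOLD_G):
    """Behaviour of the prior-art firewall: one threshold for every station and hour."""
    return realtime_g > threshold_g


# Constructed scenarios: (name, hour, real-time G, bearing capacity G).
SCENARIOS = [
    ("attack under 5G, 3G capacity", 8, 4.0, 3.0),   # like problem (5)
    ("attack over 5G, 8G capacity", 8, 6.0, 8.0),    # like problem (4)
    ("legitimate evening peak", 20, 5.5, 8.0),       # like problem (2)
    ("8G actual, 20G capacity", 16, 8.0, 20.0),      # predicted 3.2G, as in the text
]


def run_scenarios(curve=WORKDAY_CURVE):
    """Return {name: (fixed firewall blocks?, curve-based action)}."""
    results = {}
    for name, hour, realtime_g, capacity_g in SCENARIOS:
        action = check_source_station(realtime_g, predicted_at(curve, hour), capacity_g)
        results[name] = (fixed_threshold_blocks(realtime_g), action)
    return results


if __name__ == "__main__":
    for name, (blocked, action) in run_scenarios().items():
        print(f"{name:32s} fixed-threshold blocks={blocked!s:5s} curve-based={action.value}")
```
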
For ease of understanding, the traffic curves of source station 1 and source station 2 are described in detail below for workdays, weekends, and major holidays. Workdays are the days of normal work and school. Weekends are the usual days of rest, for example, Sunday. Major holidays usually refer to public holidays of three days or more, for example, Christmas, the Spring Festival, and National Day.
1. Workdays
(1) The traffic curve of source website 1 is as follows:
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 0:00 on past workday 1 was 2.5G, at 0:00 on past workday 2 was 2.3G, …, and at 0:00 on past workday n was 2.7G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 1 at 0:00 on a future workday is 2.55G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 4:00 on past workday 1 was 0.71G, at 4:00 on past workday 2 was 0.52G, …, and at 4:00 on past workday n was 0.57G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 1 at 4:00 on a future workday is 0.53G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 8:00 on past workday 1 was 1.59G, at 8:00 on past workday 2 was 1.62G, …, and at 8:00 on past workday n was 1.75G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 1 at 8:00 on a future workday is 1.63G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 12:00 on past workday 1 was 20.5G, at 12:00 on past workday 2 was 20.05G, …, and at 0:00 on past workday n was 22.43G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 1 at 0:00 on a future workday is 21.53G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on past workday 1 was 22.12G, at 16:00 on past workday 2 was 18.45G, …, and at 16:00 on past workday n was 21.32G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 1 at 16:00 on a future workday is 21.28G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 20:00 on past workday 1 was 23.52G, at 20:00 on past workday 2 was 25.38G, …, and at 20:00 on past workday n was 23.05G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 1 at 20:00 on a future workday is 24.23G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 24:00 on past workday 1 was 0.55G, at 24:00 on past workday 2 was 0.62G, …, and at 24:00 on past workday n was 0.51G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 1 at 24:00 on a future workday is 0.55G.
Therefore, as shown in (a) of FIG. 7, the traffic curve of source station 1 on a future workday can be the curve formed by the above predicted values: 2.55G, 0.53G, 1.63G, 21.53G, 21.28G, 24.23G, and 0.55G.
(2) The traffic curve of source website 2 is as follows:
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 0:00 on past workday 1 was 0.19G, at 0:00 on past workday 2 was 0.22G, …, and at 0:00 on past workday n was 0.09G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 2 at 0:00 on a future workday is 0.13G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 4:00 on past workday 1 was 0.07G, at 4:00 on past workday 2 was 0.12G, …, and at 4:00 on past workday n was 0.15G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 2 at 4:00 on a future workday is 0.12G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 8:00 on past workday 1 was 0.82G, at 8:00 on past workday 2 was 0.87G, …, and at 8:00 on past workday n was 0.95G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 2 at 8:00 on a future workday is 0.83G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 12:00 on past workday 1 was 2.49G, at 12:00 on past workday 2 was 2.82G, …, and at 12:00 on past workday n was 1.79G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 2 at 12:00 on a future workday is 2.62G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on past workday 1 was 1.63G, at 16:00 on past workday 2 was 2.48G, …, and at 16:00 on past workday n was 2.19G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 2 at 16:00 on a future workday is 2.42G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 3 at 20:00 on past workday 1 was 2.67G, at 30:00 on past workday 2 was 3.56G, …, and at 20:00 on past workday n was 3.15G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 2 at 20:00 on a future workday is 3.26G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 24:00 on past workday 1 was 0.21G, at 0:00 on past workday 2 was 0.17G, …, and at 24:00 on past workday n was 0.13G. The intelligent defense device can then input this data into the workday traffic prediction model to predict that the traffic value of source station 2 at 24:00 on a future workday is 0.15G.
Therefore, as shown in (b) of FIG. 7, the traffic curve of source station 2 on a future workday can be the curve formed by the above predicted values: 0.13G, 0.12G, 0.83G, 2.62G, 2.42G, 3.26G, and 0.15G.
2. Weekends
(1) The traffic curve of source website 1 is as follows:
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 0:00 on past weekend 1 was 4.53G, at 0:00 on past weekend 2 was 4.81G, …, and at 0:00 on past weekend n was 4.92G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 0:00 on a future weekend is 4.78G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 4:00 on past weekend 1 was 2.45G, at 4:00 on past weekend 2 was 2.83G, …, and at 4:00 on past weekend n was 2.51G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 4:00 on a future weekend is 2.73G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 8:00 on past weekend 1 was 3.07G, at 8:00 on past weekend 2 was 3.39G, …, and at 8:00 on past weekend n was 5.15G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 8:00 on a future weekend is 4.15G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 12:00 on past weekend 1 was 24.75G, at 12:00 on past weekend 2 was 27.55G, …, and at 0:00 on past weekend n was 22.48G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 0:00 on a future weekend is 26.29G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on past weekend 1 was 28.12G, at 16:00 on past weekend 2 was 28.41G, …, and at 16:00 on past weekend n was 30.38G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 16:00 on a future weekend is 29.25G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 20:00 on past weekend 1 was 35.25G, at 20:00 on past weekend 2 was 38.38G, …, and at 20:00 on past weekend n was 37.08G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 20:00 on a future weekend is 37.09G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 24:00 on past weekend 1 was 20.58G, at 24:00 on past weekend 2 was 20.33G, …, and at 24:00 on past weekend n was 25.57G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 1 at 24:00 on a future weekend is 23.88G.
Therefore, as shown in (c) of FIG. 7, the traffic curve of source station 1 on a future weekend can be the curve formed by the above predicted values: 5.77, 2.68G, 16.88G, 33.75G, 37.25G, 40.77G, and 26.66G.
(2) The traffic curve of source website 2 is as follows:
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 0:00 on past weekend 1 was 1.85G, at 0:00 on past weekend 2 was 0.99, …, and at 0:00 on past weekend n was 1.53. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 0:00 on a future weekend is 1.01G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 4:00 on past weekend 1 was 0.53G, at 4:00 on past weekend 2 was 0.75G, …, and at 4:00 on past weekend n was 1.01G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 4:00 on a future weekend is 0.99G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 8:00 on past weekend 1 was 2.11G, at 8:00 on past weekend 2 was 1.75G, …, and at 8:00 on past weekend n was 1.06G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 8:00 on a future weekend is 1.83G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 12:00 on past weekend 1 was 3.69G, at 12:00 on past weekend 2 was 2.52G, …, and at 12:00 on past weekend n was 3.72G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 12:00 on a future weekend is 3.62G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on past weekend 1 was 3.88G, at 16:00 on past weekend 2 was 2.91G, …, and at 16:00 on past weekend n was 3.04G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 16:00 on a future weekend is 3.76G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 3 at 20:00 on past weekend 1 was 4.19G, at 20:00 on past weekend 2 was 4.94G, …, and at 20:00 on past weekend n was 3.25G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 20:00 on a future weekend is 4.85G.
Assume that the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 24:00 on past weekend 1 was 2.16G, at 0:00 on past weekend 2 was 1.88G, …, and at 24:00 on past weekend n was 1.79G. The intelligent defense device can then input this data into the weekend traffic prediction model to predict that the traffic value of source station 2 at 24:00 on a future weekend is 2.07G.
因此,如图7中(d)所示,所述源站2在未来的周末的流量曲线可以是由上述预测值:1.01G、0.99G、1.83G、3.62G、3.76G、4.85G以及2.07G构成的曲线。Therefore, as shown in Figure 7(d), the traffic curve of the source station 2 in the future weekend can be based on the above-mentioned predicted values: 1.01G, 0.99G, 1.83G, 3.62G, 3.76G, 4.85G, and 2.07 The curve formed by G.
3. Major holidays
(1) The traffic curve of source website 1 is as follows:
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 0:00 on past major holiday 1 was 5.06G, at 0:00 on past major holiday 2 was 4.55G, ..., and at 0:00 on past major holiday n was 6.12G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 5.77G for source station 1 at 0:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 4:00 on past major holiday 1 was 2.14G, at 4:00 on past major holiday 2 was 2.08G, ..., and at 4:00 on past major holiday n was 2.87G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 2.68G for source station 1 at 4:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 8:00 on past major holiday 1 was 15.85G, at 8:00 on past major holiday 2 was 14.09G, ..., and at 8:00 on past major holiday n was 17.11G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 16.88G for source station 1 at 8:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 12:00 on past major holiday 1 was 30.45G, at 12:00 on past major holiday 2 was 35.22G, ..., and at 0:00 on past major holiday n was 32.55G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 33.75G for source station 1 at 0:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on past major holiday 1 was 34.12G, at 16:00 on past major holiday 2 was 39.53G, ..., and at 16:00 on past major holiday n was 38.06G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 37.25G for source station 1 at 16:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 20:00 on past major holiday 1 was 40.15G, at 20:00 on past major holiday 2 was 38.66G, ..., and at 20:00 on past major holiday n was 42.43G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 40.77G for source station 1 at 20:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 24:00 on past major holiday 1 was 25.18G, at 24:00 on past major holiday 2 was 27.23G, ..., and at 24:00 on past major holiday n was 27.17G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 26.66G for source station 1 at 24:00 on a future major holiday.
Therefore, as shown in (e) of Figure 7, the traffic curve of source station 1 on a future major holiday can be the curve formed by the above predicted values: 4.78G, 2.73G, 4.15G, 26.29G, 29.25G, 37.09G and 23.88G.
(2) The traffic curve of source website 2 is as follows:
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 0:00 on past major holiday 1 was 2.52G, at 0:00 on past major holiday 2 was 1.75, ..., and at 0:00 on past major holiday n was 2.78. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 2.57G for source station 2 at 0:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 4:00 on past major holiday 1 was 1.61G, at 4:00 on past major holiday 2 was 1.69G, ..., and at 4:00 on past major holiday n was 1.22G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 1.45G for source station 2 at 4:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 8:00 on past major holiday 1 was 3.22G, at 8:00 on past major holiday 2 was 3.79G, ..., and at 8:00 on past major holiday n was 2.98G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 3.03G for source station 2 at 8:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 12:00 on past major holiday 1 was 4.35G, at 12:00 on past major holiday 2 was 4.12G, ..., and at 12:00 on past major holiday n was 5.09G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 4.66G for source station 2 at 12:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 1 at 16:00 on past major holiday 1 was 5.81G, at 16:00 on past major holiday 2 was 4.93G, ..., and at 16:00 on past major holiday n was 4.88G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 5.26G for source station 2 at 16:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 3 at 20:00 on past major holiday 1 was 5.88G, at 20:00 on past major holiday 2 was 6.04G, ..., and at 20:00 on past major holiday n was 6.25G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 6.17G for source station 2 at 20:00 on a future major holiday.
Suppose the historical traffic information carried in the log information that the intelligent defense device receives from the CDN system includes: the historical traffic of source station 2 at 24:00 on past major holiday 1 was 3.17G, at 0:00 on past major holiday 2 was 2.94G, ..., and at 24:00 on past major holiday n was 3.09G. The intelligent defense device can then input this data into the major holiday traffic prediction model to predict a traffic value of 3.01G for source station 2 at 24:00 on a future major holiday.
Therefore, as shown in (f) of Figure 7, the traffic curve of source station 2 on a future major holiday can be the curve formed by the above predicted values: 2.57G, 1.45G, 3.03G, 4.66G, 5.26G, 6.17G and 3.01G.
For ease of presentation, the above examples predict the traffic value at each time node using a time interval of 4 hours. In practice, to make the curve more precise, the interval can be shortened to 2 hours, 1 hour, 30 minutes, 15 minutes, 10 minutes, 5 minutes and so on; conversely, when the curve does not need to be that precise, the interval can be lengthened. No specific limitation is imposed here.
The working day traffic prediction model, the weekend traffic prediction model and the major holiday traffic prediction model in the above examples can be implemented with a deep neural network or with a segmented model. Each is described in detail below.
In the first approach, the working day traffic prediction model, the weekend traffic prediction model and the major holiday traffic prediction model are implemented with a deep neural network.
In a specific implementation of this application, the working day traffic prediction model can be expressed as:
$b_1 = g_1(a_1)$
where $b_1$ is the predicted traffic value for a working day, $a_1$ is the historical traffic of the source station at the current sampling time on a working day, and $g_1$ is the mapping between the predicted traffic value for a working day and the historical traffic of the source station at the current sampling time on a working day. The mapping $g_1$ can be obtained by training on a large amount of known working day historical traffic and a large number of known predicted traffic values for the source station's current sampling time on working days. In a specific embodiment, the large number of known predicted traffic values for the source station's current sampling time on working days can be the predicted traffic values at this time point on working days within the last six months; correspondingly, the large amount of known working day traffic can be the historical traffic at this time point on working days within the last six months.
(2) The weekend traffic prediction model can be expressed as:
$b_2 = g_2(a_2)$
where $b_2$ is the predicted traffic value for a weekend, $a_2$ is the historical traffic of the source station at the current sampling time on a weekend, and $g_2$ is the mapping between the predicted traffic value for a weekend and the historical traffic of the source station at the current sampling time on a weekend. The mapping $g_2$ can be obtained by training on a large number of known weekend predicted traffic values and a large amount of known historical traffic of the source station at the current sampling time on weekends. In a specific embodiment, the large amount of known historical traffic of the source station at the current sampling time on weekends can be the historical traffic at this time point on weekends within the last year; correspondingly, the large number of known weekend predicted traffic values can be the predicted traffic values at this time point on weekends within the last year.
(3) The major holiday traffic prediction model can be expressed as:
$b_3 = g_3(a_3)$
where $b_3$ is the predicted traffic value for a major holiday, $a_3$ is the historical traffic of the source station at the current sampling time on a major holiday, and $g_3$ is the mapping between the predicted traffic value for a major holiday and the historical traffic of the source station at the current sampling time on a major holiday. The mapping $g_3$ can be obtained by training on a large number of known major holiday predicted traffic values and a large amount of known historical traffic of the source station at the current sampling time on major holidays. In a specific embodiment, the large amount of known historical traffic of the source station at the current sampling time on major holidays can be the historical traffic at this time point on major holidays within the last two years; correspondingly, the large number of known major holiday predicted traffic values can be the predicted traffic values at this time point on major holidays within the last two years.
In the second approach, the working day traffic prediction model, the weekend traffic prediction model and the major holiday traffic prediction model are implemented with a segmented model.
(1) The working day traffic prediction model can be expressed as:
Find the average:
Figure PCTCN2020119009-appb-000001
where
Figure PCTCN2020119009-appb-000002
is the average; $x_1$ to $x_{n-1}$ are the historical traffic values at this time point on working days within the last six months; $x_n$ is the historical traffic of the source station at the current sampling time on a working day; and $n$ is the sum of the number of historical traffic values at this time point on working days within the last six months and the number of historical traffic values at the source station's current sampling time.
Find the variance:
Figure PCTCN2020119009-appb-000003
where $\sigma_1$ is the variance; $x_1$ to $x_{n-1}$ are the historical traffic values at this time point on working days within the last six months; $x_n$ is the historical traffic of the source station at the current sampling time on a working day; and $n$ is the sum of the number of historical traffic values at this time point on working days within the last six months and the number of historical traffic values at the source station's current sampling time.
Find the confidence interval:
Figure PCTCN2020119009-appb-000004
where $p$ is the lower limit of the confidence interval, $q$ is the upper limit of the confidence interval,
Figure PCTCN2020119009-appb-000005
is the average, $t$ is a natural number greater than zero, and $\sigma_1$ is the variance.
Here, the predicted traffic value can be set equal to the upper limit of the confidence interval.
(2) The weekend traffic prediction model can be expressed as:
Find the average:
Figure PCTCN2020119009-appb-000006
where
Figure PCTCN2020119009-appb-000007
is the average; $y_1$ to $y_{n-1}$ are the historical traffic values at this time point on weekends within the last year; $y_n$ is the historical traffic of the source station at the current sampling time on a weekend; and $n$ is the sum of the number of historical traffic values at this time point on weekends within the last year and the number of historical traffic values at the source station's current sampling time.
Find the variance:
Figure PCTCN2020119009-appb-000008
where $\sigma_2$ is the variance; $y_1$ to $y_{n-1}$ are the historical traffic values at this time point on weekends within the last year; $y_n$ is the historical traffic of the source station at the current sampling time on a weekend; and $n$ is the sum of the number of historical traffic values at this time point on weekends within the last year and the number of historical traffic values at the source station's current sampling time.
Find the confidence interval:
Figure PCTCN2020119009-appb-000009
where $p$ is the lower limit of the confidence interval, $q$ is the upper limit of the confidence interval,
Figure PCTCN2020119009-appb-000010
is the average, $t$ is a natural number greater than zero, and $\sigma_2$ is the variance.
Here, the predicted traffic value can be set equal to the upper limit of the confidence interval.
(3) The major holiday traffic prediction model can be expressed as:
Find the average:
Figure PCTCN2020119009-appb-000011
where
Figure PCTCN2020119009-appb-000012
is the average; $z_1$ to $z_{n-1}$ are the historical traffic values at this time point on major holidays within the last two years; $z_n$ is the historical traffic of the source station at the current sampling time on a major holiday; and $n$ is the sum of the number of historical traffic values at this time point on major holidays within the last two years and the number of historical traffic values at the source station's current sampling time.
Find the variance:
Figure PCTCN2020119009-appb-000013
where $\sigma_3$ is the variance; $z_1$ to $z_{n-1}$ are the historical traffic values at this time point on major holidays within the last two years; $z_n$ is the historical traffic of the source station at the current sampling time on a major holiday; and $n$ is the sum of the number of historical traffic values at this time point on major holidays within the last two years and the number of historical traffic values at the source station's current sampling time.
Find the confidence interval:
Figure PCTCN2020119009-appb-000014
where $p$ is the lower limit of the confidence interval, $q$ is the upper limit of the confidence interval,
Figure PCTCN2020119009-appb-000015
is the average, $t$ is a natural number greater than zero, and $\sigma_3$ is the variance.
Here, the predicted traffic value can be set equal to the upper limit of the confidence interval.
It can be understood that the above examples set the predicted traffic value equal to the upper limit of the confidence interval. In practice, the predicted traffic value can instead equal the lower limit of the confidence interval, or any value between the upper and lower limits; no limitation is imposed here.
Using the above source station state detection method based on a content delivery network (CDN) system solves the problems of the prior art.
(1) At 8:00 a.m. on a working day, the normal access traffic of the source station is 1G and the attack traffic is 3G. The working day traffic prediction model yields a predicted traffic value of about 1G for 10:00 a.m. on a working day. Because the 3G of attack data is superimposed, the access data is about 4G, which deviates severely from the normal access level, so an alarm is raised.
(2) At 20:00 on a working day, the access peak of the source station arrives suddenly and normal access traffic exceeds 5G. The working day traffic prediction model yields normal access traffic of about 5G at 20:00 on a working day, and the normal access traffic collected in real time is about 5G. The deviation between the two values is small, which is within the normal range.
(3) At 12:00 noon on a major holiday, the normal access traffic of the source station exceeds 5G. The major holiday traffic prediction model yields normal access traffic of about 33G at 12:00 on a major holiday, and the access data collected in real time is about 30G. The deviation between the two values is small, which is within the normal range.
(4) After capacity expansion, the source station node can withstand 8G and the edge cache node can withstand 20G. When the normal access traffic of the source station exceeds 1G and the attack traffic is 5G, the 6G of access is judged to be far below both the 8G capacity of the source station node and the 20G capacity of the edge cache node, so no defensive blocking is performed and only an alarm is raised.
(5) After capacity expansion, the source station node can withstand 3G and the edge cache node can withstand 20G. When the normal access traffic of the source station exceeds 1G and the attack traffic is 3G, the 6G of access is judged to have exceeded the capacity of the source station node, so active blocking defense is performed to prevent the source station node from going down.
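The segmented model and scenarios (1) to (5) above can be exercised together. The following Python sketch is an added example, not code from the patent: since the interval formula survives here only as an image reference, it assumes the interval is the mean plus or minus t times the population standard deviation, and the function names, the 20% deviation tolerance and the 1G baseline used for scenarios (4) and (5) are likewise assumptions.

```python
from statistics import mean, pstdev


def segmented_forecast(history_g, t=1):
    """Return (p, q, predicted) in G for one time point of one day type.

    ASSUMPTION: the interval is mean -/+ t * population standard deviation.
    The text names a mean, a variance and a multiplier t, but its formula
    images are missing, so this form is not taken from the patent.
    """
    if len(history_g) < 2:
        raise ValueError("need at least two historical samples")
    if t <= 0:
        raise ValueError("t must be greater than zero")
    centre = mean(history_g)
    spread = pstdev(history_g)
    p, q = centre - t * spread, centre + t * spread
    return p, q, q  # the text sets the predicted value to the upper limit q


def assess(observed_g, predicted_g, origin_capacity_g=None,
           edge_capacity_g=None, rel_tol=0.2):
    """Classify real-time traffic as 'normal', 'alarm' or 'block'.

    rel_tol is an assumed threshold: the text only says the deviation is
    "small" or "severe". Blocking is chosen only when anomalous traffic
    also exceeds a known node capacity, as in scenarios (4) and (5).
    """
    if predicted_g <= 0:
        raise ValueError("predicted traffic must be positive")
    deviation = abs(observed_g - predicted_g) / predicted_g
    if deviation <= rel_tol:
        return "normal"
    capacities = [c for c in (origin_capacity_g, edge_capacity_g)
                  if c is not None]
    if capacities and observed_g > min(capacities):
        return "block"
    return "alarm"


# Constructed inputs using the figures quoted in scenarios (1) to (5).
# The 1.0 G baseline in (4) and (5) is an assumption (the "normal" traffic).
SCENARIOS = [
    dict(observed_g=4.0, predicted_g=1.0),                    # (1)
    dict(observed_g=5.0, predicted_g=5.0),                    # (2)
    dict(observed_g=30.0, predicted_g=33.0),                  # (3)
    dict(observed_g=6.0, predicted_g=1.0,
         origin_capacity_g=8.0, edge_capacity_g=20.0),        # (4)
    dict(observed_g=6.0, predicted_g=1.0,
         origin_capacity_g=3.0, edge_capacity_g=20.0),        # (5)
]


def run_scenarios():
    """Return the verdict for each constructed scenario, in order."""
    return [assess(**scenario) for scenario in SCENARIOS]


if __name__ == "__main__":
    # Constructed history (G) for one time point; mean 5.0, spread 2.0.
    sample = [2.0, 4.0, 4.0, 4.0, 5.0, 5.0, 7.0, 9.0]
    print(segmented_forecast(sample, t=1))
    print(run_scenarios())
```

Setting the prediction to the upper limit q makes the baseline tolerant of ordinary peaks, so the tolerance and t together determine how much headroom an attacker has before an alarm fires.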
The intelligent defense device can also identify the service type of the real-time traffic with a service type recognition model and determine whether the service type of the real-time traffic is consistent with the service type information of the source station recorded in the log information. If it is, the current working state of the source station is confirmed to be normal; if not, the current working state of the source station is confirmed to be abnormal.
In a specific implementation of this application, the service type recognition model can be expressed as:
$y_1 = f_1(x)$
where $y_1$ is the service type, $x$ is the real-time traffic, and $f_1$ is the mapping between real-time traffic and service type. The mapping $f_1$ can be obtained by training on a large amount of known historical traffic and the service types corresponding to that known historical traffic.
In a specific implementation of this application, as shown in Figure 8, the service type recognition model can be implemented with a deep neural network (DNN). In a specific embodiment, the deep neural network includes an input layer, one or more hidden layers, and an output layer.
输入层:Input layer:
假设输入层的输入为实时流量I i,输出和输入相等,即,不对输入进行任何处理。为 了陈述简便,此处假设输入层不作任何处理,但是,在实际应用中,可以对输入层进行归一化等等处理,此处不作具体限定。 Assuming that the input of the input layer is the real-time flow I i , the output and the input are equal, that is, no processing is performed on the input. For simplicity of presentation, it is assumed here that the input layer does not perform any processing. However, in practical applications, the input layer can be normalized and so on, which is not specifically limited here.
隐含层:Hidden layer:
将输入层输出的实时流量I i作为隐含层的输入,假设总共L(L≥2)层隐含层,设Z l表示第l层的输出结果,当l=1时,Z 1=I i,其中,1≤l≤L,那么,第l层和第l+1层之间的关系为: The real-time traffic I i output by the input layer is taken as the input of the hidden layer. Assuming that there are a total of L (L≥2) hidden layers, let Z l denote the output result of the lth layer. When l=1, Z 1 =I i , where 1≤l≤L, then the relationship between the lth layer and the l+1th layer is:
a l+1=W lZ l+b l a l+1 = W l Z l + b l
Z l+1=f l+1(a l+1) Z l+1 = f l+1 (a l+1 )
其中,W l为第l层的权值向量,b l为第l层的偏置向量,a l+1为第l+1层的中间向量,f l+1为第l+1层的激励函数,Z l+1为第l+1层的隐藏层结果。激励函数可以是sigmoid函数,双曲正切函数,Relu函数,ELU(Exponential Linear Units)函数等等中的任意一种。 Among them, W l is the weight vector of the lth layer, b l is the bias vector of the lth layer, a l+1 is the intermediate vector of the l+1th layer, and f l+1 is the excitation of the l+1th layer Function, Z l+1 is the hidden layer result of the l+1th layer. The excitation function can be any of a sigmoid function, a hyperbolic tangent function, a Relu function, an ELU (Exponential Linear Units) function, and so on.
Output layer:
Assuming the output of the $L$-th layer is $Z_L$, feeding $Z_L$ into the softmax function yields the service type:
$$y = \mathrm{softmax}(Z_L)$$
Here, $y$ is the output of the output layer, $Z_L$ is the output of the $L$-th hidden layer, and the softmax function is the classification function. The softmax function is used as the example above, but in practical applications a logistic function or similar may also be used, which is not specifically limited here.
In a specific implementation of this application, the essence of training the service type recognition model can be understood as follows. The work of each layer in the deep neural network can be described by the mathematical expression
Figure PCTCN2020119009-appb-000016
At the physical level, the work of each layer in the deep neural network can be understood as completing the transformation from the input space to the output space (that is, from the row space of the matrix to its column space) through five operations on the input space (the set of input vectors): 1. raising or lowering the dimension; 2. scaling up or down; 3. rotation; 4. translation; 5. "bending". Operations 1, 2 and 3 are performed by
Figure PCTCN2020119009-appb-000017
operation 4 is performed by +b, and operation 5 is performed by a(). The word "space" is used here because the object being classified is not a single thing but a class of things, and the space is the set of all individuals of that class. W is a weight vector, and each value in the vector represents the weight of one neuron in that layer of the neural network. The vector W determines the transformation from the input space to the output space described above, that is, the weight W of each layer controls how the space is transformed. The purpose of training a deep neural network is to finally obtain the weight matrices of all layers of the trained network (the weight matrix formed by the vectors W of many layers). The training process of a neural network is therefore essentially learning how to control the space transformation, and more specifically, learning the weight matrix.
In a specific implementation of this application, the training process of the service type recognition model may be as follows: known historical traffic is input into the service type recognition model to obtain a predicted value, and the known service type is used as the target value that is actually wanted. The predicted value of the current network is compared with the target value, and the weight vector of each layer of the neural network is updated according to the difference between the two (there is usually an initialization process before the first update, in which parameters are pre-configured for each layer of the deep neural network). For example, if the predicted value of the network is too high, the weight vector is adjusted so that the network predicts a lower value, and the adjustment continues until the neural network can predict the target value that is actually wanted. It is therefore necessary to define in advance how to compare the difference between the predicted value and the target value. This is the loss function or objective function, an important equation used to measure the difference between the predicted value and the target value. Taking the loss function as an example, a higher output value (loss) indicates a larger difference, so training the deep neural network becomes the process of reducing this loss as much as possible.
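The layer recurrence, softmax output and loss-driven weight update described above, as an added example that is not code from the patent. The tanh activation, cross-entropy loss, layer sizes, learning rate and the two-feature traffic samples are assumptions constructed for illustration.

```python
import math
import random

def softmax(z):
    """Classification function applied to Z_L (shifted by max(z) for stability)."""
    m = max(z)
    e = [math.exp(v - m) for v in z]
    total = sum(e)
    return [v / total for v in e]

def forward(x, layers):
    """Return [Z_1, ..., Z_L]: Z_1 = x, a_{l+1} = W_l Z_l + b_l, Z_{l+1} = tanh(a_{l+1})."""
    zs = [list(x)]
    for W, b in layers:
        a = [sum(w * z for w, z in zip(row, zs[-1])) + bias for row, bias in zip(W, b)]
        zs.append([math.tanh(v) for v in a])
    return zs

def predict(x, layers):
    """y = softmax(Z_L): one probability per service type."""
    return softmax(forward(x, layers)[-1])

def mean_loss(samples, layers):
    """Cross-entropy between the prediction and the known service type (assumed loss)."""
    return -sum(math.log(predict(x, layers)[t]) for x, t in samples) / len(samples)

def train_step(samples, layers, lr):
    """One full-batch gradient-descent update of every W_l and b_l."""
    grads = [([[0.0] * len(row) for row in W], [0.0] * len(b)) for W, b in layers]
    for x, t in samples:
        zs = forward(x, layers)
        y = softmax(zs[-1])
        # Gradient of the loss with respect to Z_L for softmax + cross-entropy.
        dz = [p - (1.0 if i == t else 0.0) for i, p in enumerate(y)]
        for l in range(len(layers) - 1, -1, -1):
            W, _ = layers[l]
            z_in, z_out = zs[l], zs[l + 1]
            da = [d * (1.0 - zo * zo) for d, zo in zip(dz, z_out)]  # tanh' = 1 - tanh^2
            gW, gb = grads[l]
            for j, d in enumerate(da):
                gb[j] += d
                for k, zi in enumerate(z_in):
                    gW[j][k] += d * zi
            # Propagate the gradient to the previous layer's output Z_l.
            dz = [sum(W[j][k] * da[j] for j in range(len(da))) for k in range(len(z_in))]
    n = len(samples)
    for (W, b), (gW, gb) in zip(layers, grads):
        for j in range(len(b)):
            b[j] -= lr * gb[j] / n
            for k in range(len(W[j])):
                W[j][k] -= lr * gW[j][k] / n

def init_layers(sizes, rng):
    """Initialisation before the first update: small random weights, zero biases."""
    return [([[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_out)],
             [0.0] * n_out)
            for n_in, n_out in zip(sizes, sizes[1:])]

SERVICE_TYPES = ["web", "video"]
# Constructed samples: (normalised request rate, normalised mean response size), label index.
SAMPLES = [
    ((0.90, 0.10), 0), ((0.80, 0.20), 0), ((0.85, 0.15), 0), ((0.75, 0.05), 0),
    ((0.10, 0.90), 1), ((0.20, 0.80), 1), ((0.15, 0.95), 1), ((0.05, 0.85), 1),
]

def train(epochs=1000, lr=0.5, seed=7):
    """Train a 2-4-2 network; return (layers, loss before training, loss after)."""
    rng = random.Random(seed)
    layers = init_layers([2, 4, 2], rng)
    before = mean_loss(SAMPLES, layers)
    for _ in range(epochs):
        train_step(SAMPLES, layers, lr)
    return layers, before, mean_loss(SAMPLES, layers)

def classify(x, layers):
    """Service type with the highest softmax probability."""
    y = predict(x, layers)
    return SERVICE_TYPES[y.index(max(y))]

if __name__ == "__main__":
    trained, loss_before, loss_after = train()
    print(f"loss before={loss_before:.3f} after={loss_after:.3f}")
    print(classify((0.88, 0.12), trained), classify((0.12, 0.88), trained))
```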
Attack traffic can vary enormously, whereas normal access traffic is limited. The above solution trains the service type recognition model on a large amount of known historical traffic and known service types, so that the model learns the rules for identifying the correct service type. It can thus identify normal access traffic and classify request packets that cannot be recognized as normal access traffic as attack traffic, which effectively protects the source station from attack and maintains the security of the whole system. In addition, the most recently identified known historical traffic and known service types can be used online to train the service type recognition model in real time, so that the knowledge base of the model is updated in time.
Because the access traffic belongs to the tenant while the intelligent defense device belongs to the operator, the source station removes the key information from the access traffic before sending it to the intelligent defense device. As a result, even if the intelligent defense device identifies a request packet as attack traffic, where the attack traffic belongs can only be investigated over a wide scope.
To solve this problem, the service type of the abnormal packet can be identified, so that the abnormal packet only needs to be searched for within the service type to which it belongs, which effectively reduces the workload of tracing abnormal packets.
In a specific implementation of this application, the intelligent defense device may further include a data type recognition model, which is used to identify the data type of the attack traffic. In a specific implementation of this application, the second AI model may be expressed as:
$$y_2 = f_2(x)$$
Here, $y_2$ is the data type, $x$ is the attack traffic, and $f_2$ is the mapping between attack traffic and data type. The mapping $f_2$ may be obtained by training on a large amount of known attack traffic and a large number of known data types. The prediction process and training process of the data type recognition model are similar to those of the service type recognition model and are not described further here.
In a specific implementation of this application, the data type recognition model and the service type recognition model may be integrated into the same model.
In the above method, the data type of the attack traffic can be identified by the data type recognition model, so that only the access traffic of that data type needs to be investigated, which greatly reduces the investigation workload.
Refer to FIG. 9, which is a schematic structural diagram of an intelligent defense device provided by this application. As shown in FIG. 9, the intelligent defense device of this application includes a receiving module 310, a prediction module 320, a confirmation module 330, and an alarm module 340.
The receiving module 310 is configured to receive log information sent by a node in the CDN system, where the log information records the URL of the source station and historical traffic information of the source station.
The prediction module 320 is configured to predict a traffic curve of the source station according to the log information, where the traffic curve includes future times and the predicted traffic values at those future times.
The confirmation module 330 is configured to receive real-time traffic information sent by the source station and to confirm, according to the real-time traffic information and the traffic curve, whether the current working state of the source station is normal.
The alarm module 340 is configured to confirm whether the traffic value recorded in the traffic information exceeds the bearing capacity of the source station, to send alarm information if the bearing capacity of the source station is not exceeded, and to notify the nodes in the CDN system to discard the packets of the source station if the bearing capacity of the source station is exceeded.
In a specific implementation of this application, the confirmation module 330 is further configured to obtain the predicted traffic value corresponding to the current moment in the traffic curve, and to confirm that the current working state of the source station is abnormal when the traffic value recorded in the real-time traffic information exceeds the predicted traffic value corresponding to the current moment in the traffic curve.
In a specific implementation of this application, the confirmation module 330 is configured to obtain the predicted traffic value corresponding to the current moment in the traffic curve, and to confirm that the current working state of the source station is normal when the traffic value recorded in the real-time traffic information does not exceed the predicted traffic value corresponding to the current moment in the traffic curve.
In a specific implementation of this application, the confirmation module 330 is configured to determine whether the service type recorded in the real-time traffic information is consistent with the service type information of the source station recorded in the log information, to confirm that the current working state of the source station is normal if the service type information is consistent, and to confirm that the current working state of the source station is abnormal if the service types are inconsistent.
It can be understood that the intelligent defense device shown in FIG. 9 can implement the source station state detection method based on the content delivery network (CDN) system shown in FIG. 6. For brevity, refer to FIG. 6 and the related description; details are not repeated here.
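The decision flow of the receiving, prediction, confirmation and alarm modules described above, as an added example that is not code from the patent. The record fields, the hourly granularity, the per-hour maximum used as a stand-in forecast, the combination of the traffic check and the service type check in one function, and the handling of an hour with no forecast are all assumptions; the log entries are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "none"    # current working state is normal
    ALERT = "alert"  # abnormal, but within the source station's bearing capacity
    DROP = "drop"    # abnormal and over capacity: CDN nodes discard the packets


@dataclass(frozen=True)
class TrafficRecord:
    """One CDN log entry or one real-time report (hypothetical field names)."""
    url: str
    hour: int          # hour of day, 0-23
    mbps: float
    service_type: str


def predict_curve(logs, url):
    """Prediction module: map each hour to a predicted traffic value.

    Stand-in forecast (assumption): the highest value logged for that hour.
    """
    per_hour = defaultdict(list)
    for rec in logs:
        if rec.url == url:
            per_hour[rec.hour].append(rec.mbps)
    return {hour: max(values) for hour, values in per_hour.items()}


def logged_service_types(logs, url):
    """Service types recorded for this source station in the log information."""
    return {rec.service_type for rec in logs if rec.url == url}


def confirm_state(sample, curve, service_types):
    """Confirmation module: reasons the state is abnormal (empty list = normal)."""
    reasons = []
    predicted = curve.get(sample.hour)
    if predicted is None:
        # Not covered by the page; treated as abnormal here (assumption) so a
        # gap in the logs is never silently trusted.
        reasons.append("no predicted value for this hour")
    elif sample.mbps > predicted:
        reasons.append(f"traffic {sample.mbps} exceeds predicted {predicted}")
    if sample.service_type not in service_types:
        reasons.append(f"service type {sample.service_type!r} not in logs")
    return reasons


def decide(sample, logs, capacity_mbps):
    """Alarm module: alert while under capacity, otherwise tell CDN nodes to drop."""
    curve = predict_curve(logs, sample.url)
    reasons = confirm_state(sample, curve, logged_service_types(logs, sample.url))
    if not reasons:
        return Action.NONE, reasons
    if sample.mbps > capacity_mbps:
        return Action.DROP, reasons
    return Action.ALERT, reasons


# Constructed log information for one source station.
URL = "https://origin.example/live"
LOGS = [
    TrafficRecord(URL, 3, 50.0, "video"), TrafficRecord(URL, 3, 60.0, "video"),
    TrafficRecord(URL, 20, 400.0, "video"), TrafficRecord(URL, 20, 450.0, "video"),
]
CAPACITY_MBPS = 1000.0

if __name__ == "__main__":
    for report in (
        TrafficRecord(URL, 20, 430.0, "video"),     # within the forecast
        TrafficRecord(URL, 3, 300.0, "video"),      # above forecast, under capacity
        TrafficRecord(URL, 20, 1500.0, "video"),    # above forecast and capacity
        TrafficRecord(URL, 20, 100.0, "download"),  # service type mismatch
    ):
        action, why = decide(report, LOGS, CAPACITY_MBPS)
        print(report.hour, report.mbps, report.service_type, action.value, why)
```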
Refer to FIG. 10, which is a schematic structural diagram of another intelligent defense device provided by this application. As shown in FIG. 10, the intelligent defense device of this application includes a processing unit 410 and a communication interface 420. The processing unit 410 is configured to execute functions defined by various software programs, for example, to implement the functions of the intelligent defense device. The communication interface 420 is used to communicate and interact with other computing nodes; the other devices may be other physical servers. Specifically, the communication interface 420 may be a network adapter card.
Optionally, the intelligent defense device may further include an input/output interface 430, to which an input/output device is connected for receiving input information and outputting operation results. The input/output interface 430 may be a mouse, a keyboard, a display, an optical drive, or the like. Optionally, the intelligent defense device may also include an auxiliary memory 440, generally also called external storage. The storage medium of the auxiliary memory 440 may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, an optical disc), or a semiconductor medium (for example, a solid-state drive).
Optionally, the intelligent defense device may further include a bus 450. The processing unit 410, the communication interface 420, the input/output interface 430 and the auxiliary memory 440 may be connected through the bus 450. The bus 450 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 450 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one line is used in FIG. 10, but this does not mean that there is only one bus or one type of bus.
The processing unit 410 may be implemented in various specific forms. For example, the processing unit 410 may include a processor 411 and a memory 412, and the processor 411 performs the operations of the embodiment shown in FIG. 6 according to program instructions stored in the memory 412. The processor 411 may be a central processing unit (CPU). The processor may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor. Alternatively, the processor 411 uses one or more integrated circuits to execute the relevant programs so as to implement the technical solutions provided in the embodiments of this application.
It can be understood that the intelligent defense device shown in FIG. 9 can implement the source station state detection method based on the content delivery network (CDN) system shown in FIG. 6. For brevity, refer to FIG. 6 and the related description; details are not repeated here.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line) or wireless means (such as infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a storage disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).

Claims (12)

  1. A method for detecting the state of a source station based on a content delivery network (CDN) system, characterized by comprising:
    receiving log information sent by a node in the CDN system, wherein the log information records the URL of the source station and historical traffic information of the source station;
    predicting a traffic curve of the source station according to the log information, wherein the traffic curve includes future times and predicted traffic values at the future times;
    receiving real-time traffic information sent by the source station, and confirming, according to the real-time traffic information and the traffic curve, whether the current working state of the source station is normal.
  2. The method according to claim 1, characterized in that the receiving real-time traffic information sent by the source station, and confirming, according to the real-time traffic information and the traffic curve, whether the working state of the source station is normal comprises:
    obtaining the predicted traffic value corresponding to the current moment in the traffic curve;
    confirming that the current working state of the source station is abnormal when the traffic value recorded in the real-time traffic information exceeds the predicted traffic value corresponding to the current moment in the traffic curve.
  3. The method according to claim 2, characterized in that, after confirming that the current working state of the source station is abnormal, the method further comprises:
    confirming whether the traffic value recorded in the traffic information exceeds the bearing capacity of the source station; if not, sending alarm information; if so, notifying the nodes in the CDN system to discard the packets of the source station.
  4. The method according to claim 1, characterized in that the receiving real-time traffic information sent by the source station, and confirming, according to the real-time traffic information and the traffic curve, whether the working state of the source station is normal comprises:
    obtaining the predicted traffic value corresponding to the current moment in the traffic curve;
    confirming that the current working state of the source station is normal when the traffic value recorded in the real-time traffic information does not exceed the predicted traffic value corresponding to the current moment in the traffic curve.
  5. The method according to any one of claims 1 to 4, characterized in that the log information further records service type information of the source station, and after receiving the real-time traffic information sent by the source station, the method further comprises:
    determining whether the service type recorded in the real-time traffic information is consistent with the service type information of the source station recorded in the log information; if so, confirming that the current working state of the source station is normal; if not, confirming that the current working state of the source station is abnormal.
  6. An intelligent defense device, characterized by comprising a receiving module, a prediction module, and a confirmation module, wherein
    the receiving module is configured to receive log information sent by a node in the CDN system, wherein the log information records the URL of the source station and historical traffic information of the source station;
    the prediction module is configured to predict a traffic curve of the source station according to the log information, wherein the traffic curve includes future times and predicted traffic values at the future times;
    the confirmation module is configured to receive real-time traffic information sent by the source station, and to confirm, according to the real-time traffic information and the traffic curve, whether the current working state of the source station is normal.
  7. The device according to claim 6, characterized in that the confirmation module is further configured to:
    obtain the predicted traffic value corresponding to the current moment in the traffic curve;
    confirm that the current working state of the source station is abnormal when the traffic value recorded in the real-time traffic information exceeds the predicted traffic value corresponding to the current moment in the traffic curve.
  8. The device according to claim 7, characterized in that the device further comprises an alarm module, and the alarm module is configured to confirm whether the traffic value recorded in the traffic information exceeds the bearing capacity of the source station, to send alarm information if the bearing capacity of the source station is not exceeded, and to notify the nodes in the CDN system to discard the packets of the source station if the bearing capacity of the source station is exceeded.
  9. The device according to claim 6, characterized in that the confirmation module is configured to obtain the predicted traffic value corresponding to the current moment in the traffic curve, and to confirm that the current working state of the source station is normal when the traffic value recorded in the real-time traffic information does not exceed the predicted traffic value corresponding to the current moment in the traffic curve.
  10. The device according to any one of claims 6 to 9, characterized in that the confirmation module is configured to determine whether the service type recorded in the real-time traffic information is consistent with the service type information of the source station recorded in the log information, to confirm that the current working state of the source station is normal if the service type information is consistent, and to confirm that the current working state of the source station is abnormal if the service types are inconsistent.
  11. An intelligent defense device, characterized by comprising a processor and a memory, wherein the processor runs code in the memory to perform the method according to any one of claims 1 to 5.
  12. A readable storage medium, characterized by comprising instructions which, when run on an intelligent defense device, cause the intelligent defense device to perform the method according to any one of claims 1 to 5.
PCT/CN2020/119009 2019-09-30 2020-09-29 Cdn system-based source station state detection method and device WO2021063368A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910942665.7 2019-09-30
CN201910942665.7A CN110753041A (en) 2019-09-30 2019-09-30 Source station state detection method and equipment based on CDN system

Publications (1)

Publication Number Publication Date
WO2021063368A1 true WO2021063368A1 (en) 2021-04-08

Family

ID=69277625

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/119009 WO2021063368A1 (en) 2019-09-30 2020-09-29 Cdn system-based source station state detection method and device

Country Status (2)

Country Link
CN (1) CN110753041A (en)
WO (1) WO2021063368A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500231A (en) * 2022-01-20 2022-05-13 中通服创立信息科技有限责任公司 Early warning method and system for flow fluctuation, electronic equipment and storage medium
CN116599999A (en) * 2023-07-18 2023-08-15 中移(苏州)软件技术有限公司 Method, device and equipment for predicting real-time consumption data of CDN (content delivery network) user

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110753041A (en) * 2019-09-30 2020-02-04 华为技术有限公司 Source station state detection method and equipment based on CDN system
CN112491601B (en) * 2020-11-16 2022-08-30 北京字节跳动网络技术有限公司 Traffic topology generation method and device, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110078230A1 (en) * 2009-09-25 2011-03-31 Emilio Sepulveda Method and system for providing a cdn with granular quality of service
CN102801792A (en) * 2012-07-26 2012-11-28 华南理工大学 Statistical-prediction-based automatic cloud CDN (Content Delivery Network) resource automatic deployment method
CN106656662A (en) * 2016-12-07 2017-05-10 乐视控股(北京)有限公司 Method and system for determining abnormal bandwidth, and electronic device
CN107959640A (en) * 2016-10-14 2018-04-24 腾讯科技(深圳)有限公司 Network dispatching method and device
CN110753041A (en) * 2019-09-30 2020-02-04 华为技术有限公司 Source station state detection method and equipment based on CDN system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101466124A (en) * 2007-12-19 2009-06-24 中国移动通信集团公司 Control method and system for network bandwidth
CN101729301B (en) * 2008-11-03 2012-08-15 中国移动通信集团湖北有限公司 Monitor method and monitor system of network anomaly traffic
US9537973B2 (en) * 2012-11-01 2017-01-03 Microsoft Technology Licensing, Llc CDN load balancing in the cloud
CN105593837B8 (en) * 2013-07-03 2020-07-07 爱立信股份有限公司 System and method for delivering content in a content delivery network
CN106911511B (en) * 2017-03-10 2019-09-13 网宿科技股份有限公司 A kind of means of defence and system of CDN client source station
CN108429651B (en) * 2018-06-06 2022-02-25 腾讯科技(深圳)有限公司 Flow data detection method and device, electronic equipment and computer readable medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500231A (en) * 2022-01-20 2022-05-13 中通服创立信息科技有限责任公司 Early warning method and system for flow fluctuation, electronic equipment and storage medium
CN114500231B (en) * 2022-01-20 2023-07-25 中通服创立信息科技有限责任公司 Early warning method and system for flow fluctuation, electronic equipment and storage medium
CN116599999A (en) * 2023-07-18 2023-08-15 中移(苏州)软件技术有限公司 Method, device and equipment for predicting real-time consumption data of CDN (content delivery network) user
CN116599999B (en) * 2023-07-18 2023-10-10 中移(苏州)软件技术有限公司 Method, device and equipment for predicting real-time consumption data of CDN (content delivery network) user

Also Published As

Publication number Publication date
CN110753041A (en) 2020-02-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20871536

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20871536

Country of ref document: EP

Kind code of ref document: A1