CN109462586A - Flow monitoring method, device and execute server - Google Patents
- Publication number
- CN109462586A (CN201811327450.6A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a traffic monitoring method, a traffic monitoring device and an execution server, and relates to the technical field of communication processing. In the method, a scheduling server receives an uplink traffic data packet sent by a user terminal and sends the uplink traffic data packet to an execution server; the execution server checks the uplink traffic data packet according to a preset check rule to determine whether it is abnormal; if it is not abnormal, the execution server sends a reply data packet corresponding to the uplink traffic data packet to the user terminal. Because the execution server monitors only the uplink traffic data packets that the scheduling server obtains from the user terminal, that is, only the uplink traffic of the user terminal, and does not monitor the downlink traffic data of the user terminal, the amount of data to be processed is reduced. This saves storage space in the service system, relieves the pressure of traffic monitoring on the service system, and helps improve the efficiency of traffic monitoring.
Description
Technical Field
The invention relates to the technical field of communication data processing, in particular to a traffic monitoring method, a traffic monitoring device and an execution server.
Background
In the field of traffic security, transmitted traffic generally includes abnormal traffic; if the abnormal traffic is not filtered, the server or the client is easily attacked and cannot operate normally. Traffic is usually monitored on the server side. The traditional method analyzes the mass traffic after the uplink and downlink traffic has been completely reassembled. Because the downlink traffic is usually several times (for example, 10 times) the uplink traffic, the traditional method seriously consumes the memory resources of the server and the computing resources of the processor during reassembly, which reduces the processing efficiency of traffic monitoring.
Disclosure of Invention
In order to overcome the above-mentioned deficiencies in the prior art, the present invention provides a traffic monitoring method, a traffic monitoring device, and an execution server, which can reduce the consumption of storage space and computing resources of the server, and are helpful for improving the efficiency of traffic monitoring.
In order to achieve the above object, the technical solutions provided by the embodiments of the present invention are as follows:
in a first aspect, an embodiment of the present invention provides a traffic monitoring method, which is applied to a distributed service system including a scheduling server and at least one execution server, where the method includes:
the scheduling server receives an uplink flow data packet sent by a user terminal and sends the uplink flow data packet to an execution server;
the execution server checks the uplink flow data packet according to a preset check rule to determine whether the uplink flow data packet is abnormal or not;
and if not, the execution server sends a reply data packet corresponding to the uplink flow data packet to the user terminal.
Optionally, the execution server checks the uplink traffic data packet according to the preset check rule in at least one of the following manners:
based on the transmission control protocol corresponding to the uplink traffic data packet, the execution server performs a field check and/or a flag check and/or a load data check on the uplink traffic data packet, wherein the uplink traffic data packet is determined to be abnormal when any one of the field check, the flag check and the load data check fails; or
based on the source IP corresponding to the uplink traffic data packet, the execution server checks the byte size or the number of requests of the uplink traffic data packets sent by the user terminal corresponding to the same source IP, wherein the uplink traffic data packet is determined to be abnormal when, within a preset time period, the byte size or the number of requests of the uplink traffic data packets sent by the user terminal corresponding to the same source IP is not within a preset traffic threshold range, or when the number of requests exceeds a preset number.
Optionally, the verifying, by the execution server, the uplink traffic data packet according to a preset verification rule includes:
determining whether the transmission channel that carries the uplink traffic data between the distributed service system and the user terminal has completed the three-way handshake of a transmission control protocol connection;
when the transmission channel has completed the three-way handshake of the transmission control protocol connection, the execution server determines whether the throughput rate at which the transmission channel transmits the uplink traffic data packet is within a preset throughput rate range, and determines that the uplink traffic data packet is abnormal when the throughput rate is not within the preset throughput rate range; or,
when the transmission channel has not completed the three-way handshake of the transmission control protocol connection, the execution server determines whether the uplink traffic data packet is abnormal according to the transmission rate of the transmission channel and the byte size of the uplink traffic data packets transmitted within a preset duration, wherein the uplink traffic data packet is determined to be abnormal when the transmission rate is not within a preset transmission rate range or the byte size of the uplink traffic data packets transmitted within the preset duration is not within a preset traffic threshold range.
Optionally, the method further includes: and when the uplink flow data packet is determined to be abnormal, the execution server discards the uplink flow data packet.
Optionally, before sending the upstream traffic data packet to an execution server, the method further includes:
and the scheduling server determines a target execution server from at least one execution server according to a preset equilibrium strategy, wherein the target execution server is used for receiving the uplink traffic data packet sent by the scheduling server.
Optionally, before the executing server checks the uplink traffic data packet according to a preset checking rule, the method further includes:
and the execution server analyzes the uplink traffic data packet according to a preset analysis rule and obtains an analyzed field to check the uplink traffic data packet.
In a second aspect, an embodiment of the present invention provides a traffic monitoring apparatus, which is applied to a distributed service system including a scheduling server and at least one execution server, where the apparatus includes:
the receiving unit is used for receiving an uplink flow data packet sent by a user terminal and sending the uplink flow data packet to an execution server;
the verification unit is used for verifying the uplink traffic data packet according to a preset verification rule so as to determine whether the uplink traffic data packet is abnormal or not;
and the sending unit is used for sending a reply data packet corresponding to the uplink flow data packet to the user terminal when the verification unit determines that the uplink flow data packet is not abnormal.
Optionally, the check unit is further configured to:
based on the transmission control protocol corresponding to the uplink traffic data packet, perform a field check and/or a flag check and/or a load data check on the uplink traffic data packet, wherein the uplink traffic data packet is determined to be abnormal when any one of the field check, the flag check and the load data check fails; or
based on the source IP corresponding to the uplink traffic data packet, check the byte size or the number of requests of the uplink traffic data packets sent by the user terminal corresponding to the same source IP, wherein the uplink traffic data packet is determined to be abnormal when, within a preset time period, the byte size or the number of requests of the uplink traffic data packets sent by the user terminal corresponding to the same source IP is not within a preset traffic threshold range, or when the number of requests exceeds a preset number.
In a third aspect, an embodiment of the present invention provides an execution server, including:
a storage module;
a processing module; and
a flow monitoring device including one or more software functional modules stored in the memory module and executed by the processing module, the flow monitoring device comprising:
the receiving unit is used for receiving an uplink flow data packet sent by a user terminal and sending the uplink flow data packet to an execution server;
the verification unit is used for verifying the uplink traffic data packet according to a preset verification rule so as to determine whether the uplink traffic data packet is abnormal or not;
and the sending unit is used for sending a reply data packet corresponding to the uplink flow data packet to the user terminal when the verification unit determines that the uplink flow data packet is not abnormal.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored, and when the computer program runs on a computer, the computer is caused to execute the above-mentioned flow monitoring method.
Compared with the prior art, the traffic monitoring method, the traffic monitoring device and the execution server provided by the invention at least have the following beneficial effects: the method comprises the steps that an uplink flow data packet sent by a user terminal is received through a scheduling server, and the uplink flow data packet is sent to an execution server; the execution server checks the uplink flow data packet according to a preset check rule to determine whether the uplink flow data packet is abnormal or not; and if not, the execution server sends a reply data packet corresponding to the uplink flow data packet to the user terminal. The execution server only monitors the uplink flow data packet acquired by the scheduling server from the user terminal, namely the execution server only monitors the uplink flow of the user terminal, the downlink flow data of the user terminal does not need to be monitored, and the data processing amount is reduced, so that the storage space of a service system can be saved, the pressure of the flow monitoring processing of the service system is reduced, and the efficiency of the flow monitoring processing is improved.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. The following drawings depict only some embodiments of the invention and are therefore not to be considered limiting of its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic diagram of interaction between an execution server, a scheduling server, and a user terminal according to an embodiment of the present invention.
Fig. 2 is a block diagram of an execution server according to an embodiment of the present invention.
Fig. 3 is a schematic flow chart of a flow monitoring method according to an embodiment of the present invention.
Fig. 4 is a schematic block diagram of a flow monitoring device according to an embodiment of the present invention.
Reference numerals: 10-execution server; 11-processing module; 12-communication module; 13-storage module; 20-scheduling server; 30-user terminal; 100-flow monitoring device; 110-receiving unit; 120-verification unit; 130-sending unit.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It is to be understood that the described embodiments are merely a few embodiments of the invention, and not all embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Furthermore, the terms "first," "second," and the like are used merely to distinguish one description from another, and are not to be construed as indicating or implying relative importance.
In the field of traffic security, an existing server analyzes and monitors both uplink traffic and downlink traffic to determine whether abnormal traffic is included. The data volume of the uplink and downlink traffic is large, and the downlink traffic is usually several times the uplink traffic. The server therefore has a large volume of traffic to monitor, which occupies its storage space and consumes considerable computing resources, resulting in low efficiency in processing the traffic monitoring data.
The following describes embodiments of the present invention in detail with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, an interaction diagram of an execution server 10, a scheduling server 20 and a user terminal 30 according to an embodiment of the present invention is shown. The distributed service system provided by the embodiment of the invention may comprise a scheduling server 20 and at least one execution server 10, wherein the scheduling server 20 establishes a communication connection with the at least one execution server 10 through a network for data interaction. The scheduling server 20 establishes a communication connection with at least one user terminal 30 through a network for data interaction. The target execution server 10 among the at least one execution server 10 establishes a communication connection with the user terminal 30 through the network for data interaction. The distributed service system may be a load balancing service system and may be configured to execute each step of the following traffic monitoring method, so that traffic monitoring occupies less storage space, consumes fewer computing resources (which may be understood as a lower central processing unit usage rate), and is processed more efficiently.
Fig. 2 is a block diagram of an execution server 10 according to an embodiment of the present invention. In this embodiment, the execution server 10 may include a processing module 11, a communication module 12, a storage module 13, and a flow monitoring device 100, and the processing module 11, the communication module 12, the storage module 13, and the flow monitoring device 100 are electrically connected directly or indirectly to implement data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
Fig. 3 is a schematic flow chart of a traffic monitoring method according to an embodiment of the present invention. The traffic monitoring method provided by the embodiment of the invention can be applied to the distributed service system, and each step of the traffic monitoring method is realized by the scheduling server 20 and the execution server 10, so that the occupation of the storage space of the system can be reduced on the basis of realizing traffic monitoring, and the processing efficiency of the system on traffic monitoring can be improved.
In this embodiment, the flow monitoring method may include the following steps:
step S210, the scheduling server 20 receives the uplink traffic data packet sent by the user terminal 30, and sends the uplink traffic data packet to the execution server 10;
step S220, the execution server 10 checks the uplink traffic data packet according to a preset check rule to determine whether the uplink traffic data packet is abnormal;
step S230, if the uplink traffic data packet is not abnormal, the execution server 10 sends a reply data packet corresponding to the uplink traffic data packet to the user terminal 30.
The steps of the flow monitoring method shown in fig. 3 will be described in detail below:
in step S210, the scheduling server 20 receives the uplink traffic data packet sent by the user terminal 30, and sends the uplink traffic data packet to the execution server 10.
In this embodiment, the uplink traffic data packet that the scheduling server 20 receives from the user terminal 30 can be understood as uplink data sent by the user terminal 30. Data transmitted to the user terminal 30 by the scheduling server 20 or by other servers can be understood as the downlink data of the user terminal 30. Generally, the byte volume of the downlink data of the user terminal 30 is several times that of its uplink data. In a massive traffic environment, this embodiment performs traffic monitoring only on the uplink data of the user terminal 30. This reduces the amount of data to be processed, reduces the storage space the system needs for uplink traffic data packets, and saves computing power of the central processing unit, so that the processing efficiency of the execution server 10 and the scheduling server 20 is improved and a breakdown caused by an excessive amount of data processing is avoided.
The uplink traffic data packet includes, but is not limited to, a TCP (Transmission Control Protocol) data packet, an IP (Internet Protocol) data packet, and may be a data packet formed by recombining data packets. Specifically, the uplink traffic data packet may be a data packet sent by the user terminal 30 to the scheduling server 20 for requesting a service. The request service may be set according to actual situations, including but not limited to a video downloading request, a news acquisition request, a text acquisition request, a picture acquisition request, and the like, where the uplink traffic data is not specifically limited.
Optionally, before sending the upstream traffic data packet to the execution server 10, the method may further include: the scheduling server 20 determines a target execution server 10 from at least one execution server 10 according to a preset equalization strategy, wherein the target execution server 10 is configured to receive an uplink traffic data packet sent by the scheduling server 20.
In this embodiment, the preset equalization strategy may be set according to the actual situation. For example, the one or more execution servers 10 with the lowest central processor usage may be selected as the target execution server 10. Alternatively, if there are many uplink traffic data packets, the scheduling server 20 may send them to the execution servers 10 one after another in a preset order, one uplink traffic data packet per execution server 10; the execution server 10 to which the scheduling server 20 sends a given uplink traffic data packet is the target execution server 10. The scheduling server 20 then sends the uplink traffic data packet to the target execution server 10, which processes it accordingly. For example, the target execution server monitors the security of the uplink traffic data packet; if the packet is judged safe, it responds to the corresponding request and feeds the response content directly back to the user terminal 30. The response content does not need to be sent to the user terminal 30 through the scheduling server 20, which reduces the pressure on the scheduling server 20. This helps balance the load across the execution servers 10 in a distributed deployment and avoids the situation in which some execution servers 10 are under so much pressure because of load imbalance that they cannot run normally.
In step S220, the execution server 10 checks the uplink traffic data packet according to a preset check rule to determine whether the uplink traffic data packet is abnormal.
In this embodiment, the preset check rule may be set according to the actual situation, as long as it allows the security of the uplink traffic data packet to be monitored. Based on this, the execution server 10 may determine whether the uplink traffic data packet is part of a DDoS (Distributed Denial of Service) attack.
For example, step S220 may be implemented in at least one of the following ways:
based on a transmission control protocol corresponding to the uplink traffic data packet, the execution server 10 performs field verification and/or flag verification and/or load data verification on the uplink traffic data, wherein when any one of the field verification, the flag verification and the load data verification fails, it is determined that the uplink traffic data packet is abnormal.
Or, based on the source IP corresponding to the uplink traffic data packet, the execution server 10 checks the byte size or the request number of the uplink traffic data packet sent by the user terminal 30 corresponding to the same source IP, where in a preset time period, the byte size or the request number of the uplink traffic data packet sent by the user terminal 30 corresponding to the same source IP is not within a preset traffic threshold range, or when the request number exceeds the preset number, it is determined that the uplink traffic data packet is abnormal.
The field check, the flag check and the load data check can be used to check the validity of the uplink traffic data packet against its transmission protocol. The principle of the field check may include: determining whether preset fields in the uplink traffic data packet conflict. For example, if the source IP address of the uplink traffic data packet is the same as the destination IP address, the IP addresses (preset fields) conflict; or, if the source port number and the destination port number are the same port of the same device, the ports conflict. In either case the field check of the uplink traffic data packet fails, that is, the uplink traffic data packet is an abnormal data packet. The preset fields may be set according to actual conditions and are not specifically limited herein.
The principle of the flag check may include: extracting the preset flags from the uplink traffic data packet and then determining whether those flags indicate that the uplink traffic data packet is abnormal. For example, if a TCP packet (uplink traffic data packet) has both the SYN flag and the FIN flag set, the TCP packet is determined to be an abnormal packet. The preset flags are flags identified in advance for the uplink traffic data packet; they may be set according to the actual situation and are not specifically limited herein.
The principle of the load data check may include: an uplink traffic data packet usually includes payload data. For normal payload data, the corresponding content can be parsed; for abnormal payload data, the content cannot be parsed. For example, for the HTTP and HTTPS protocols, which are based on TCP, the TCP payload data is regular and can be parsed to obtain some fields; if parsing the payload data yields a value of 0xff, the uplink traffic data packet is treated as abnormal data.
Examples of abnormal packets include: packets in which all six flag bits are 1; packets in which all six flag bits are 0; packets in which the SYN and FIN flag bits are both 1; packets in which the SYN and RST flag bits are both 1; packets in which the FIN and RST flag bits are both 1; packets in which the PSH, FIN and URG flag bits are all 1; packets in which only the FIN flag bit is 1; packets in which only the PSH flag bit is 1; packets in which only the URG flag bit is 1; SYN and SYN-ACK packets that carry a payload; and fragmented packets with the SYN, RST and FIN flag bits set to 1.
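The field, flag and load data checks described above can be sketched as a single per-packet validator. This is an added example, not code from the patent: the function names, the choice of port 80 and the HTTP method list are assumptions, the load data check assumes the caller knows the packet is the first data segment of a request, and the fragmented-packet rule is left out because it needs reassembly context.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SIX_FLAGS = 0x3F                    # the six classic TCP flag bits
XMAS = PSH | FIN | URG
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Flag combinations the description lists as abnormal (fragment rule omitted).
FLAG_RULES = [
    ("all six flag bits set", lambda f: f == SIX_FLAGS),
    ("no flag bits set", lambda f: f == 0),
    ("SYN and FIN both set", lambda f: f & SYN and f & FIN),
    ("SYN and RST both set", lambda f: f & SYN and f & RST),
    ("FIN and RST both set", lambda f: f & FIN and f & RST),
    ("PSH, FIN and URG all set", lambda f: (f & XMAS) == XMAS),
    ("only FIN set", lambda f: f == FIN),
    ("only PSH set", lambda f: f == PSH),
    ("only URG set", lambda f: f == URG),
]


def parse_ipv4_tcp(pkt):
    """Extract the fields the checks need from a raw IPv4+TCP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, offset_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (offset_byte >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport,
            "flags": flags & SIX_FLAGS, "payload": tcp[data_off:]}


def check_packet(pkt, first_data_segment=False):
    """Return the list of failed checks; an empty list means 'not abnormal'."""
    try:
        p = parse_ipv4_tcp(pkt)
    except ValueError as exc:
        return [f"parse: {exc}"]
    reasons = []
    # Field check: conflicting addresses, then conflicting ports on one device.
    if p["src"] == p["dst"]:
        reasons.append("field: source IP equals destination IP")
        if p["sport"] == p["dport"]:
            reasons.append("field: source and destination port are the same")
    # Flag check.
    f = p["flags"]
    reasons += [f"flag: {name}" for name, rule in FLAG_RULES if rule(f)]
    if p["payload"] and f in (SYN, SYN | ACK):
        reasons.append("flag: SYN or SYN-ACK carrying payload")
    # Load data check (assumption: HTTP on port 80, first data segment only).
    elif (first_data_segment and p["payload"] and p["dport"] == 80
          and not p["payload"].startswith(HTTP_METHODS)):
        reasons.append("payload: not a parseable HTTP request")
    return reasons


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample packet; checksums are left at zero and not verified."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    client, server = "203.0.113.5", "198.51.100.10"   # documentation addresses
    for label, pkt in [
        ("plain SYN", build_packet(client, server, 40000, 80, SYN)),
        ("SYN+FIN", build_packet(client, server, 40000, 80, SYN | FIN)),
        ("same address and port", build_packet(server, server, 80, 80, SYN)),
    ]:
        print(label, "->", check_packet(pkt) or "ok")
```

The SYN-with-payload rule as listed also matches TCP Fast Open, which legitimately carries data in the SYN, so a deployment that enables Fast Open needs an exception for it.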
Optionally, step S220 may include: determining whether the transmission channel that carries uplink traffic data between the distributed service system and the user terminal 30 has completed the three-way handshake of a transmission control protocol connection.
When the transmission channel has completed the three-way handshake of the TCP connection, the execution server 10 determines whether the throughput rate at which the transmission channel transmits the uplink traffic data packet (the unit of the throughput rate may be packets per second (PPS)) is within a preset throughput rate range, and determines that the uplink traffic data packet is abnormal when the throughput rate is not within the preset throughput rate range. The preset throughput rate range may be set according to actual situations and is not specifically limited herein.
Or, when the transmission channel has not completed the three-way handshake of the TCP connection, the execution server 10 determines whether the uplink traffic data packet is abnormal according to the transmission rate of the transmission channel and the byte size of the uplink traffic data packets transmitted within a preset duration, wherein the uplink traffic data packet is determined to be abnormal when the transmission rate is not within a preset transmission rate range or the byte size of the uplink traffic data packets transmitted within the preset duration is not within a preset traffic threshold range. The preset duration, the preset transmission rate range and the preset traffic threshold range may be set according to actual conditions and are not specifically limited herein.
In the present embodiment, the three-way handshake may be a three-way handshake between the user terminal 30 and the scheduling server 20. Understandably, on the basis of the three-way handshake, if it is detected that the total bytes of the uplink traffic data packet exceed the preset traffic threshold range within the preset duration, it usually means that a DDoS attack exists currently, and the uplink traffic data in the period may be regarded as abnormal data.
The three-way handshake negotiates how to track the data volume sent each time, synchronizes the sending and receiving of the data segments, determines the data confirmation number according to the received data volume and when to cancel the contact after the data sending and receiving are finished, and establishes the virtual connection.
Specifically, for example, the first handshake: when establishing a connection, the user terminal 30 sends a SYN packet (SYN = j) to the scheduling server 20, enters the SYN_SENT state, and waits for confirmation from the scheduling server 20. SYN stands for Synchronize Sequence Numbers.
Second handshake: when the scheduling server 20 receives the SYN packet, it must acknowledge the SYN of the user terminal 30 (ACK = j + 1) and send a SYN packet of its own (SYN = k), that is, a SYN + ACK packet; the scheduling server 20 then enters the SYN_RECV state.
Third handshake: the user terminal 30 receives the SYN + ACK packet from the scheduling server 20 and sends an acknowledgement packet (ACK = k + 1) to the scheduling server 20. When this packet has been sent, the user terminal 30 and the scheduling server 20 enter the ESTABLISHED state, and the three-way handshake is complete. After the three-way handshake is complete, the user terminal 30 and the scheduling server 20 start to transmit data; for example, the user terminal 30 transmits uplink traffic data to the scheduling server 20 through the transmission channel established by the three-way handshake.
Optionally, before step S220, the method further comprises:
the execution server 10 parses the uplink traffic data packet according to a preset parsing rule and obtains the parsed fields with which to check the uplink traffic data packet.
Optionally, in this embodiment, the traffic may also be monitored based on reassembled TCP uplink traffic packets.
The preset parsing rule may be set according to the actual situation, so that the execution server 10 parses the required fields from the uplink traffic data packet. For example, the execution server 10 may parse five fields (collectively referred to as a five-tuple), namely the source address, destination address, source port, destination port, and protocol number, from the uplink traffic data packet, and process the five-tuple through a hash function to obtain a unique hash value, which is used as the unique identifier of a session. A TCP SYN packet marks the start of reassembly, and the data carried in the session is continuously added to the corresponding session table. A TCP FIN or RST packet marks the end of reassembly; if the connection is a long-lived TCP connection, session reassembly is triggered by a timing-wheel timeout mechanism. A session can be understood as the process of monitoring the uplink traffic data. The session table may be used to record the detection result and the progress of each piece of uplink traffic data.
In addition, the timeout mechanism can be understood as follows: the pre-constructed data structure is driven by the data packets (uplink traffic data packets) of a TCP connection, and when no data packet arrives on the connection within a specified time (which can be set according to the actual situation), the corresponding TCP connection is removed from the session table. This solves the problem that scheduling large batches of periodic real-time tasks is slow because of long waiting times.
The time complexity of the scheduling algorithm of the optimized abstract structure is O(1), which resolves the difficulty of scheduling large batches of periodic real-time tasks in a production environment. Here, O(1) may represent the complexity of the hash table, which may be understood as constant-order complexity, i.e., a low complexity.
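A packet-driven timing wheel of the kind described above, as an added example rather than the patent's own implementation: each arriving packet advances the wheel to its timestamp and re-arms the idle timer of its connection in constant time. The class name, slot count, tick length and timestamps are assumptions.

```python
import math


class TimingWheel:
    """Idle-timeout tracker: re-arming a connection's timer is O(1)."""

    def __init__(self, slots, tick, timeout):
        self.timeout_ticks = math.ceil(timeout / tick)
        if not 1 <= self.timeout_ticks <= slots:
            raise ValueError("timeout must fit within one wheel revolution")
        self.slots = [set() for _ in range(slots)]
        self.tick = tick
        self.where = {}          # session id -> slot that holds its timer
        self.now_tick = 0

    def touch(self, sid):
        """(Re)arm the idle timer for a session that just sent a packet."""
        old = self.where.get(sid)
        if old is not None:
            self.slots[old].discard(sid)
        slot = (self.now_tick + self.timeout_ticks) % len(self.slots)
        self.slots[slot].add(sid)
        self.where[sid] = slot

    def advance_to(self, ts):
        """Move the wheel to timestamp ts; return sessions that timed out."""
        target = int(ts // self.tick)
        expired = []
        if target - self.now_tick >= len(self.slots):
            # A whole revolution has passed: every armed timer is stale.
            for bucket in self.slots:
                expired.extend(bucket)
                bucket.clear()
            self.where.clear()
            self.now_tick = target
            return sorted(expired)
        while self.now_tick < target:
            self.now_tick += 1
            bucket = self.slots[self.now_tick % len(self.slots)]
            for sid in bucket:
                del self.where[sid]
            expired.extend(sorted(bucket))
            bucket.clear()
        return expired

    def on_packet(self, ts, sid):
        """Packet arrival drives the wheel, then refreshes the session."""
        expired = self.advance_to(ts)
        self.touch(sid)
        return expired


def run_wheel_demo():
    """Constructed arrivals: 'b' goes quiet after t=1.0 and is evicted."""
    wheel = TimingWheel(slots=8, tick=1.0, timeout=3.0)
    evictions = []
    for ts, sid in [(0.0, "a"), (1.0, "b"), (2.0, "a"), (4.5, "c")]:
        evictions.append(wheel.on_packet(ts, sid))
    return wheel, evictions


if __name__ == "__main__":
    wheel, evictions = run_wheel_demo()
    print(evictions, sorted(wheel.where))
```

The caller removes each returned session identifier from the session table; a FIN or RST would remove the entry directly instead of waiting for the timer.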
The principle of analyzing the reassembled data packets to realize traffic monitoring can be as follows:
Calculating the downlink data volume: packets in the uplink direction whose payload length is 0 (other than the packets of the three-way handshake) are acknowledgement (ACK) packets for downlink data, and the downlink data size is the difference between the ACK numbers of the first packet and the last packet.
Calculating the uplink data volume: packets in the uplink direction whose payload length is greater than 0 are pure uplink data sent by the user client. The data is occasionally sent in segments, in which case the sizes of the segments are accumulated to obtain the total uplink traffic.
After the uplink or downlink data size is determined, it may be compared with the corresponding preset threshold; for example, if the uplink traffic exceeds a preset traffic value, the traffic is considered abnormal.
In addition, it may also be determined whether the data in one session satisfies certain conditions. For example, if a TCP connection is established but no data is transmitted within a predetermined time, or if pure data starts to be transmitted before a connection is established, the traffic is abnormal.
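The session accounting described above, carried through on uplink-only packets, as an added example that is not code from the patent. The class and field names, the thresholds and the constructed packets are assumptions, as is taking the ACK number of the handshake's final ACK as the first value for the downlink difference.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def session_id(five_tuple):
    """Hash (src, sport, dst, dport, proto) into a session identifier."""
    key = "|".join(str(part) for part in five_tuple).encode()
    return hashlib.blake2b(key, digest_size=8).hexdigest()


@dataclass
class Session:
    state: str = "new"                    # new -> syn_seen -> established
    established_at: float = 0.0
    uplink_bytes: int = 0
    first_ack: Optional[int] = None
    last_ack: Optional[int] = None
    anomalies: list = field(default_factory=list)

    def flag(self, reason):
        if reason not in self.anomalies:
            self.anomalies.append(reason)

    @property
    def downlink_bytes(self):
        if self.first_ack is None:
            return 0
        return (self.last_ack - self.first_ack) % 2**32   # handles wraparound


class SessionTable:
    def __init__(self, max_uplink_bytes, idle_limit):
        self.max_uplink_bytes = max_uplink_bytes
        self.idle_limit = idle_limit
        self.sessions = {}     # open sessions, keyed by five-tuple hash
        self.finished = {}     # sessions closed by FIN or RST

    def feed(self, ts, five_tuple, flags, ack, payload_len):
        sid = session_id(five_tuple)
        s = self.sessions.setdefault(sid, Session())
        closing = flags & (FIN | RST)
        if flags & SYN and not flags & ACK:
            s.state = "syn_seen"                       # start of reassembly
        elif (s.state == "syn_seen" and flags & ACK
              and payload_len == 0 and not closing):
            s.state, s.established_at = "established", ts
            s.first_ack = s.last_ack = ack             # assumed baseline
        elif payload_len > 0:
            if s.state != "established":
                s.flag("payload sent before the handshake completed")
            s.uplink_bytes += payload_len              # segments accumulate
            if s.uplink_bytes > self.max_uplink_bytes:
                s.flag("uplink volume above the preset threshold")
        elif flags & ACK and s.state == "established":
            s.last_ack = ack                           # pure ACK of downlink
        if closing:
            self.finished[sid] = self.sessions.pop(sid)   # end of reassembly
        return s

    def sweep(self, now):
        """Flag connections that were established but never carried data."""
        flagged = []
        for sid, s in self.sessions.items():
            quiet = s.uplink_bytes == 0 and s.downlink_bytes == 0
            if (s.state == "established" and quiet
                    and now - s.established_at > self.idle_limit):
                s.flag("established but no data within the preset time")
                flagged.append(sid)
        return flagged


# Constructed uplink packets: (timestamp, five-tuple, flags, ack, payload_len)
A = ("192.0.2.10", 40000, "198.51.100.20", 443, 6)
B = ("203.0.113.7", 51000, "198.51.100.20", 443, 6)
C = ("203.0.113.9", 52000, "198.51.100.20", 443, 6)
CONSTRUCTED_UPLINK = [
    (0.00, A, SYN, 0, 0), (0.05, A, ACK, 5001, 0),
    (0.10, A, ACK | PSH, 5001, 300), (0.30, A, ACK, 6461, 0),
    (0.50, A, ACK, 9381, 0), (0.60, A, FIN | ACK, 9381, 0),
    (1.00, B, ACK | PSH, 1, 1200),
    (2.00, C, SYN, 0, 0), (2.10, C, ACK, 7001, 0),
]


def run_demo():
    table = SessionTable(max_uplink_bytes=1000, idle_limit=30.0)
    for packet in CONSTRUCTED_UPLINK:
        table.feed(*packet)
    table.sweep(now=40.0)
    return table
```

The table keys on the hash alone, so two five-tuples that collide would share one entry; storing the tuple beside the counters makes such a collision detectable.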
In step S230, if the uplink traffic data packet is not abnormal, the execution server 10 sends a reply packet corresponding to the uplink traffic data packet to the user terminal 30.
Understandably, if the uplink traffic data packet is a normal data packet (not an abnormal data packet), the execution server 10 performs the corresponding processing according to the content of the uplink traffic data packet. For example, if the uplink traffic data packet is in substance a request from the user terminal 30 to download a video, the execution server 10 responds to the request, acquires the video from the server that hosts the video source, and then sends the video content directly to the user terminal 30. Unlike the prior art, there is no need to perform traffic security monitoring on the video content and send it to the user terminal 30 through the scheduling server 20, so the data processing load of the execution server 10 and the scheduling server 20 is reduced and the efficiency of traffic monitoring is improved.
Optionally, the method further comprises: when it is determined that the uplink traffic data packet is abnormal, the execution server 10 discards the uplink traffic data packet.
Understandably, if the uplink traffic data packet is an abnormal data packet, the execution server 10 discards it directly, so that the abnormal data packet cannot attack the execution server 10 and prevent it from operating normally. For example, if the uplink traffic data packet is determined to be part of a DDoS attack, it is discarded, which improves the security of the execution server 10.
Fig. 4 is a block diagram of a flow monitoring device 100 according to an embodiment of the present invention. The traffic monitoring device 100 provided by the embodiment of the present invention can be applied to the distributed service system, and is used for executing each step of the traffic monitoring method, so that in the traffic monitoring process, the occupation of the system storage space can be reduced, the consumption of the computing resources can be reduced, and the processing efficiency of the traffic monitoring can be improved. The traffic monitoring apparatus 100 may include a receiving unit 110, a verifying unit 120, and a sending unit 130.
The receiving unit 110 is configured to receive an uplink traffic data packet sent by the user terminal 30, and send the uplink traffic data packet to the execution server 10.
The checking unit 120 is configured to check the uplink traffic data packet according to a preset checking rule, so as to determine whether the uplink traffic data packet is abnormal.
Optionally, the verification unit 120 is further configured to: based on the transmission control protocol corresponding to the uplink traffic data packet, have the execution server 10 perform field verification and/or flag verification and/or payload data verification on the uplink traffic data, wherein the uplink traffic data packet is determined to be abnormal when any one of the field verification, the flag verification and the payload data verification fails. Alternatively, based on the source IP corresponding to the uplink traffic data packet, the execution server 10 checks the byte size or the number of requests of the uplink traffic data packets sent by the user terminal 30 corresponding to the same source IP, wherein the uplink traffic data packet is determined to be abnormal when, within a preset time period, the bytes of the uplink traffic data packets sent by the user terminal 30 corresponding to the same source IP are not within a preset traffic threshold range, or the number of requests exceeds a preset number.
Optionally, the verification unit 120 is further configured to: determine whether the transmission channel that carries uplink traffic data between the distributed service system and the user terminal 30 has completed the three-way handshake of a TCP connection. When the transmission channel has completed the TCP three-way handshake, the execution server 10 determines whether the throughput rate at which the channel carries the uplink traffic data packets is within the preset throughput rate range, and determines that the uplink traffic data packet is abnormal when the throughput rate is not within that range. Alternatively, when the transmission channel has not completed the TCP three-way handshake, the execution server 10 determines whether the uplink traffic data packet is abnormal according to the transmission rate of the channel and the byte size of the uplink traffic data packets transmitted within the preset duration: the uplink traffic data packet is determined to be abnormal when the transmission rate is not within the preset transmission rate range, or when the byte size transmitted within the preset duration is not within the preset traffic threshold range.
A sending unit 130, configured to send a reply packet corresponding to the uplink traffic packet to the user terminal 30 when the checking unit 120 determines that the uplink traffic packet is not abnormal.
Optionally, the traffic monitoring apparatus 100 further includes a discarding unit, configured to discard the uplink traffic data packet by the execution server 10 when it is determined that the uplink traffic data packet is abnormal.
Optionally, the traffic monitoring apparatus 100 further comprises a schedule determining unit. Before the receiving unit 110 sends the uplink traffic data packet to the execution servers 10, the scheduling determining unit is configured to determine a target execution server 10 from at least one execution server 10 according to a preset equalization policy, where the target execution server 10 is configured to receive the uplink traffic data packet sent by the scheduling server 20.
Optionally, the flow monitoring device 100 further comprises an analysis unit. Before the checking unit 120 checks the uplink traffic data packet according to the preset checking rule, the parsing unit is configured to parse the uplink traffic data packet according to the preset parsing rule, and obtain a parsed field to check the uplink traffic data packet.
It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working process of the flow monitoring apparatus 100 described above may refer to the corresponding process of each step in the foregoing method, and will not be described in detail herein.
In this embodiment, the user terminal 30 may be, but is not limited to, a smart phone, a Personal Computer (PC), a tablet PC, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like. The network may be, but is not limited to, a wired network or a wireless network.
Referring to fig. 2 again, in the present embodiment, the processing module 11 may be an integrated circuit chip having signal processing capability. The processing module 11 may be a general-purpose processor, for example a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), or a Network Processor (NP). It may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The processing module 11 may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention.
The communication module 12 is configured to establish a communication connection between the execution server 10 and the scheduling server 20 and the user terminal 30 via a network, and to transmit and receive data via the network.
The memory module 13 may be, but is not limited to, a random access memory, a read only memory, a programmable read only memory, an erasable programmable read only memory, an electrically erasable programmable read only memory, and the like. In this embodiment, the storage module 13 may be configured to store an uplink traffic data packet, a preset check rule, and the like. Of course, the storage module 13 may also be used to store a program, and the processing module 11 executes the program after receiving the execution instruction.
Further, the flow monitoring apparatus 100 includes at least one software function module which may be stored in the storage module 13 in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the execution server 10. The processing module 11 is used for executing executable modules stored in the storage module 13, such as software functional modules and computer programs included in the flow monitoring apparatus 100.
It is understood that the configuration shown in fig. 2 is only a schematic configuration of the execution server 10, and that the execution server 10 may include more or less components than those shown in fig. 2. The components shown in fig. 2 may be implemented in hardware, software, or a combination thereof.
The embodiment of the invention also provides a computer-readable storage medium. The readable storage medium stores a computer program that, when run on a computer, causes the computer to execute the traffic monitoring method of the above-described embodiments.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by hardware, or by software plus a necessary general hardware platform, and based on such understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions to make a computer device (which can be a personal computer, a server, or a network device, etc.) execute the method described in the embodiments of the present invention.
In summary, the present invention provides a traffic monitoring method, a traffic monitoring device and an execution server. The method comprises the steps that an uplink flow data packet sent by a user terminal is received through a scheduling server, and the uplink flow data packet is sent to an execution server; the execution server checks the uplink flow data packet according to a preset check rule to determine whether the uplink flow data packet is abnormal or not; and if not, the execution server sends a reply data packet corresponding to the uplink flow data packet to the user terminal. The execution server only monitors the uplink flow data packet acquired by the scheduling server from the user terminal, namely the execution server only monitors the uplink flow of the user terminal, the downlink flow data of the user terminal does not need to be monitored, and the data processing amount is reduced, so that the storage space of a service system can be saved, the pressure of the flow monitoring processing of the service system is reduced, and the efficiency of the flow monitoring processing is improved.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
Alternatively, all or part of the implementation may be in software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A traffic monitoring method is applied to a distributed service system comprising a scheduling server and at least one execution server, and comprises the following steps:
the scheduling server receives an uplink flow data packet sent by a user terminal and sends the uplink flow data packet to an execution server;
the execution server checks the uplink flow data packet according to a preset check rule to determine whether the uplink flow data packet is abnormal or not;
and if not, the execution server sends a reply data packet corresponding to the uplink flow data packet to the user terminal.
2. The method according to claim 1, wherein the performing server performs the verification on the upstream traffic data packet according to a preset verification rule, including at least one of the following manners:
based on a transmission control protocol corresponding to the uplink traffic data packet, the execution server performs field verification and/or mark verification and/or load data verification on the uplink traffic data, wherein when any one of the field verification, the mark verification and the load data verification is failed, the uplink traffic data packet is determined to be abnormal; or
Based on the source IP corresponding to the uplink flow data packet, the execution server checks the byte size or the request times of the uplink flow data packet sent by the user terminal corresponding to the same source IP, wherein in a preset time period, the byte size or the request times of the uplink flow data packet sent by the user terminal corresponding to the same source IP is not in a preset flow threshold range, or when the request times exceed the preset times, the uplink flow data packet is determined to be abnormal.
3. The method according to claim 1, wherein the performing server performs the verification on the uplink traffic data packet according to a preset verification rule, including:
judging whether a transmission channel for transmitting the uplink flow data between the distributed service system and the user terminal is established with three-way handshake of transmission control protocol connection;
when the transmission channel is established with three-way handshake of transmission control protocol connection, the execution server judges whether the throughput rate of the transmission channel for transmitting the uplink flow data packet is in a preset throughput rate range, and when the throughput rate of the transmission channel for transmitting the uplink flow data packet is not in the preset throughput rate range, the execution server determines that the uplink flow data packet is abnormal; or,
when the transmission channel does not establish three-way handshake of transmission control protocol connection, the execution server determines whether the uplink traffic data packet is abnormal or not according to the transmission rate of the transmission channel and the byte size of the uplink traffic data packet transmitted within a preset time, wherein when the transmission rate is not within a preset transmission rate range or the byte size of the uplink traffic data packet transmitted within the preset time is not within a preset traffic threshold range, the uplink traffic data packet is determined to be abnormal.
4. The method of claim 1, further comprising: and when the uplink flow data packet is determined to be abnormal, the execution server discards the uplink flow data packet.
5. The method of claim 1, wherein prior to sending the upstream traffic packet to an execution server, the method further comprises:
and the scheduling server determines a target execution server from at least one execution server according to a preset equilibrium strategy, wherein the target execution server is used for receiving the uplink traffic data packet sent by the scheduling server.
6. The method according to any one of claims 1 to 5, wherein before the performing server performs the verification on the upstream traffic data packet according to a preset verification rule, the method further comprises:
and the execution server analyzes the uplink traffic data packet according to a preset analysis rule and obtains an analyzed field to check the uplink traffic data packet.
7. A flow monitoring device is applied to a distributed service system comprising a scheduling server and at least one execution server, and the device comprises:
the receiving unit is used for receiving an uplink flow data packet sent by a user terminal and sending the uplink flow data packet to an execution server;
the verification unit is used for verifying the uplink traffic data packet according to a preset verification rule so as to determine whether the uplink traffic data packet is abnormal or not;
and the sending unit is used for sending a reply data packet corresponding to the uplink flow data packet to the user terminal when the verification unit determines that the uplink flow data packet is not abnormal.
8. The apparatus of claim 7, wherein the verification unit is further configured to:
based on a transmission control protocol corresponding to the uplink traffic data packet, the execution server performs field verification and/or mark verification and/or load data verification on the uplink traffic data, wherein when any one of the field verification, the mark verification and the load data verification is failed, the uplink traffic data packet is determined to be abnormal; or
Based on the source IP corresponding to the uplink flow data packet, the execution server checks the byte size or the request times of the uplink flow data packet sent by the user terminal corresponding to the same source IP, wherein in a preset time period, the byte size or the request times of the uplink flow data packet sent by the user terminal corresponding to the same source IP is not in a preset flow threshold range, or when the request times exceed the preset times, the uplink flow data packet is determined to be abnormal.
9. An execution server, comprising:
a storage module;
a processing module; and
a flow monitoring device including one or more software functional modules stored in the memory module and executed by the processing module, the flow monitoring device comprising:
the receiving unit is used for receiving an uplink flow data packet sent by a user terminal and sending the uplink flow data packet to an execution server;
the verification unit is used for verifying the uplink traffic data packet according to a preset verification rule so as to determine whether the uplink traffic data packet is abnormal or not;
and the sending unit is used for sending a reply data packet corresponding to the uplink flow data packet to the user terminal when the verification unit determines that the uplink flow data packet is not abnormal.
10. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the flow monitoring method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811327450.6A CN109462586A (en) | 2018-11-08 | 2018-11-08 | Flow monitoring method, device and execute server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109462586A (en) | 2019-03-12 |
Family
ID=65609778
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811327450.6A Pending CN109462586A (en) | 2018-11-08 | 2018-11-08 | Flow monitoring method, device and execute server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109462586A (en) |
EP3408989B1 (en) | Detecting malware on spdy connections | |
US20170070455A1 (en) | Method and apparatus for processing network protocol stack data | |
WO2016184079A1 (en) | Method and device for processing system log message | |
CN113722097A (en) | Surge protection method and device, electronic equipment and storage medium | |
CN112565309B (en) | Message processing method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: Room 311501, Unit 1, Building 5, Courtyard 1, Futong East Street, Chaoyang District, Beijing; Applicant after: BEIJING KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.; Address before: Room 311501, Unit 1, Building 5, Courtyard 1, Futong East Street, Chaoyang District, Beijing; Applicant before: BEIJING KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd. |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190312 |