
CN1866951B - Method and system for detecting shared access hosts in network - Google Patents


Info

Publication number: CN1866951B
Authority: CN (China)
Prior art keywords: source, address, main frame, difference, network
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion)
Application number: CN2005100711324A
Other languages: Chinese (zh)
Other versions: CN1866951A (en)
Inventors: 段建敏, 刘廷永, 涂卫华, 刘淑玲, 张鹏
Current Assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2005100711324A
Publication of CN1866951A
Application granted
Publication of CN1866951B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting shared access hosts in a network. It addresses two problems of prior-art detection of hosts that share Internet access: the detection affects users, and user actions can prevent accurate detection. The method is: obtain from the network the network data of accesses to the network; extract the Transmission Control Protocol (TCP) packets from that data, and extract the source IP address and the corresponding IP packet identifier from each TCP packet; and determine, from the way the IP packet identifiers of TCP packets with the same source IP address change within a certain time, whether the host corresponding to that IP address is a shared access host. The invention also discloses an access monitoring system comprising a data forwarding device, a splitting and filtering server and a statistical analysis server.

Description

Method and system for detecting shared access hosts in a network

Technical field

The invention relates to network sharing technology in communication networks, and in particular to a method and system for detecting shared access hosts in a network.

Background art

Broadband service is an important part of telecommunication data services. Several technologies currently implement shared network access by means of network address translation (NAT), proxies (Proxy) and the like. With this kind of access, multiple users or multiple hosts reach the Internet through the same IP address or account, by NAT or through a proxy, and so share one network connection. This access method is already used on a considerable scale and is growing rapidly.

To detect hosts that share Internet access quickly and accurately, the prior art mainly offers the following two technical solutions:

One solution installs specific software on the client machine. The software analyzes host characteristics such as the user's host system information and IP address to obtain information on users sharing Internet access, and periodically sends monitoring data to a monitoring server, which compiles statistics to identify the hosts sharing Internet access.

The other solution reserves a backdoor program on the asymmetric digital subscriber line modem (ADSL modem) and, through a reserved Simple Network Management Protocol (SNMP) port, scans the operating systems of the hosts inside the local area network and counts them to identify the hosts sharing Internet access.

These two solutions have the following disadvantages:

Installing client software on the client machine not only antagonizes users but also increases the operator's maintenance workload: whenever the client software malfunctions, the operator has to maintain it, and this happens frequently. More seriously, operations on the client can technically bypass the client software, so accurate information cannot be obtained.

Counting hosts by scanning the SNMP port also antagonizes users, and users can defeat it, for example by turning off the SNMP service, so accurate information cannot be obtained.

In short, both methods affect users, and both can fail to detect hosts sharing Internet access accurately because of what the user does.

Summary of the invention

The invention provides a method and system for detecting shared access hosts in a network, to solve the problems that prior-art detection of hosts sharing Internet access affects users and that user actions can prevent accurate detection.

To solve the above problems, the invention provides the following technical solutions:

A method for detecting a shared access host in a network, comprising the following steps:

A. obtaining from the network the network data of accesses to the network;

B. extracting Transmission Control Protocol (TCP) packets from the network data, and extracting the source IP address and the corresponding IP packet identifier from each TCP packet;

C. determining, from the change characteristics of the IP packet identifiers of TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared access host. This determination specifically comprises: calculating the difference between the IP packet identifiers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest IP packet identifier among the IP packet identifiers with the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value.

In step B, the source port number is also extracted from the TCP packet.

Before step C the method further comprises step C1: determining, from the change characteristics of the source port numbers of TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared access host, and performing step C when the host cannot be determined to be a shared access host.

Step C1 comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address; comparing the difference with the corresponding set value; if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared access host, and otherwise performing step C.

Alternatively, step C1 comprises: when a set detection period expires, calculating the difference between the largest and the smallest source port number among the source port numbers with the same source IP address in that period; comparing the difference with the corresponding set value; if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared access host, and otherwise performing step C.

A method for detecting a shared access host in a network, comprising the following steps:

(1) obtaining from the network the network data of accesses to the network;

(2) extracting Transmission Control Protocol (TCP) packets from the network data, and extracting the source IP address and the corresponding source port number from each TCP packet;

(3) determining, from the change characteristics of the source port numbers of TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared access host. This determination specifically comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest source port number among the source port numbers with the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value.

An access monitoring system, characterized in that it comprises:

a data forwarding device, placed at the egress of the monitored group of hosts or at the egress of the network, for forwarding the network data that accesses the network through that egress;

a splitting and filtering server, connected to the data forwarding device, for obtaining network data from the data forwarding device, extracting packets of a specified type from that data and parsing out the required information, where the required information is: the source IP address and the corresponding IP packet identifier; or the source port number, the source IP address and the corresponding IP packet identifier; or the source IP address and the corresponding source port number;

a statistical analysis server, connected to the splitting and filtering server, which determines the shared access hosts according to the parsed information and the configured analysis rule, wherein:

  • when the parsed information is the source IP address and the corresponding IP packet identifier, the analysis rule is to analyze the change characteristics of the IP packet identifiers of TCP packets with the same source IP address;
  • when the parsed information is the source port number, the source IP address and the corresponding IP packet identifier, the analysis rule is to analyze the change characteristics of the source port numbers of TCP packets with the same source IP address to determine whether the host corresponding to that source IP address is a shared access host and, when the host cannot be determined to be a shared access host, to decide by analyzing the change characteristics of the IP packet identifiers of TCP packets with the same source IP address;
  • when the parsed information is the source IP address and the corresponding source port number, the analysis rule is to analyze the change characteristics of the source port numbers of TCP packets with the same source IP address.

Analyzing the change characteristics of the source port numbers of TCP packets with the same source IP address comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest source port number among the source port numbers with the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value.

Analyzing the change characteristics of the IP packet identifiers of TCP packets with the same source IP address comprises: calculating the difference between the IP packet identifiers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest IP packet identifier among the IP packet identifiers with the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value.

The data forwarding device is an optical splitter, or a mirroring module in a switch used to mirror data, or a switch used to forward the network data.

The invention has the following beneficial effects:

The invention extracts TCP packets from the captured network data and uses jumps in the IP packet identifier, supplemented by changes in the port, to detect quickly and accurately the use of NAT to share Internet access. Because it works by passive monitoring, the accuracy of the result is not affected by operations on the user side, the user's normal Internet access is not affected in any way, and the operator's maintenance workload is reduced.

Description of the drawings

Fig. 1 is a schematic structural diagram of the access monitoring system of the invention;

Fig. 2 is a flow chart of detecting shared access hosts from the change characteristics of the IP packet identifier;

Fig. 3 is a flow chart of detecting shared access hosts from the change characteristics of both the port and the IP packet identifier;

Fig. 4 is a flow chart of detecting shared access hosts from the change characteristics of the port.

Detailed description

The invention judges, mainly at the TCP/IP level, whether multiple users or multiple hosts are accessing the network and using Internet resources through the same IP address or account.

In a network, when a host holds one IP address and accesses different resources on the Internet, the host's port number increases by +1 as the number of Transmission Control Protocol/Internet Protocol (TCP/IP) connections grows; likewise, the IP packet identifier (Identification) that labels each IP packet increases step by step, by +1 or +2, as the connections exchange traffic. When the Internet is accessed through network address translation (NAT), the port of the private-network IP address is changed randomly by the NAT translation, but the IP packet identifier after translation remains the Identification of the original private-network IP packet. Within the private network, the IP packet identifiers of different private hosts are assigned randomly in the range 0-65535 (the Identification is determined by the operating system kernel, and different operating systems assign IDs differently). Thus, when several private hosts access network resources through NAT at the same time, both the port and the Identification of the translated IP packets change considerably: the port jumps to some degree, and the Identification jumps widely as well. For example: when a public-network host accesses several different Internet resources in succession, its ports are 3024, 3025, 3026, increasing gradually, and as the number of connections grows its IP packet Identification values are 54231, 54232, 54233, 54234, 54236, again increasing by +1 or +2; whereas when two hosts access Internet resources through NAT at the same time, the ports after NAT translation are 2315, 7238, 5320, changing with no pattern, and the Identification values are 76482, 1684, 31217, 348 and so on, also changing very irregularly.

Based on the change characteristics analyzed above for the IP packet identifier and the source port number when several private hosts access network resources through NAT at the same time, the use of NAT to share Internet access can be detected quickly and accurately by examining the IP packet Identification and the port number. In the invention, an access monitoring system on the network side captures the network data and, from that data, detects the use of NAT to share Internet access.

Referring to Fig. 1, the access monitoring system comprises a data forwarding device, a splitting and filtering server connected to the data forwarding device, and a statistical analysis server connected to the splitting and filtering server, where:

The data forwarding device brings in, from the egress of the monitored group of hosts or from the egress of the network, all network data accessing the network; the data is collected over a separately attached broadband link and delivered to the splitting and filtering server. In Fig. 1 the data forwarding device is an optical splitter placed between the metropolitan area network interface and the backbone network interface. An optical splitter is an existing network device that can lead the data on one network out into another, branch network. The forwarding device can also be the mirroring module of a switch that supports port mirroring, which is used to obtain a copy of the network data accessing the network through the egress; or it can be a switch dedicated to tapping, at the egress, the network data accessing the network. Any other network device that can obtain a copy of the network data at the egress can be used as well.

The splitting and filtering server separates packets of the specified types from the network data delivered by the optical splitter, parses the useful data out of those packets and reports it to the statistical analysis server; data of other types is discarded. The specified packet type is mainly the TCP packet. It can also include the Radius packets used for user authentication and accounting, which carry the user's IP address and user account, so that the correspondence between user IP address and user account can be recorded from them.

The statistical analysis server is configured with analysis rules. It analyzes and aggregates the data filtered out by the splitting and filtering server according to these rules and provides the evidence that multiple users are sharing Internet access. The analysis rules include at least the set value used to analyze the change characteristics of the IP packet Identification, and can also include the set value used to analyze the change characteristics of the port, the correspondence between IP addresses and accounts, and so on.

The splitting and filtering server and the statistical analysis server can be the same server or independent servers.

Referring to Fig. 2, the process of detecting that multiple users or multiple hosts access the network through the same IP address or account is as follows:

Step 1: The optical splitter taps all network data accessing the Internet and leads it to the splitting and filtering server of the access monitoring system.

Step 2: The splitting and filtering server filters and analyzes the data: using the protocol type in the IP packet, it extracts the TCP packets and Radius packets from the network data and discards all other packets.

Step 3: The splitting and filtering server extracts the source IP address and the IP packet Identification from each TCP packet and reports them to the statistical analysis server.

If a Radius packet is obtained, the user IP address and the corresponding account information are extracted from it and reported to the statistical analysis server.

Step 4: After receiving a source IP address and the corresponding IP packet Identification, the statistical analysis server analyzes the change characteristics of the Identification of the TCP packets with the same source IP address and judges whether the user corresponding to that IP address is sharing Internet access. If the statistical analysis server receives an IP address and the corresponding account information, it records the correspondence between the IP address and the account.

The change characteristics of the IP packet Identification can be analyzed in the following two ways:

1. Calculate the difference between the IP packet identifiers of two consecutive TCP packets with the same IP address and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to the source IP address is determined to be a shared access host; otherwise the host cannot be determined to be a shared access host (in which case it can be treated as a non-shared access host by default). For example: if, within a continuous period of time, two packets from the same IP address have the Identification values 79231 and 4171, this shows that two users are sharing Internet access through this public IP address. When considering the change characteristics of the IP packet Identification, a jump greater than 200 is generally regarded as suspicious.

In this mode the statistical analysis server only compares the IP packet identifiers of two consecutive TCP packets with the same IP address. Therefore, as long as the user corresponding to the access IP address cannot be judged to be sharing Internet access, only the latest IP address and its corresponding IP packet identifier need to be kept.

2. Set a detection period. When the period expires, calculate the difference between the largest and the smallest IP packet identifier among the IP packet identifiers with the same source IP address in that period and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to the source IP address is determined to be a shared access host; otherwise the host cannot be determined to be a shared access host (in which case it can be treated as a non-shared access host by default). The set value in this mode should differ from the set value in the first mode and depends on the length of the detection period. The length of the detection period can be set as needed, for example 1 minute, 5 minutes or 1 hour.

Once it has been determined that a user accesses the Internet through a shared IP address, the corresponding user account information can be obtained from the correspondence between IP address and account, a report of the accounts sharing Internet access can be output, and the data on which the analysis is based can be output as well.
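An added example, not part of the patent text: Python code for the statistical analysis step that applies the source-port rule first and the Identification rule second, as the summary describes, together with the periodic largest-minus-smallest rule. The packet builder, the sample capture, the 198.51.100.x and 203.0.113.10 addresses, the period threshold of 2000 and the wrap-aware distance are assumptions made here; the thresholds 200 and 100 are the values the description gives, and the example assumes, as the description does, that each host stamps its packets from one incrementing Identification counter.

```python
import socket
import struct

IPID_JUMP = 200  # from the text: an Identification jump above 200 is suspicious
PORT_JUMP = 100  # from the text: a source-port jump above 100 in a short time


def parse_ipv4_tcp(pkt):
    """Return (src_ip, ip_id, src_port) for an IPv4 TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 2:
        return None
    if pkt[9] != 6:  # protocol 6 = TCP; other protocols are discarded
        return None
    ip_id, frag = struct.unpack_from("!HH", pkt, 4)
    if frag & 0x1FFF:  # later fragments carry no TCP header
        return None
    (src_port,) = struct.unpack_from("!H", pkt, ihl)
    return socket.inet_ntoa(pkt[12:16]), ip_id, src_port


def ipid_distance(a, b):
    """Distance between two 16-bit Identification values, wrap-aware.

    Added refinement (assumption): the text uses a plain difference, which
    would also report a single host whose counter wraps from 65535 to 0.
    """
    d = (a - b) & 0xFFFF
    return min(d, 0x10000 - d)


class SharedAccessDetector:
    def __init__(self, ipid_jump=IPID_JUMP, port_jump=PORT_JUMP):
        self.ipid_jump = ipid_jump
        self.port_jump = port_jump
        self.last = {}    # src_ip -> (ip_id, src_port); only the latest is kept
        self.period = {}  # src_ip -> [min_id, max_id] for the current period
        self.shared = {}  # src_ip -> rule that fired first ("port" or "ipid")

    def observe(self, pkt):
        """Feed one mirrored packet; return the rule that fired, or None."""
        rec = parse_ipv4_tcp(pkt)
        if rec is None:
            return None
        src, ip_id, sport = rec
        lo_hi = self.period.setdefault(src, [ip_id, ip_id])
        lo_hi[0], lo_hi[1] = min(lo_hi[0], ip_id), max(lo_hi[1], ip_id)
        prev = self.last.get(src)
        self.last[src] = (ip_id, sport)
        if prev is None:
            return None
        rule = None
        if abs(sport - prev[1]) > self.port_jump:  # port rule first
            rule = "port"
        elif ipid_distance(ip_id, prev[0]) > self.ipid_jump:  # then Identification
            rule = "ipid"
        if rule:
            self.shared.setdefault(src, rule)
        return rule

    def close_period(self, period_jump):
        """Periodic rule: largest minus smallest Identification, then reset.

        Plain subtraction as in the text, so it is not wrap-aware.
        """
        hits = {s for s, (lo, hi) in self.period.items() if hi - lo > period_jump}
        self.period = {}
        return hits


def build_packet(src_ip, ip_id, src_port, proto=6, frag=0):
    """Constructed sample input: 20-byte IPv4 header plus 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, frag, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("203.0.113.10"))
    tcp = struct.pack("!HHIIBBHHH", src_port, 80, 0, 0, 0x50, 0x10, 65535, 0, 0)
    return ip + tcp


# Constructed capture: (source IP, Identification, source port) per packet.
SAMPLE = [
    ("198.51.100.7", 54231, 3024), ("198.51.100.9", 1684, 2315),
    ("198.51.100.7", 54232, 3024), ("198.51.100.11", 54231, 4000),
    ("198.51.100.9", 31217, 7238), ("198.51.100.7", 54233, 3025),
    ("198.51.100.11", 4171, 4001), ("198.51.100.9", 348, 5320),
    ("198.51.100.7", 54234, 3025), ("198.51.100.11", 54232, 4002),
    ("198.51.100.7", 54236, 3026),
]


def run_sample():
    """Run both rules over SAMPLE: (per-packet verdicts, periodic verdicts)."""
    det = SharedAccessDetector()
    for src, ip_id, sport in SAMPLE:
        det.observe(build_packet(src, ip_id, sport))
    return det.shared, det.close_period(period_jump=2000)


if __name__ == "__main__":
    print(run_sample())
```

In the sample, 198.51.100.7 behaves like a single host, 198.51.100.9 like a NAT that randomizes ports, and 198.51.100.11 like a NAT that allocates ports sequentially, which only the Identification rule catches.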

由于IP包Identification随机分配,两台或多台主机同时通过NAT方式访问互联网资源时,一般情况下IP包Identification的变化比较大,但也可能存在变化较小的情况,因此,可以结合端口变化来检测共享接入主机。其处理过程如图3所示:Due to the random allocation of IP packet Identification, when two or more hosts access Internet resources through NAT at the same time, the change of IP packet Identification is relatively large under normal circumstances, but there may also be small changes. Therefore, it can be combined with port changes. Detect shared access hosts. Its processing process is shown in Figure 3:

步骤10:由分光器从网络中分流接入互联网的所有网络数据,并引入到接入监控系统中的分流过滤服务器。Step 10: The optical splitter splits all network data connected to the Internet from the network, and introduces it to the splitting and filtering server in the access monitoring system.

步骤11:分流过滤服务器进行过滤分析,根据IP包中的协议类型从网络数据中提取出TCP数据包和Radius数据包。Step 11: The distribution filtering server performs filtering analysis, and extracts TCP data packets and Radius data packets from network data according to the protocol type in the IP packet.

步骤12:分流过滤服务器从TCP数据包中提取源端口号、源IP地址和IP包Identification,并将这些数据上报统计分析服务器。Step 12: The distribution filtering server extracts the source port number, source IP address and IP packet Identification from the TCP data packet, and reports these data to the statistical analysis server.

若获取了Radius数据包,则从该数据包中提取出用户IP地址和对应的账户信息,并上报到统计分析服务器。If the Radius data packet is obtained, the user IP address and corresponding account information are extracted from the data packet, and reported to the statistical analysis server.

步骤13:统计分析服务器分析相同源IP地址的端口号变化特征,判断该IP地址所对应的用户是否为共享上网用户,若不能确定其为共享上网用户,则进行步骤14,若确定是共享上网用户,则输出相应信息并继续判断下一个IP地址对应的主机。Step 13: The statistical analysis server analyzes the port number change characteristics of the same source IP address, and judges whether the user corresponding to the IP address is a shared Internet user, if it cannot be determined that it is a shared Internet user, then proceed to step 14, if it is determined to be a shared Internet user user, then output corresponding information and continue to judge the host computer corresponding to the next IP address.

The port change characteristics of the TCP data can be analyzed in either of the following two ways:

1. Calculate the difference between the port numbers of two consecutive TCP packets with the same IP address and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to that source IP address is determined to be a shared access host; otherwise the host cannot be determined to be a shared access host (in which case it can be treated as a non-shared access host by default). For example, if two TCP packets from the same IP address within a continuous period of time have ports 3024 and 4140, this proves that two users are sharing Internet access through that public IP. When considering port change characteristics, a port jump of more than 100 within a short period can generally be taken to mean that two users are sharing Internet access through that public IP.

In this mode, the statistical analysis server only compares the port change between two consecutive TCP packets with the same IP address. Therefore, when it cannot judge that the user corresponding to the access IP address is a shared Internet access user, it only needs to keep the most recent port number for that IP address.

2. Set a detection period. When the period expires, calculate the difference between the largest and the smallest port number among the port numbers seen for the same source IP address in that period, and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to that source IP address is determined to be a shared access host; otherwise the host cannot be determined to be a shared access host (in which case it can be treated as a non-shared access host by default). The set value in this case should differ from the set value in the first method and depends on the length of the detection period, which can be set as needed, for example to 1 minute, 5 minutes or 1 hour.

Step 14: The statistical analysis server analyzes the change characteristics of the IP packet Identification and judges whether the user corresponding to the IP address is a shared Internet access user, in the same way as in step 4 above.

Likewise, if the statistical analysis server receives an IP address and the corresponding account information, it records the correspondence between the IP address and the account. Once a user has been determined to be accessing the Internet through a shared IP address, the corresponding user account information can be obtained from the IP-address-to-account correspondence, and a report of the accounts sharing Internet access can be output, together with the data on which the analysis was based.
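The two-stage check of steps 13 and 14, in both analysis modes and with the RADIUS account lookup, sketched in Python as an added example; it is not code from the patent. The record layout, function names, sample records and the Identification set value are assumptions; only the port jump of 100 and the ports 3024 and 4140 come from the description.

```python
from collections import defaultdict
from dataclasses import dataclass

PORT_JUMP = 100    # description: a port jump above 100 in a short time suggests sharing
IPID_JUMP = 1000   # assumed set value; the page gives no number for Identification


@dataclass(frozen=True)
class Record:
    """Fields the splitting and filtering server reports for one TCP packet."""
    ts: float
    src_ip: str
    src_port: int
    ip_id: int


def detect_consecutive(records, port_jump=PORT_JUMP, ipid_jump=IPID_JUMP):
    """Mode 1: compare each packet with the previous one from the same source IP.

    Only the latest port and Identification per IP are stored. Returns
    {src_ip: "port" | "ip_id"} naming the feature that exceeded its set value.
    """
    last, findings = {}, {}
    for r in sorted(records, key=lambda rec: rec.ts):
        prev = last.get(r.src_ip)
        last[r.src_ip] = (r.src_port, r.ip_id)
        if prev is None or r.src_ip in findings:
            continue
        if abs(r.src_port - prev[0]) > port_jump:    # step 13: ports first
            findings[r.src_ip] = "port"
        elif abs(r.ip_id - prev[1]) > ipid_jump:     # step 14: Identification
            findings[r.src_ip] = "ip_id"
    return findings


def detect_by_period(records, period_s, port_range, ipid_range):
    """Mode 2: per detection period, compare max - min for each source IP."""
    windows = defaultdict(lambda: ([], []))
    for r in records:
        ports, ids = windows[(int(r.ts // period_s), r.src_ip)]
        ports.append(r.src_port)
        ids.append(r.ip_id)
    findings = {}
    for (_, ip), (ports, ids) in sorted(windows.items()):
        if ip in findings:
            continue
        if max(ports) - min(ports) > port_range:
            findings[ip] = "port"
        elif max(ids) - min(ids) > ipid_range:
            findings[ip] = "ip_id"
    return findings


def account_report(findings, accounts):
    """Join flagged IPs with the IP-to-account map learned from RADIUS packets."""
    return [(ip, accounts.get(ip, "<unknown>"), why)
            for ip, why in sorted(findings.items())]


# Constructed sample records (documentation-range addresses), not captured traffic.
SAMPLE = [
    Record(0.0, "203.0.113.10", 3024, 7000),   # ports from the description's example
    Record(0.5, "203.0.113.10", 4140, 7001),
    Record(1.0, "203.0.113.20", 5000, 100),    # single host: small, steady changes
    Record(1.5, "203.0.113.20", 5001, 101),
    Record(2.0, "203.0.113.20", 5002, 102),
    Record(3.0, "203.0.113.30", 2000, 500),    # ports close, Identification jumps
    Record(3.5, "203.0.113.30", 2010, 40000),
    Record(4.0, "203.0.113.30", 2020, 510),
]
ACCOUNTS = {"203.0.113.10": "user-a", "203.0.113.30": "user-c"}  # constructed mapping

if __name__ == "__main__":
    for row in account_report(detect_consecutive(SAMPLE), ACCOUNTS):
        print(row)
```
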

Alternatively, shared access hosts can be detected through port changes alone, as shown in Figure 4. The process is as follows:

Step 20: An optical splitter taps all network data accessing the Internet from the network and feeds it to the splitting and filtering server in the access monitoring system.

Step 21: The splitting and filtering server performs filtering analysis, extracts the TCP packets and RADIUS packets from the network data according to the protocol type in the IP packet, and discards all other packets.

Step 22: The splitting and filtering server extracts the source IP address and source port number from each TCP packet and reports these data to the statistical analysis server.

Step 23: After receiving the source IP address and the corresponding source port number, the statistical analysis server analyzes the source port change characteristics of the TCP data with the same source IP address and judges whether the user corresponding to that IP address is a shared Internet access user. The port change characteristics of the TCP data are analyzed in the same way as described above, and the rest of the processing is likewise the same and is not repeated here.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (14)

1. A method for detecting shared access hosts in a network, characterized by comprising the following steps:
A. obtaining, from the network, the network data accessing the network;
B. extracting Transmission Control Protocol (TCP) packets from the network data, and extracting the source IP address and the corresponding IP packet identification from each TCP packet;
C. determining, according to the change characteristics of the IP packet identification of the TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared access host, wherein the process of determining this according to the change characteristics of the IP packet identification of the TCP packets with the same source IP address specifically comprises:
calculating the difference between the IP packet identifications of two consecutive TCP packets with the same source IP address;
comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or,
when a set detection period expires, calculating the difference between the largest and the smallest IP packet identification among the IP packet identifications with the same source IP address in that period;
comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value.
2. The method of claim 1, characterized in that the source port number is also extracted from the TCP packet in step B.
3. The method of claim 2, characterized in that it further comprises, before step C, the step:
C1. determining, according to the source port number change characteristics of the TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared access host, and performing step C when the host cannot be determined to be a shared access host.
4. The method of claim 3, characterized in that step C1 comprises the steps:
calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address;
comparing the difference with the corresponding set value and, if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared access host, otherwise performing step C.
5. The method of claim 3, characterized in that step C1 comprises the steps:
when a set detection period expires, calculating the difference between the largest and the smallest source port number among the source port numbers with the same source IP address in that period;
comparing the difference with the corresponding set value and, if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared access host, otherwise performing step C.
6. The method of any one of claims 1 to 5, characterized in that RADIUS packets are also extracted from the network data, and the correspondence between the IP address and the account in each such packet is recorded.
7. The method of claim 6, characterized in that, after a host is determined to be a shared access host, the source IP address is used to look up the correspondence so as to obtain and output the corresponding account information.
8. The method of claim 6, characterized in that the network data accessing the network is obtained at the network egress by port mirroring or optical splitting.
9. A method for detecting shared access hosts in a network, characterized by comprising the following steps:
(1) obtaining, from the network, the network data accessing the network;
(2) extracting Transmission Control Protocol (TCP) packets from the network data, and extracting the source IP address and the corresponding source port number from each TCP packet;
(3) determining, according to the change characteristics of the source port number of the TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared access host, wherein the process of determining this according to the change characteristics of the source port number of the TCP packets with the same source IP address specifically comprises:
calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or
when a set detection period expires, calculating the difference between the largest and the smallest source port number among the source port numbers with the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value.
10. The method of claim 9, characterized in that RADIUS packets are also extracted from the network data, and the correspondence between the IP address and the account in each such packet is recorded.
11. The method of claim 10, characterized in that, after a host is determined to be a shared access host, the source IP address is used to look up the correspondence so as to obtain and output the corresponding account information.
12. The method of claim 9, characterized in that the network data accessing the network is obtained at the network egress by port mirroring or optical splitting.
13. An access monitoring system, characterized by comprising:
a data forwarding device, arranged at the egress of the monitored host group or at the egress of the network, for forwarding the network data that accesses the network through that egress;
a splitting and filtering server, connected to the data forwarding device, for obtaining network data from the data forwarding device, extracting Transmission Control Protocol (TCP) packets from the network data and parsing out the required information, wherein the required information comprises: the source IP address and the corresponding IP packet identification; or the source port number, the source IP address and the corresponding IP packet identification; or the source IP address and the corresponding source port number;
a statistical analysis server, connected to the splitting and filtering server, for determining the shared access hosts according to the parsed information and a configured analysis rule, wherein, when the parsed information is the source IP address and the corresponding IP packet identification, the analysis rule is to analyze the change characteristics of the IP packet identification of the TCP packets with the same source IP address; when the parsed information is the source port number, the source IP address and the corresponding IP packet identification, the analysis rule is to analyze the change characteristics of the source port number of the TCP packets with the same source IP address to determine whether the host corresponding to that source IP address is a shared access host and, when the host cannot be determined to be a shared access host, to determine this according to the change characteristics of the IP packet identification of the TCP packets with the same source IP address; when the parsed information is the source IP address and the corresponding source port number, the analysis rule is to analyze the change characteristics of the source port number of the TCP packets with the same source IP address;
analyzing the change characteristics of the source port number of the TCP packets with the same source IP address comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest source port number among the source port numbers with the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value;
analyzing the change characteristics of the IP packet identification of the TCP packets with the same source IP address comprises: calculating the difference between the IP packet identifications of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest IP packet identification among the IP packet identifications with the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared access host when the difference is greater than the corresponding set value.
14. The access monitoring system of claim 13, characterized in that the data forwarding device is an optical splitter, or a mirroring module in a switch used for mirroring data, or a switch used for forwarding the network data.
CN2005100711324A 2005-05-20 2005-05-20 Method and system for detecting shared access hosts in network Expired - Fee Related CN1866951B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2005100711324A CN1866951B (en) 2005-05-20 2005-05-20 Method and system for detecting shared access hosts in network


Publications (2)

Publication Number Publication Date
CN1866951A CN1866951A (en) 2006-11-22
CN1866951B true CN1866951B (en) 2010-09-22

Family

ID=37425835


Country Status (1)

Country Link
CN (1) CN1866951B (en)




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100922

Termination date: 20190520