CN112291089A - Application system identification and definition method based on flow - Google Patents

Publication number
CN112291089A
Authority
CN
China
Prior art keywords
application system
application
definition
name
log
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011144215.2A
Other languages
Chinese (zh)
Inventor
申杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quanzhi Technology Hangzhou Co ltd
Original Assignee
Quanzhi Technology Hangzhou Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Quanzhi Technology Hangzhou Co ltd
Priority to CN202011144215.2A
Publication of CN112291089A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/906 Clustering; Classification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04 Network management architectures or arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a traffic-based application system identification and definition method, relating to fields that involve identifying and defining application systems, such as security big data, application security, data security, big data processing and network data analysis. The method comprises the following steps: log formatting → application system preprocessing → application system structure identification → application system structure classification → application system definition calculation → application system name merging. With big data at its core, the method efficiently discovers and identifies application system definitions through structure classification and path similarity of the application systems, and, combined with application system definition configuration that is either learned automatically from big data or managed manually, merges, defines and counts the application systems found in massive logs.

Description

Application system identification and definition method based on flow
Technical Field
The invention relates to fields that involve identifying and defining application systems, such as security big data, application security, data security, big data processing and network data analysis, and in particular to a traffic-based method for identifying and defining application systems.
Background
In the big data era, enterprises develop and operate a large number of business systems to meet ever-changing user demands, such as order systems, product systems, price systems, payment systems, and various mobile and WeChat client systems. As user access volume grows, these systems run in clusters, a large number of back-end servers are needed to provide computing capacity, and users may reach the same application system through an IP address or through several domain names. In such scenarios, identifying and defining the application system becomes particularly important when auditing and analyzing application access behavior from the bypass-traffic level.
Current bypass-traffic products identify and define applications in a simple way, typically defining an application system by the HOST of a URL, which is usually either domain name + port or IP + port. In real business scenarios, however, an application system can appear in many forms; for example, several IP + port pairs may correspond to one application system. In that case both the count of application systems and their access statistics can differ greatly from the actual situation, and may even affect data analysis and operational decisions.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
To address the effect that inaccurate identification and definition of application systems has on application system counts and access-behavior statistics, the invention provides a new approach: accurately identifying and defining application systems from the bypass-traffic level by learning the data structure of each application system and comparing similarity, so that the number of application systems and their access behavior can be analyzed statistically more reliably.
To achieve this purpose, the invention provides the following technical solution: a traffic-based method for identifying and defining application systems, comprising the following steps:
Step one: log formatting: restore the HTTP traffic into logs;
Step two: application system preprocessing: extract and preliminarily define application systems from the logs restored from HTTP traffic, so that they can be redefined later;
Step three: application system structure identification: once the application system names are preliminarily defined, it must be determined whether different application system names belong to the same application system. The same application system has path structures with very high similarity, so the path structure of each preliminarily defined application system name must be identified;
Step four: application system structure classification: once the path structures of all preliminarily defined application systems are identified, they are compared for similarity and the application systems are classified accordingly. The comparison must be efficient, so the preliminarily defined application systems are classified by path structure;
Step five: application system definition calculation: perform precise similarity comparison on the classified, preliminarily defined application systems and calculate the precise application system definitions;
Step six: application system name merging: calculate the real application system name for the HOST in the log.
In a preferred embodiment, in step one, the log restored from HTTP traffic contains the HTTP request header, request body, request URL, request method, response header and response content.
In a preferred embodiment, in step two, the application system preprocessing comprises the following:
(1) extract the content of the HOST field from the request header of the log and use it as the preliminary application system name;
(2) in attack or scanning scenarios the preliminarily extracted application system names contain various malformed data, so the name is given a preliminary check at this step, and names in abnormal domain name, IPv4 or IPv6 formats are excluded.
In a preferred embodiment, in step three, the application system structure identification comprises the following:
(1) extract the request URL from the log;
(2) calculate the MD5 value of the path of the request URL;
(3) calculate the path structure of the preliminarily defined application system, which comprises two fields: number of paths and path list.
In a preferred embodiment, in step four, the application system structure classification comprises the following:
(1) exclude applications with too few URL paths: the traffic contains many applications that handle little business and whose similarity to one another is therefore very high, so these applications must be excluded;
(2) classify by the number of paths of each preliminarily defined application system, grouping together the applications that are more likely to match, to improve comparison performance.
In a preferred embodiment, in step five, the application system definition calculation comprises the following:
(1) define the calculation formula: similarity = (number of identical paths between the applications) / (total number of paths of the application) × 100;
(2) compute the application definition data structure: the application system name, and the list of application system names to be merged.
In a preferred embodiment, in step six, the application system name merging comprises the following:
(1) extract the HOST name from the log;
(2) traverse the application system definition list and check whether the HOST is in a merged application name list;
(3) if so, return the application name from the application definition configuration;
(4) if not, return the HOST name.
The technical effects and advantages of the invention are as follows:
With big data at its core, the method efficiently discovers and identifies application system definitions through structure classification and path similarity of the application systems, and, combined with application system definition configuration that is either learned automatically from big data or managed manually, merges, defines and counts the application systems found in massive logs.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention.
FIG. 1 is a flow chart of a traffic-based application system identification and definition method of the present invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these example embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more example embodiments. In the following description, numerous specific details are provided to give a thorough understanding of example embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, steps, and so forth. In other instances, well-known structures, methods, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
As shown in FIG. 1, the invention provides a traffic-based method for identifying and defining application systems, comprising the following steps:
Step one: log formatting: restore the HTTP traffic into logs, where each log contains the HTTP request header, request body, request URL, request method, response header and response content;
Step two: application system preprocessing: extract and preliminarily define application systems from the logs restored from HTTP traffic, so that they can be redefined later. The specific flow is as follows:
(1) extract the content of the HOST field from the request header of the log and use it as the preliminary application system name;
(2) in attack or scanning scenarios the preliminarily extracted application system names contain various malformed data, so the name is given a preliminary check at this step, and names in abnormal domain name, IPv4 or IPv6 formats are excluded;
Step three: application system structure identification: once the application system names are preliminarily defined, it must be determined whether different application system names belong to the same application system. The same application system has path structures with very high similarity, so the path structure of each preliminarily defined application system name must be identified. The specific flow is as follows:
(1) extract the request URL from the log;
(2) calculate the MD5 value of the path of the request URL;
(3) calculate the path structure of the preliminarily defined application system, which comprises two fields: number of paths and path list;
Step four: application system structure classification: once the path structures of all preliminarily defined application systems are identified, they are compared for similarity and the application systems are classified accordingly. The comparison must be efficient, so the preliminarily defined application systems are classified by path structure. The specific flow is as follows:
(1) exclude applications with too few URL paths: the traffic contains many applications that handle little business and whose similarity to one another is therefore very high, so these applications must be excluded;
(2) classify by the number of paths of each preliminarily defined application system, grouping together the applications that are more likely to match, to improve comparison performance;
Step five: application system definition calculation: perform precise similarity comparison on the classified, preliminarily defined application systems and calculate the precise application system definitions. The specific flow is as follows:
(1) define the calculation formula: similarity = (number of identical paths between the applications) / (total number of paths of the application) × 100;
(2) compute the application definition data structure: the application system name, and the list of application system names to be merged;
Step six: application system name merging: calculate the real application system name for the HOST in the log. The specific flow is as follows:
(1) extract the HOST name from the log;
(2) traverse the application system definition list and check whether the HOST is in a merged application name list;
(3) if so, return the application name from the application definition configuration;
(4) if not, return the HOST name.
The implementation is as follows. In actual operation, the HTTP traffic is first restored into logs containing the HTTP request header, request body, request URL, request method, response header and response content. After the logs are formatted, the content of the HOST field is extracted from the request header of each log as the preliminary application system name. In attack or scanning scenarios these preliminarily extracted names contain various malformed data, so the name is given a preliminary check at this step and names in abnormal domain name, IPv4 or IPv6 formats are excluded, so that the application systems can be redefined later. This yields the preliminary application system names. Next, to determine whether different application system names belong to the same application system, the request URL in each log is extracted, the MD5 value of its path is calculated, and the path structure (number of paths and path list) of each preliminarily defined application system is calculated; the same application system has path structures with very high similarity. Because the traffic contains many applications that handle little business and whose similarity to one another is therefore very high, these applications are excluded. The applications are then classified by the number of paths of each preliminarily defined application system, grouping together the applications that are more likely to match, to improve comparison performance. The classified, preliminarily defined application systems are compared precisely for similarity using the formula
similarity = (number of identical paths between the applications) / (total number of paths of the application) × 100
and the precise application system definition, namely the application system name and the list of application system names to be merged, is calculated. Finally, the HOST name is extracted from each log and the application system definition list is traversed to check whether the HOST is in a merged application name list; if so, the application name from the application definition configuration is returned, and if not, the HOST name is returned. This completes the identification and definition of the application systems.
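The six steps above as one runnable pipeline, added here as an illustration and not code from the patent. The thresholds `MIN_PATHS` and `THRESHOLD`, the use of the larger path set as the "total number of paths", transitive merging, the choice of merged name, and the sample log records are all assumptions; the patent gives no values for them.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

MIN_PATHS = 3      # assumption: hosts with fewer distinct paths are excluded (step 4.1)
THRESHOLD = 80.0   # assumption: similarity (%) at which two hosts are merged

_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_V6 = re.compile(r"\[([0-9A-Fa-f:.]+)\](?::(\d+))?")

def valid_host(host):
    """Step 2(2): accept only a well-formed domain, IPv4 or [IPv6], with optional port."""
    m = _V6.fullmatch(host)
    if m:
        name, port, want_v6 = m.group(1), m.group(2), True
    else:
        name, sep, port = host.rpartition(":")
        if not sep:
            name, port = host, None
        want_v6 = False
    if port is not None and not (port.isascii() and port.isdigit()
                                 and 0 < int(port) < 65536):
        return False
    try:
        return (ipaddress.ip_address(name).version == 6) == want_v6
    except ValueError:
        pass
    labels = name.split(".")
    # An all-numeric last label means a malformed IPv4 address, not a domain.
    return (not want_v6 and len(name) <= 253 and not labels[-1].isdigit()
            and all(_LABEL.fullmatch(label) for label in labels))

def path_structures(records):
    """Steps 2-3: per valid HOST, the set of MD5(path) values and its size."""
    paths = defaultdict(set)
    for rec in records:
        host = rec["host"].strip().lower()
        if not valid_host(host):
            continue
        path = urlsplit(rec["url"]).path or "/"   # query string is not part of the path
        # MD5 is only a fixed-width fingerprint here, not a security control.
        paths[host].add(hashlib.md5(path.encode(), usedforsecurity=False).hexdigest())
    return {h: {"count": len(p), "paths": p} for h, p in paths.items()}

def similarity(a, b):
    """Step 5(1); denominator is the larger path set (assumption)."""
    return 100 * len(a["paths"] & b["paths"]) / max(a["count"], b["count"])

def define_applications(structs):
    """Steps 4-5: drop thin hosts, compare only hosts with close path counts, merge."""
    hosts = sorted((h for h, s in structs.items() if s["count"] >= MIN_PATHS),
                   key=lambda h: (structs[h]["count"], h))
    parent = {h: h for h in hosts}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            # shared <= count(a), so once count(a)/count(b) < THRESHOLD no later b can match
            if structs[a]["count"] * 100 < THRESHOLD * structs[b]["count"]:
                break
            if similarity(structs[a], structs[b]) >= THRESHOLD:
                parent[find(b)] = find(a)
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    # Step 5(2): application name plus the list of names to merge.
    # The name is the smallest member (assumption); an operator could override it.
    return [{"name": min(m), "merge": sorted(m)} for m in groups.values() if len(m) > 1]

def resolve(host, definitions):
    """Step 6: map a HOST to its merged application name, else return the HOST."""
    host = host.strip().lower()
    for d in definitions:
        if host in d["merge"]:
            return d["name"]
    return host

# Constructed sample log records (only the HOST and request URL fields are used).
_APP = ["/", "/login", "/cart?id=7", "/order/list", "/pay", "/product/list"]
SAMPLE = (
    [{"host": "shop.example.com", "url": p} for p in _APP]
    + [{"host": "10.0.0.5:8080", "url": p} for p in _APP]
    + [{"host": "10.0.0.6:8080", "url": p} for p in _APP[:5]]
    + [{"host": "wiki.example.com", "url": p}
       for p in ("/", "/wiki/Home", "/wiki/Search", "/edit")]
    + [{"host": h, "url": p}
       for h in ("health.example.com", "ping.example.com") for p in ("/", "/health")]
    + [{"host": h, "url": "/login"}
       for h in ("../../etc/passwd", "999.1.1.1", "shop.example.com:99999")]
)

if __name__ == "__main__":
    defs = define_applications(path_structures(SAMPLE))
    print(defs)
    for h in ("10.0.0.6:8080", "wiki.example.com"):
        print(h, "->", resolve(h, defs))
```

The two health-check hosts share 100% of their paths but are never merged, because step four (1) removes hosts with too few paths before any comparison takes place.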
While certain exemplary embodiments of the present invention have been described above by way of illustration only, it will be apparent to those of ordinary skill in the art that the described embodiments may be modified in various different ways without departing from the spirit and scope of the invention. Accordingly, the drawings and description are illustrative in nature and should not be construed as limiting the scope of the invention.
Finally, it should be noted: first, although the invention has been described in detail through the general description and the specific embodiments, the above embodiments only illustrate the technical solution of the invention and do not limit it. Those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features equivalently replaced, and that such modifications or substitutions do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention;
Second, the drawings of the disclosed embodiments show only the structures related to those embodiments; other structures may follow general designs, and the same embodiment and different embodiments of the invention may be combined with each other where no conflict arises.

Claims (7)

1. A traffic-based application system identification and definition method, characterized in that the method comprises the following steps:
Step one: log formatting: restore the HTTP traffic into logs;
Step two: application system preprocessing: extract and preliminarily define application systems from the logs restored from HTTP traffic, so that they can be redefined later;
Step three: application system structure identification: once the application system names are preliminarily defined, it must be determined whether different application system names belong to the same application system, the same application system having path structures with very high similarity;
Step four: application system structure classification: once the path structures of all preliminarily defined application systems are identified, they are compared for similarity and the application systems are classified accordingly, the comparison being required to be efficient;
Step five: application system definition calculation: perform precise similarity comparison on the classified, preliminarily defined application systems and calculate the precise application system definitions;
Step six: application system name merging: calculate the real application system name for the HOST in the log.
2. A traffic-based application system identification and definition method according to claim 1, characterized in that: in step one, the log restored from HTTP traffic contains the HTTP request header, request body, request URL, request method, response header and response content.
3. A traffic-based application system identification and definition method according to claim 1, characterized in that: in step two, the application system preprocessing comprises the following:
(1) extract the content of the HOST field from the request header of the log and use it as the preliminary application system name;
(2) in attack or scanning scenarios the preliminarily extracted application system names contain various malformed data, so the name is given a preliminary check at this step, and names in abnormal domain name, IPv4 or IPv6 formats are excluded.
4. A traffic-based application system identification and definition method according to claim 1, characterized in that: in step three, the application system structure identification comprises the following:
(1) extract the request URL from the log;
(2) calculate the MD5 value of the path of the request URL;
(3) calculate the path structure of the preliminarily defined application system, which comprises two fields: number of paths and path list.
5. A traffic-based application system identification and definition method according to claim 1, characterized in that: in step four, the application system structure classification comprises the following:
(1) exclude applications with too few URL paths: the traffic contains many applications that handle little business and whose similarity to one another is therefore very high, so these applications must be excluded;
(2) classify by the number of paths of each preliminarily defined application system, grouping together the applications that are more likely to match, to improve comparison performance.
6. A traffic-based application system identification and definition method according to claim 1, characterized in that: in step five, the application system definition calculation comprises the following:
(1) define the calculation formula: similarity = (number of identical paths between the applications) / (total number of paths of the application) × 100;
(2) compute the application definition data structure: the application system name, and the list of application system names to be merged.
7. A traffic-based application system identification and definition method according to claim 1, characterized in that: in step six, the application system name merging comprises the following:
(1) extract the HOST name from the log;
(2) traverse the application system definition list and check whether the HOST is in a merged application name list;
(3) if so, return the application name from the application definition configuration;
(4) if not, return the HOST name.
CN202011144215.2A 2020-10-23 2020-10-23 Application system identification and definition method based on flow Pending CN112291089A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011144215.2A CN112291089A (en) 2020-10-23 2020-10-23 Application system identification and definition method based on flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011144215.2A CN112291089A (en) 2020-10-23 2020-10-23 Application system identification and definition method based on flow

Publications (1)

Publication Number Publication Date
CN112291089A true CN112291089A (en) 2021-01-29

Family

ID=74424822

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011144215.2A Pending CN112291089A (en) 2020-10-23 2020-10-23 Application system identification and definition method based on flow

Country Status (1)

Country Link
CN (1) CN112291089A (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6286006B1 (en) * 1999-05-07 2001-09-04 Alta Vista Company Method and apparatus for finding mirrored hosts by analyzing urls
US20020042821A1 (en) * 1999-10-04 2002-04-11 Quantified Systems, Inc. System and method for monitoring and analyzing internet traffic
US6487555B1 (en) * 1999-05-07 2002-11-26 Alta Vista Company Method and apparatus for finding mirrored hosts by analyzing connectivity and IP addresses
US20040260787A1 (en) * 2003-06-19 2004-12-23 Nokia Corporation URL-format links in log records
US20050165889A1 (en) * 2000-10-04 2005-07-28 Urchin Software Corporation System and method for monitoring and analyzing internet traffic
WO2010116036A1 (en) * 2009-04-09 2010-10-14 Valtion Teknillinen Tutkimuskeskus Method and device for identifying applications which generate data traffic flows
US8055626B1 (en) * 2005-08-09 2011-11-08 Google Inc. Detecting mirrors on the web
US20120023127A1 (en) * 2010-07-23 2012-01-26 Kirshenbaum Evan R Method and system for processing a uniform resource locator
US20120047180A1 (en) * 2010-08-23 2012-02-23 Kirshenbaum Evan R Method and system for processing a group of resource identifiers
WO2014101402A1 (en) * 2012-12-31 2014-07-03 华为技术有限公司 Application identification method, and data mining method, device and system
US20140304401A1 (en) * 2013-04-06 2014-10-09 Citrix Systems, Inc. Systems and methods to collect logs from multiple nodes in a cluster of load balancers
US9178848B1 (en) * 2007-07-23 2015-11-03 Google Inc. Identifying affiliated domains
US20180007090A1 (en) * 2016-06-30 2018-01-04 Fortinet, Inc. Classification of top-level domain (tld) websites based on a known website classification
WO2018047027A1 (en) * 2016-09-12 2018-03-15 Politecnico Di Torino A method for exploring traffic passive traces and grouping similar urls
US20180109561A1 (en) * 2016-10-19 2018-04-19 Advanced Micro Devices, Inc. Systems and methods for trusted cluster attestation
US10616274B1 (en) * 2017-11-30 2020-04-07 Facebook, Inc. Detecting cloaking of websites using model for analyzing URL redirects
CN111368227A (en) * 2018-12-25 2020-07-03 阿里巴巴集团控股有限公司 URL processing method and device
CN111654489A (en) * 2020-05-27 2020-09-11 杭州迪普科技股份有限公司 Network security situation sensing method, device, equipment and storage medium

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6487555B1 (en) * 1999-05-07 2002-11-26 Alta Vista Company Method and apparatus for finding mirrored hosts by analyzing connectivity and IP addresses
US6286006B1 (en) * 1999-05-07 2001-09-04 Alta Vista Company Method and apparatus for finding mirrored hosts by analyzing urls
US20020042821A1 (en) * 1999-10-04 2002-04-11 Quantified Systems, Inc. System and method for monitoring and analyzing internet traffic
US20050165889A1 (en) * 2000-10-04 2005-07-28 Urchin Software Corporation System and method for monitoring and analyzing internet traffic
US20040260787A1 (en) * 2003-06-19 2004-12-23 Nokia Corporation URL-format links in log records
US8055626B1 (en) * 2005-08-09 2011-11-08 Google Inc. Detecting mirrors on the web
US9178848B1 (en) * 2007-07-23 2015-11-03 Google Inc. Identifying affiliated domains
WO2010116036A1 (en) * 2009-04-09 2010-10-14 Valtion Teknillinen Tutkimuskeskus Method and device for identifying applications which generate data traffic flows
US20120023127A1 (en) * 2010-07-23 2012-01-26 Kirshenbaum Evan R Method and system for processing a uniform resource locator
US20120047180A1 (en) * 2010-08-23 2012-02-23 Kirshenbaum Evan R Method and system for processing a group of resource identifiers
WO2014101402A1 (en) * 2012-12-31 2014-07-03 华为技术有限公司 Application identification method, and data mining method, device and system
US20140304401A1 (en) * 2013-04-06 2014-10-09 Citrix Systems, Inc. Systems and methods to collect logs from multiple nodes in a cluster of load balancers
US20180007090A1 (en) * 2016-06-30 2018-01-04 Fortinet, Inc. Classification of top-level domain (tld) websites based on a known website classification
WO2018047027A1 (en) * 2016-09-12 2018-03-15 Politecnico Di Torino A method for exploring traffic passive traces and grouping similar urls
US20180109561A1 (en) * 2016-10-19 2018-04-19 Advanced Micro Devices, Inc. Systems and methods for trusted cluster attestation
US10616274B1 (en) * 2017-11-30 2020-04-07 Facebook, Inc. Detecting cloaking of websites using model for analyzing URL redirects
CN111368227A (en) * 2018-12-25 2020-07-03 阿里巴巴集团控股有限公司 URL processing method and device
CN111654489A (en) * 2020-05-27 2020-09-11 杭州迪普科技股份有限公司 Network security situation sensing method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN109587008B (en) Method, device and storage medium for detecting abnormal flow data
CN110032583B (en) Fraudulent party identification method and device, readable storage medium and terminal equipment
CN110634471B (en) Voice quality inspection method and device, electronic equipment and storage medium
CN113254255B (en) Cloud platform log analysis method, system, device and medium
CN112506925A (en) Data retrieval system and method based on block chain
CN113949577A (en) Data attack analysis method applied to cloud service and server
CN111078513A (en) Log processing method, device, equipment, storage medium and log alarm system
CN112564991A (en) Application identification method and device and storage medium
CN113762377A (en) Network traffic identification method, device, equipment and storage medium
CN112118249A (en) Security protection method and device based on log and firewall
CN110427375A (en) The recognition methods of field classification and device
CN114676423B (en) Data processing method and server for dealing with cloud computing office threats
CN116055448A (en) Identification data management platform for electric power operation
CN106933919A (en) The connection method of tables of data and device
CN111625342A (en) Data tracing method, device and server
CN109857842B (en) Method and device for recognizing fault-reporting text
US11412063B2 (en) Method and apparatus for setting mobile device identifier
CN112291089A (en) Application system identification and definition method based on flow
CN116340172A (en) Data collection method and device based on test scene and test case detection method
CN111651987B (en) Identity discrimination method and device, computer readable storage medium and electronic equipment
CN110032596B (en) Method and system for identifying abnormal traffic user
CN111507397A (en) Abnormal data analysis method and device
CN112445939A (en) Social network group discovery system, method and storage medium
CN115994172B (en) Method, device, equipment and medium for determining service access relation
CN113489622B (en) Method, system, equipment and storage medium for extracting network equipment fingerprint

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210129
