CN114301644A - Network anomaly detection system and method - Google Patents


Publication number
CN114301644A
Authority
CN
China
Prior art keywords
data
exception
counter
network
host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111552377.4A
Other languages
Chinese (zh)
Other versions
CN114301644B (en)
Inventor
李永康
王洋
须成忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Institute of Advanced Technology of CAS
Original Assignee
Shenzhen Institute of Advanced Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Institute of Advanced Technology of CAS filed Critical Shenzhen Institute of Advanced Technology of CAS
Priority to CN202111552377.4A priority Critical patent/CN114301644B/en
Publication of CN114301644A publication Critical patent/CN114301644A/en
Application granted granted Critical
Publication of CN114301644B publication Critical patent/CN114301644B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network anomaly detection system comprising: a network card at the hardware layer; a network card driver, shared memory, receive-related hardware counters, send-related hardware counters, a data collection module and an exception handling module at the kernel layer; and an anomaly detection process at the application layer. The data collection module collects the data of the receiver's hardware counters; the shared memory shares the hardware counter data; the anomaly detection process uses the hardware counter data to detect whether an anomaly has occurred in the network; and the exception handling module handles the anomaly when one exists in the network. The invention also provides a network anomaly detection method. The system and method reduce the processor cost of continuously capturing data packets and detect network anomalies more accurately.

Description

Network anomaly detection system and method
Technical Field
The invention relates to a network anomaly detection system and a network anomaly detection method.
Background
When a data packet is transmitted over conventional Ethernet, it must be processed by the kernel network protocol stack before being sent to the network card; the processor takes part in the transfer, and multiple memory copies are made across the user-mode, kernel and network card layers. Remote Direct Memory Access (RDMA) uses a dedicated network card to offload packet processing and transmission to the card. The data transfer does not involve the processor, and the network card reads and writes application memory directly, which achieves zero-copy transfer with low latency and high bandwidth.
RDMA networks require dedicated network adapters (network cards), and the cards in common use today are produced by Mellanox. The company also provides a network card driver so that users can communicate over the card normally. To monitor anomalies and errors that arise while the card is in use, the driver exposes dozens of hardware counters that count them. The hardware counter data is stored in the port folder of the network card driver and includes counters for the whole device as well as counters for each port. Some counters also distinguish the sender from the receiver by name prefix; for example, in the actual hardware counters a receiver counter carries an rq prefix and a sender counter an sq prefix. RDMA makes this distinction possible because, in an RDMA network, a receiver that gets certain abnormal packets updates its receiver counter locally and returns an error to the sender, so the sender can update its own sender counter locally as well.
At present, network monitoring with hardware counters is concentrated in the conventional Ethernet field, where simple packet or traffic counts are used for traffic statistics and rate limiting. Many of these solutions require changes to the design of the network card itself and to the hardware protocol, which makes them hard to deploy and costly. The prior art also gives no detailed solution built on hardware counters and is limited to a single type of counter. To handle anomalies on conventional Ethernet, the prior art mostly analyzes captured packets and data streams and detects anomalies from experience or from irregularities in them. This requires constant collection of network traffic and packets, which affects server performance and puts load on the processor.
For RDMA networks, the same approach relies on RDMA packet capture software, and the captured packets must be reprocessed because of their format. Meanwhile, the widely used Mellanox network card driver provides a large number of hardware counters for the card; they count not only the number of packets transmitted and the traffic volume but also provide a large amount of data for monitoring packet errors. These counters are currently unused.
Disclosure of Invention
Accordingly, a network anomaly detection system and method are needed.
The invention provides a network anomaly detection system comprising: a network card at the hardware layer; a network card driver, shared memory, receive-related hardware counters, send-related hardware counters, a data collection module and an exception handling module at the kernel layer; and an anomaly detection process at the application layer. The data collection module collects the data of the receiver's hardware counters; the shared memory shares the hardware counter data; the anomaly detection process uses the hardware counter data to detect whether an anomaly has occurred in the network; and the exception handling module handles the anomaly when one exists in the network.
Specifically, the data collection module is configured to: periodically collect the data of all hardware counters related to anomalies or errors, evaluate the data volume while collecting, and send a notification to the user-mode anomaly detection process when the data volume is higher than the normal value;
where the data is the difference accumulated between the current collection time and the previous collection time.
Specifically, the shared memory is bound at system initialization and is used to share the per-period hardware counter data between the data collection module and the anomaly detection process. It remains valid for as long as the system is running, is not occupied by other processes on the operating system, and is not swapped out to disk.
Specifically, on receiving an exception notification from the kernel, the anomaly detection process first determines the exception type, which the system defines according to the combination of counters. For type 00000, it outputs the anomaly information to the user, who judges and handles it. For any other exception type, the process immediately creates a new thread, the exception judgment thread, which checks whether each binary bit of the exception type is 1 to determine which counters are abnormal.
Specifically, the anomaly detection process is specifically configured to:
(1) when only the port-discarded packet counter is abnormal, first test the latency and availability of the connections to other hosts: if the latency is high, congestion is assumed and the other hosts are reminded to temporarily slow down their sending rate; if the latency is not high, it is very likely that a malicious host is forging packets and continuously trying to break the connections of other hosts, in which case the exception handling process sends a request to the other hosts over Ethernet, checks the number and trend of connections of the local virtual machines during the period together with the anomaly information of the local counters, and cuts off the connection in time;
(2) when the access error counter shows a value greater than 2, packets are carrying a wrong remote memory access key, which indicates a potential threat of forged packets stealing information, and the exception type is sent to all hosts of the cluster for further processing;
(3) if only one of the repeat request number counter and the out-of-order request number counter is abnormal, with a value of less than 4, the event is considered a temporary network fluctuation and no additional handling is needed;
(4) when the repeat request number and the out-of-order request number show more than 3 and the port-discarded packet counter reads 0 for the period, this indicates a potential threat of forged packets stealing information: a malicious program has obtained the other key information in the packet, has not yet guessed the request number correctly, and keeps trying to crack it; the exception type is sent to all hosts of the cluster for further processing.
Specifically, the exception handling module is specifically configured to:
on receiving a notification of an exception type from another host, read the sender-related hardware counter data in the local system and compare the local data for the hardware counter corresponding to that exception type.
Specifically, the exception handling module is further specifically configured to:
check the data of the local sender-side remote access error counter; if a large, abnormal amount of data appears during the period, the malicious access was sent from the local host, which then sends its host identifier and the exception type to the victim host to notify it; the victim temporarily cuts off the communication port for that host, refuses access from its network address and host identifier, and raises an alarm to the user; once the malicious program has been dealt with, the communication port is restored.
The invention provides a network anomaly detection method, comprising: the data collection module periodically collects the per-period data of the receiver-related hardware counters; when the counter data is not 0, the anomaly detection module is notified; on receiving the notification, the anomaly detection module creates a thread, which determines the exception type; if the anomaly is caused by one of the special hardware counters, each bit of the exception type is examined further to determine which anomaly occurred; the host communicates with the other hosts on the cluster over Ethernet, notifying them that an anomaly has occurred and of its type; the exception handling modules on the other hosts check their local sender-related hardware counters and compare them with the victim host's exception type; if a host's own counter has data, the anomaly was caused by that host, which then reports its identifier; and the victim host denies access to the malicious host by blocking its network identifier and raises an alarm to the user.
Specifically, the method further comprises:
if the anomaly is caused by an ordinary counter, an alarm is raised directly to the user.
Specifically, the method further comprises:
if not, the process ends.
Compared with the prior art, the present application makes full use of the network card hardware counters provided by the Mellanox network card driver to monitor and judge network anomalies. Packet traffic does not have to be monitored, which reduces the processor cost of monitoring traffic and data and gives a performance advantage. In addition, network anomalies are detected by combining the characteristics of remote direct memory access with the counters provided by the driver, so anomalies are identified more accurately and in finer detail.
Drawings
FIG. 1 is a diagram of a network anomaly detection system according to a preferred embodiment of the present invention;
FIG. 2 is a diagram illustrating a representative counter for each bit in a 5-bit binary exception access type according to an embodiment of the present invention;
FIG. 3 is a flowchart of a network anomaly detection method according to an embodiment of the present invention.
Detailed Description
The application assumes that the malicious program has not obtained root privileges on the host and launches its attacks only as a user-level application.
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a diagram illustrating an architecture of a network anomaly detection system according to a preferred embodiment of the present invention.
The network anomaly detection system includes: a Mellanox network card at the hardware layer; a Mellanox network card driver, shared memory, receive-related hardware counters, send-related hardware counters, a data collection module and an exception handling module at the kernel layer; and an anomaly detection process at the application layer. Wherein:
the data collection module collects the data of the receiver's hardware counters; the shared memory shares the counter data; the anomaly detection process detects anomalies; and the exception handling module handles them.
Each machine in the cluster stores the information and unique identifier of every machine in the cluster. When a new machine joins, it provides its identifier and network address to all other machines and the stored information is updated; this update is carried over conventional Ethernet. Note that identifiers are assigned by a controller on the cluster and ordinary hosts have no right to change them, which ensures that access from a host can always be denied.
The components are explained one by one below:
The data collection module is a kernel-level module implemented in the operating system kernel. Its main tasks are: (1) periodically collecting the data of all hardware counters related to anomalies or errors, where the data is the difference between the current collection time and the previous collection time; and (2) evaluating the data volume while collecting, and sending a notification to the user-mode anomaly detection process when the data volume is more than 6.
This embodiment delivers the exception notification over netlink, the system facility for bidirectional full-duplex communication between kernel mode and user mode. The notification carries the exception type for the anomaly detection process to handle. This embodiment uses a 5-bit binary number to identify the exception type.
Here 00000 represents an anomaly in counters other than the five handled specially. Each binary bit set to 1 (that is, 10000, 01000, 00100, 00010 and 00001) represents an anomaly caused by, respectively, the repeat request number counter, the out-of-order request number counter, the invalid access counter, the access error counter and the port-discarded packet counter; see FIG. 2. The type can also identify several abnormal counters at once; for example, when both the repeat request number counter and the out-of-order request number counter are abnormal, the type is 11000.
The shared memory is bound at system initialization and is used to share the per-period hardware counter data between the data collection module and the anomaly detection process. It remains valid for as long as the system is running and cannot be occupied by other processes on the operating system or swapped out to disk.
The anomaly detection process runs in user mode as a daemon that handles anomalies. At initialization it sends its own process ID to the data collection thread so that the thread can deliver exception notifications to it. On receiving an exception notification from the kernel, the process first determines the exception type. For type 00000 it outputs the anomaly information to the user (the possible network anomaly and the data of the corresponding hardware counters for the period, read from the shared memory), and the user judges and handles it. For any other type, the process immediately creates a new thread (the exception handling thread), which checks whether each binary bit of the exception type is 1 to determine which counters are abnormal. Based on experience, this embodiment classifies the cases as follows:
(1) When only the port-discarded packet counter is abnormal (the 5th bit of the exception type is set), first test the latency and availability of the connections to other hosts. If the latency is relatively high, congestion is assumed and the other hosts are reminded to temporarily slow down their sending rate. If the latency is not high, it is likely that a malicious host is forging packets and trying to break the connections of other hosts. In that case the exception handling process sends a request to the other hosts over Ethernet, checks the number and trend of connections of the local virtual machines during the period together with the anomaly information of the local counters, and cuts off the connection in time.
(2) When the access error counter shows a value greater than 2 (exception type 00010), packets are carrying a wrong remote memory access key. This is a potential threat of forged packets stealing information, so the exception type is sent to all hosts of the cluster for further processing.
(3) If only one of the repeat request number counter and the out-of-order request number counter is abnormal, with a value of less than 4 (that is, the exception type is 10000 or 01000), the event can be considered a temporary network fluctuation and no additional handling is needed.
(4) When the repeat request number and the out-of-order request number show more than 3 anomalies and the port-discarded packet counter reads 0 for the period (that is, the exception type is 10000, 01000 or 11000), this indicates a potential threat of forged packets stealing information. The malicious program has obtained the other key information in the packet, has not yet guessed the request number correctly, and keeps trying to crack it. The exception type is therefore sent to all hosts of the cluster for further processing.
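The per-period difference, the 5-bit exception type and rules (1) to (4) can be put together as follows. This is an added example, not code from the patent: the struct fields and verdict names are hypothetical, a bit is set whenever a counter moved during the period, rule (4) is read as "either request-number counter exceeds 3", and combinations the text does not classify are reported to the user.

```c
#include <stdint.h>
#include <stdio.h>

/* 5-bit exception type, leftmost bit first, as the description assigns it. */
enum {
    EXC_DUP_REQ      = 0x10, /* 10000 repeat request number counter       */
    EXC_OUT_OF_ORDER = 0x08, /* 01000 out-of-order request number counter */
    EXC_INVALID_ACC  = 0x04, /* 00100 invalid access counter              */
    EXC_ACCESS_ERR   = 0x02, /* 00010 access error counter                */
    EXC_PORT_DISCARD = 0x01  /* 00001 port-discarded packet counter       */
};

/* Cumulative receiver-side counter values; field names are hypothetical. */
struct rx_counters {
    uint64_t dup_req, out_of_order, invalid_access, access_err, port_discard;
};

enum verdict {
    V_REPORT_TO_USER,  /* 00000, or a combination the text does not classify */
    V_TRANSIENT,       /* rule 3: temporary fluctuation, no handling         */
    V_CONGESTION,      /* rule 1, latency high: ask peers to slow down       */
    V_SUSPECT_FORGERY, /* rule 1, latency normal: query peers, cut link      */
    V_BROADCAST        /* rules 2 and 4: send the type to the whole cluster  */
};

/* Difference of one counter over the period. A counter that went backwards
 * is assumed to have been reset (e.g. driver reload), so count from zero. */
static uint64_t delta(uint64_t prev, uint64_t cur)
{
    return cur >= prev ? cur - prev : cur;
}

struct rx_counters period_delta(const struct rx_counters *p,
                                const struct rx_counters *c)
{
    struct rx_counters d;
    d.dup_req        = delta(p->dup_req, c->dup_req);
    d.out_of_order   = delta(p->out_of_order, c->out_of_order);
    d.invalid_access = delta(p->invalid_access, c->invalid_access);
    d.access_err     = delta(p->access_err, c->access_err);
    d.port_discard   = delta(p->port_discard, c->port_discard);
    return d;
}

/* Set one bit per counter that moved during the period. */
unsigned exception_type(const struct rx_counters *d)
{
    unsigned t = 0;
    if (d->dup_req)        t |= EXC_DUP_REQ;
    if (d->out_of_order)   t |= EXC_OUT_OF_ORDER;
    if (d->invalid_access) t |= EXC_INVALID_ACC;
    if (d->access_err)     t |= EXC_ACCESS_ERR;
    if (d->port_discard)   t |= EXC_PORT_DISCARD;
    return t;
}

/* Render the type as the 5-character string used in the text. */
const char *type_str(unsigned t, char out[6])
{
    for (int i = 0; i < 5; i++)
        out[i] = (t & (0x10u >> i)) ? '1' : '0';
    out[5] = '\0';
    return out;
}

enum verdict triage(const struct rx_counters *d, int latency_high)
{
    unsigned t = exception_type(d);
    unsigned req_bits = EXC_DUP_REQ | EXC_OUT_OF_ORDER;

    if (t == 0)
        return V_REPORT_TO_USER;
    if (t == EXC_PORT_DISCARD)                        /* rule 1 */
        return latency_high ? V_CONGESTION : V_SUSPECT_FORGERY;
    if ((t & EXC_ACCESS_ERR) && d->access_err > 2)    /* rule 2 */
        return V_BROADCAST;
    if ((t & ~req_bits) == 0) {     /* only request-number bits, discards 0 */
        if (d->dup_req > 3 || d->out_of_order > 3)    /* rule 4 */
            return V_BROADCAST;
        if (t != req_bits)                            /* rule 3: one counter, < 4 */
            return V_TRANSIENT;
    }
    return V_REPORT_TO_USER;
}

int main(void)
{
    /* Constructed samples: two consecutive reads of the same port. */
    struct rx_counters prev = { 100, 50, 0, 7, 20 };
    struct rx_counters cur  = { 105, 50, 0, 7, 20 };
    struct rx_counters d = period_delta(&prev, &cur);
    char buf[6];

    printf("type=%s verdict=%d\n", type_str(exception_type(&d), buf),
           (int)triage(&d, 0));
    return 0;
}
```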
The exception handling module receives notifications of exception types from other hosts and handles them, as follows:
As mentioned above, an anomaly detected in the receiver's hardware counters is often caused by a malicious program on the sending side, so the exception handling module receives notifications about the exception type from other hosts. It then reads the sender-related hardware counter data in the local system and compares the local data for the hardware counter corresponding to the exception type. For example, when the access error counter shows a value greater than 2 (exception type 00010), the exception handling module checks the local sender-side remote access error counter. If a large, abnormal amount of data appears during the period, the malicious access was sent from the local host. The host then sends its host identifier and the exception type to the victim host to notify it; the notification travels over conventional Ethernet. The victim temporarily cuts off the communication port for that host, refuses access from its network address and host identifier, and raises an alarm to the user. Once the malicious program has been dealt with, the communication port is restored.
Fig. 3 is a flow chart of a network anomaly detection method according to a preferred embodiment of the present invention.
The data collection module periodically collects the per-period data of the receive-related hardware counters.
When the counter data is not 0, it notifies the anomaly detection module through netlink.
On receiving the notification, the anomaly detection module creates a thread to handle it. The thread first determines the exception type; if the anomaly is caused by an ordinary counter, an alarm is raised directly to the user.
If it is caused by one of the special counters selected in this embodiment, each bit of the exception type is examined further to determine which anomaly occurred.
The host then communicates with the other hosts on the cluster over Ethernet, notifying them that an anomaly has occurred and of its type.
The exception handling modules on the other hosts check their local sender-related hardware counters and compare them with the victim host's exception type. If a host's own counter has data, the anomaly was caused by that host, which then reports its identifier to the victim. If not, the process ends.
The victim host then denies access to the malicious host by blocking its network identifier and raises an alarm to the user.
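The cluster-side half of the flow (broadcast of the exception type, each peer's check of its own sender-side counters, the victim's deny list and the later restore) is simulated below in a single process. This is an added example, not code from the patent: the structs, the indexing of sender-side counters by bit position, the fixed-size deny list and the addresses are all assumptions, and in the described system each peer runs its own check and reports over Ethernet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXC_BITS 5
#define MAX_DENY 8

/* One cluster member. tx_delta[] is the per-period change of its sender-side
 * counters, index 0 = leftmost bit (10000) ... index 4 = 00001 (assumed layout). */
struct host {
    uint32_t id;                  /* identifier assigned by the cluster controller */
    uint32_t addr;                /* network address (constructed values below)    */
    uint64_t tx_delta[EXC_BITS];
};

struct denylist {
    uint32_t id[MAX_DENY];
    uint32_t addr[MAX_DENY];
    size_t n;
};

/* Peer side: did any sender-side counter named by the victim's exception
 * type move during the period? */
int peer_caused(const struct host *h, unsigned exc_type)
{
    for (int i = 0; i < EXC_BITS; i++)
        if ((exc_type & (0x10u >> i)) && h->tx_delta[i] != 0)
            return 1;
    return 0;
}

/* Victim side: access is refused if either the identifier or the address matches. */
int is_denied(const struct denylist *dl, uint32_t id, uint32_t addr)
{
    for (size_t i = 0; i < dl->n; i++)
        if (dl->id[i] == id || dl->addr[i] == addr)
            return 1;
    return 0;
}

/* Victim side: "broadcast" exc_type and deny every peer that reports itself.
 * Returns the number of hosts newly denied; 0 means the process ends. */
size_t handle_exception(struct denylist *dl, const struct host *peers,
                        size_t n, unsigned exc_type)
{
    size_t added = 0;

    if (exc_type == 0)            /* 00000 goes to the user, not to the cluster */
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (!peer_caused(&peers[i], exc_type))
            continue;
        if (is_denied(dl, peers[i].id, peers[i].addr))
            continue;             /* already blocked in an earlier period */
        if (dl->n == MAX_DENY)
            break;                /* list full: left to the user alarm */
        dl->id[dl->n] = peers[i].id;
        dl->addr[dl->n] = peers[i].addr;
        dl->n++;
        added++;
    }
    return added;
}

/* Restore a host once the malicious program has been dealt with. */
int restore_host(struct denylist *dl, uint32_t id)
{
    for (size_t i = 0; i < dl->n; i++) {
        if (dl->id[i] != id)
            continue;
        dl->n--;
        dl->id[i] = dl->id[dl->n];
        dl->addr[i] = dl->addr[dl->n];
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed cluster: host 2 shows sender-side remote access errors. */
    struct host peers[] = {
        { 1, 0x0a000001u, { 0, 0, 0, 0, 0 } },
        { 2, 0x0a000002u, { 0, 0, 0, 40, 0 } },
        { 3, 0x0a000003u, { 5, 0, 0, 0, 0 } },
    };
    struct denylist dl = { { 0 }, { 0 }, 0 };
    size_t n = handle_exception(&dl, peers, 3, 0x02);   /* type 00010 */

    printf("newly denied: %zu, host 2 denied: %d\n",
           n, is_denied(&dl, 2, 0x0a000002u));
    return 0;
}
```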
The application determines the type and the source of a potential network anomaly by monitoring fluctuations in the hardware counters provided by the Mellanox network card driver. It is applicable to clusters based on Remote Direct Memory Access (RDMA) networks. Through interaction among the interconnected machines in the cluster and their locally stored connection information, it can contact the problem machine promptly to resolve the network anomaly and safeguard the cluster's communication environment.
The system uses the series of hardware counters provided by the Mellanox network card driver, analyzes them periodically, and, by distinguishing receiver counters from sender counters, lets the machines in the cluster cooperate to detect and handle anomalies on the RDMA network. This reduces the processor cost of continuously capturing packets, and because the counters are provided by the network card driver, anomaly analysis is more accurate.
Although the present invention has been described with reference to the presently preferred embodiments, it will be understood by those skilled in the art that the foregoing description is illustrative only and is not intended to limit the scope of the invention, as claimed.

Claims (10)

1. A network anomaly detection system, the system comprising: a network card at the hardware layer; a network card driver, shared memory, receive-related hardware counters, send-related hardware counters, a data collection module and an exception handling module at the kernel layer; and an anomaly detection process at the application layer, characterized in that:
the data collection module is used for collecting the data of the hardware counter of the receiver;
the shared memory is used for sharing the hardware counter data;
the anomaly detection process is used for detecting whether an anomaly problem occurs in the network or not through the data of the hardware counter;
the exception handling module is used for handling exception problems when the exception exists in the network.
2. The system of claim 1, wherein the data collection module is configured to: collecting data of all hardware counters related to abnormity or errors regularly, judging data quantity while collecting the data, and sending a notice to an abnormity detection process in a user state when the data quantity is higher than a normal value;
and the data is the data difference in the time period between the time point of the current time and the time point collected last time.
3. The system of claim 2, wherein the shared memory is bound at system initialization for sharing data for a period of time on a hardware counter between the data collection module and the exception detection process, and wherein the shared memory is always valid when the system is turned on, and is not occupied by other processes on the operating system and is not swapped out to the hard disk.
4. The system according to claim 3, wherein the exception detection process, when receiving an exception notification from the kernel, first determines the type of the exception, which is defined by the system according to the value of the counter, and for the type 00000, outputs the exception information to the user, which is determined and processed by the user; for other exception types, the exception detection process immediately creates a new thread, namely an exception judgment thread, for processing, and the thread judges whether each binary bit on the exception type data is 1 or not to judge which counters are abnormal.
5. The system of claim 4, wherein the anomaly detection process is specifically configured to:
when the message counter discarded by only the port is abnormal, the delay and the availability connected with other hosts are tested firstly: when the delay is higher, the occurrence of congestion is determined, and other hosts are reminded to temporarily slow down the speed of sending the data packet; if the delay is not so high, it is very likely that a malicious host forges a data packet and continuously tries to break the connection of other hosts, at this time, the exception handling process sends a request to other hosts by using the Ethernet, checks the connection number and trend of the local virtual machine in the period and the exception information of the local counter, and cuts off the connection in time;
when the access error counter has data larger than 2, it shows that the data packet carries an erroneous remote memory access key, which is a threat of information stealing by a potential forged data packet, and the abnormal type is sent to all the hosts of the cluster for further processing;
if only one of the repeated request number counter and the out-of-order request number counter has less than 4 abnormal data, the network is considered to be temporary network fluctuation, and no additional processing is needed;
when the number of the repeated requests and the number of the out-of-order requests are more than 3, and the count of the message counter discarded by the port in the period is 0, the threat that the information is stolen by a potential fake data packet is shown, a malicious program has taken other key information in the data packet, and only the request number in the remaining data packet is not guessed correctly, and the request number is tried to be cracked all the time, the abnormal type is sent to all the host computers of the cluster for further processing.
6. The system of claim 5, wherein the exception handling module is specifically configured to:
when receiving the notice of other host about the abnormal type, reading the hardware counter data related to the sending end in the local system, and comparing with the local system according to the hardware counter corresponding to the abnormal type.
7. The system of claim 6, wherein the exception handling module is further specifically configured to:
checking data of a remote access error counter of a sending end in a local machine, if the data volume is large and abnormal in the period, indicating that the malicious access is sent from the local machine, sending a host identification and an abnormal type of the malicious access to a victim host, and informing the victim; the victim temporarily cuts off the communication port of the corresponding host, refuses the access of the network address and the host identifier and gives an alarm to the user; and after the abnormal malicious program is processed, recovering the communication port.
8. A network anomaly detection method using the network anomaly detection system according to claim 1, said method comprising:
the data collection module periodically collects data of a hardware counter related to a receiver in a time period;
when the data of the counter is not 0, the abnormal detection module is informed;
the abnormity detection module creates a thread for processing after receiving the notification, and the thread judges the abnormity type;
if the abnormal condition is caused by the special hardware counter, each bit in the abnormal type is further judged, so that the abnormal condition is determined;
the host and other hosts on the cluster use Ethernet communication to inform other hosts that an exception occurs and inform the exception type;
the exception handling modules on other hosts check local hardware counters related to a sender, and compare the local hardware counters with the exception types of the victim host;
if the counter of the host has data, the abnormal condition caused by the host is described, and then the self identification of the host is notified;
and the victim host refuses the access of the malicious host by forbidding the network identification and gives an alarm to the user.
9. The method of claim 8, wherein the method further comprises:
and if the abnormal condition is caused by the common counter, directly alarming with the user.
10. The method of claim 9, wherein the method further comprises:
if not, the process ends.
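The flow of claims 8 to 10, as a small simulation added here for illustration; it is not part of the patent text. The counter names, the bit layout of the anomaly type and the receiver-to-sender counter mapping are assumptions, since the claims define none of them, and the Ethernet notification is modelled as a direct function call.

```python
# Simulation of the claim 8-10 flow. Counter names, the bit layout and the
# receiver-to-sender mapping are constructed; the claims define none of them.
SPECIAL_BITS = {"rx_remote_access_err": 0b001, "rx_out_of_sequence": 0b010}
SENDER_COUNTER = {0b001: "tx_remote_access_err", 0b010: "tx_packet_seq_err"}

def classify(rx_delta):
    """Split non-zero receiver counters into an anomaly-type bitmask
    (special counters) and a list of common counters."""
    mask, common = 0, []
    for name, delta in rx_delta.items():
        if delta == 0:
            continue
        if name in SPECIAL_BITS:
            mask |= SPECIAL_BITS[name]
        else:
            common.append(name)
    return mask, common

def peer_check(host_id, tx_delta, anomaly_type):
    """Runs on every other host: examine each bit of the reported anomaly
    type and answer with our own id if the matching sender counter has data."""
    for bit, counter in SENDER_COUNTER.items():
        if anomaly_type & bit and tx_delta.get(counter, 0) > 0:
            return host_id
    return None

def detect_round(victim_rx, peers):
    """One collection period on the victim. peers maps host id to that
    host's sender-side counter deltas. Returns (alarms, blocked_hosts)."""
    mask, common = classify(victim_rx)
    alarms, blocked = [], set()
    if not mask and not common:          # every counter is 0: process ends
        return alarms, blocked
    alarms += [f"common counter {name} is non-zero" for name in common]
    if mask:                             # broadcast the type, collect replies
        replies = [peer_check(h, tx, mask) for h, tx in peers.items()]
        for host_id in filter(None, replies):
            blocked.add(host_id)         # refuse access from the self-reported host
            alarms.append(f"blocked {host_id}, anomaly type {mask:#05b}")
    return alarms, blocked

# Constructed sample: host-b caused remote access errors on the victim.
SAMPLE_RX = {"rx_remote_access_err": 37, "rx_out_of_sequence": 0, "rx_crc_err": 2}
SAMPLE_PEERS = {"host-b": {"tx_remote_access_err": 37},
                "host-c": {"tx_remote_access_err": 0, "tx_packet_seq_err": 5}}

if __name__ == "__main__":
    print(detect_round(SAMPLE_RX, SAMPLE_PEERS))
```

In this sample host-c is not blocked even though one of its sender counters has data, because that counter does not match any bit set in the victim's anomaly type. Attribution in this scheme rests on each peer reporting its own sender-side counters.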

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111552377.4A CN114301644B (en) 2021-12-17 2021-12-17 Network anomaly detection system and method

Publications (2)

Publication Number Publication Date
CN114301644A true CN114301644A (en) 2022-04-08
CN114301644B CN114301644B (en) 2024-03-19

Family

ID=80968254

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111552377.4A Active CN114301644B (en) 2021-12-17 2021-12-17 Network anomaly detection system and method

Country Status (1)

Country Link
CN (1) CN114301644B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103248467A (en) * 2013-05-14 2013-08-14 中国人民解放军国防科学技术大学 In-chip connection management-based RDMA communication method
CN107733837A (en) * 2016-08-11 2018-02-23 杭州迪普科技股份有限公司 Method for detecting abnormality and device based on application layer Network Abnormal message
CN109165519A (en) * 2018-09-12 2019-01-08 杭州和利时自动化有限公司 A kind of method and system based on controller defending against network storm
CN109194499A (en) * 2018-08-01 2019-01-11 湖北微源卓越科技有限公司 Network data flow frequency converter method
US20200287922A1 (en) * 2019-03-08 2020-09-10 Cisco Technology, Inc. Anomaly detection for a networking device based on monitoring related sets of counters
CN113364652A (en) * 2021-06-30 2021-09-07 脸萌有限公司 Network card flow testing method, device, network equipment, system and readable medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726633A (en) * 2022-04-14 2022-07-08 中国电信股份有限公司 Flow data processing method and device, storage medium and electronic equipment
CN114726633B (en) * 2022-04-14 2023-10-03 中国电信股份有限公司 Traffic data processing method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN114301644B (en) 2024-03-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant