CN115412462B - Detection method for inter-domain route interruption - Google Patents

Detection method for inter-domain route interruption Download PDF

Info

Publication number
CN115412462B
CN115412462B CN202211359410.6A CN202211359410A CN115412462B CN 115412462 B CN115412462 B CN 115412462B CN 202211359410 A CN202211359410 A CN 202211359410A CN 115412462 B CN115412462 B CN 115412462B
Authority
CN
China
Prior art keywords
prefix
autonomous domain
autonomous
domain
library
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211359410.6A
Other languages
Chinese (zh)
Other versions
CN115412462A (en
Inventor
张沛
黄小红
文柯达
张毓
何方舟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications filed Critical Beijing University of Posts and Telecommunications
Priority to CN202211359410.6A priority Critical patent/CN115412462B/en
Publication of CN115412462A publication Critical patent/CN115412462A/en
Application granted granted Critical
Publication of CN115412462B publication Critical patent/CN115412462B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0811Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/02Topology update or discovery
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/02Topology update or discovery
    • H04L45/04Interdomain routing, e.g. hierarchical routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/74Address processing for routing
    • H04L45/745Address table lookup; Address filtering

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a method for detecting inter-domain route interruption, which comprises the steps of obtaining a route updating message from a boundary router at intervals of preset time; updating an autonomous domain prefix visibility library according to an originating autonomous domain in the message, a prefix corresponding to the originating autonomous domain and an autonomous domain to which the boundary router belongs; determining prefix visibility characteristics and autonomous domain visibility characteristics of the current time period based on the updated autonomous domain prefix visibility library; the prefix visibility characteristics and the autonomous domain visibility characteristics in the current time period and the historical time period are respectively input into a preset dynamic prefix detection model and a preset dynamic autonomous domain detection model, the dynamic prefix detection model outputs the detection result of whether the prefix is interrupted, and the dynamic autonomous domain detection model outputs the detection result of whether the autonomous domain is interrupted. The method and the device detect whether inter-domain route interruption occurs or not from the prefix and the dimension of the starting autonomous domain, and can accurately detect the time and the position of the interruption.

Description

Detection method for inter-domain route interruption
Technical Field
The embodiment of the application relates to the technical field of networks, in particular to a method for detecting inter-domain route interruption.
Background
With the rapid development of the internet, the number of Autonomous Systems (AS) is in an explosive growth trend, and the network topology is in a complicated and diversified trend. Routing information is exchanged between autonomous domains through a Border Gateway Protocol (BGP), when a link has sudden conditions such as interruption, error configuration, attack, and the like, a change in routing between autonomous domains is caused, and inter-domain routing interruption caused by some routing changes may cause connection interruption, bandwidth reduction, traffic congestion, and the like of an application service, which seriously affects the performance of the network and the service.
Disclosure of Invention
In view of this, an object of the embodiments of the present application is to provide a method for detecting inter-domain route interruption, which can detect inter-domain route interruption.
Based on the above purpose, an embodiment of the present application provides a method for detecting inter-domain route interruption, including:
acquiring a route updating message from a boundary router at intervals of preset time;
analyzing the route updating message to obtain an origin autonomous domain, a prefix corresponding to the origin autonomous domain and an autonomous domain to which the boundary router belongs;
updating a pre-constructed autonomous domain prefix visibility library according to the originating autonomous domain, the prefix corresponding to the originating autonomous domain and the autonomous domain to which the boundary router belongs; the autonomous domain prefix visibility library is constructed according to the acquired autonomous domain in the routing table, the prefix corresponding to the autonomous domain and the autonomous domain to which the border router belongs;
determining prefix visibility characteristics and autonomous domain visibility characteristics of the current time period based on the updated autonomous domain prefix visibility library; the prefix visibility characteristics are the number of autonomous domains to which the boundary routers corresponding to the prefixes belong, and the autonomous domain visibility characteristics are the number of autonomous domains to which the boundary routers of all the prefixes corresponding to the originating autonomous domains belong;
inputting the prefix visibility characteristic of the current time period and the prefix visibility characteristic recorded in the historical time period into a preset dynamic prefix detection model, and outputting a detection result of whether the prefix is interrupted by the dynamic prefix detection model;
and inputting the visibility characteristics of the autonomous domain in the current time period and the recorded visibility characteristics of the autonomous domain in the historical time period into a preset dynamic autonomous domain detection model, and outputting a detection result of whether the autonomous domain is interrupted or not by the dynamic autonomous domain detection model.
Optionally, the type of the route update packet is prefix declaration, and updating the autonomous domain prefix visibility library includes:
extracting the corresponding relation of the autonomous domain of origin, prefix and border router announced in the message;
updating a prefix autonomous domain library according to the announced prefix and the corresponding originating autonomous domain; the prefix autonomous domain library is constructed according to the prefixes in the routing table and the corresponding starting autonomous domains;
and updating the prefix visibility library of the autonomous domain according to the updated prefix autonomous domain library.
Optionally, the updating the prefix autonomous domain library according to the announced prefix and the corresponding originating autonomous domain includes:
inquiring the prefix autonomous domain library according to the announced prefix, and if no record of the prefix exists in the prefix autonomous domain library, adding the prefix and the corresponding originating autonomous domain into the prefix autonomous domain library;
the updating the prefix visibility library of the autonomous domain according to the updated prefix autonomous domain library comprises:
if the prefix exists in the prefix autonomous domain library, judging whether the originating autonomous domain corresponding to the prefix recorded in the prefix autonomous domain library is the same as the announced originating autonomous domain corresponding to the prefix, and if so, adding the corresponding relation of the announced prefix, the originating autonomous domain and the border autonomous domain into the autonomous domain prefix visibility library; and if not, deleting the autonomous domain to which the border router corresponding to the announced prefix belongs in the autonomous domain prefix visibility library.
Optionally, the type of the route update packet is prefix withdrawal, and updating the autonomous domain prefix visibility library includes:
extracting the corresponding relation between the withdrawn prefixes in the message and the autonomous domain to which the border router belongs;
inquiring the prefix autonomous domain library according to the withdrawn prefixes, and determining corresponding originating autonomous domains;
and deleting the corresponding relation of the autonomous domain, withdrawn prefixes and the autonomous domain to which the border router belongs, which is recorded in the autonomous domain prefix visibility library, according to the autonomous domain.
Optionally, the detection result is prefix interrupt and/or autonomous domain interrupt, and the method further includes:
comparing the interrupted origin autonomous domain with a preset important autonomous domain, and comparing the interrupted prefix with a preset important prefix;
when the autonomous domain of the interruption is judged to be an important autonomous domain and/or the prefix of the interruption is judged to be an important prefix according to the comparison result, determining the important domain name corresponding to the autonomous domain of the interruption and/or the prefix of the interruption;
and determining the network service influenced by the interrupted starting autonomous domain and/or the interrupted prefix according to the important domain name.
Optionally, the detection result is a plurality of autonomous domain interrupts, and the method further includes:
and clustering the starting autonomous domains of the interrupts according to a pre-constructed autonomous domain topological structure, and determining the associated autonomous domains of the interrupts.
Optionally, clustering the autonomous domains from which the interrupts originate according to a pre-constructed autonomous domain topology structure, and determining the associated autonomous domains of the interrupts, includes:
generating a region topological graph of a preset region according to the topological structure of the autonomous region; the area topological graph takes autonomous domains included in the preset area as nodes, and directed edges among the nodes are determined according to reachability among the autonomous domains;
according to the regional topological graph, weak connected components which take an interrupted self-control domain as nodes are determined;
and comparing the number of the nodes on the weak connected component with a preset number threshold, and if the number of the nodes is greater than the number threshold, taking each node on the weak connected component as an associated autonomous domain.
Optionally, the number threshold is a dynamic number threshold determined according to an average value and a standard deviation of the number of nodes in a certain time period.
Optionally, after determining the associated autonomous domain of the interrupt, the method further includes:
and determining the root autonomous domain in which the interruption occurs from the associated autonomous domain by using a preset ranking algorithm.
Optionally, determining, by using a preset ranking algorithm, a root autonomous domain in which an interruption occurs from the associated autonomous domain, where the determining includes:
constructing an associated directed graph by taking each associated autonomous domain as a node, wherein the direction of edges among the nodes is opposite to the direction of corresponding edges in the regional topological graph;
and iteratively calculating the weight value of each node in the associated directed graph by using the ranking algorithm, and taking the node with the maximum weight value as the root-originated autonomous domain.
As can be seen from the above, in the inter-domain route interruption detection method provided in the embodiment of the present application, the route update packet is obtained from the border router at predetermined intervals, the prefix visibility library of the autonomous domain is updated according to the content of the packet, and the prefix visibility feature and the visibility feature of the autonomous domain in the current time period are determined based on the updated prefix visibility library of the autonomous domain; inputting the prefix visibility characteristics in the current time period and the historical time period into a dynamic prefix detection model, outputting a detection result of whether the prefix is interrupted by the model, inputting the visibility characteristics of the autonomous domain in the current time period and the historical time period into the dynamic autonomous domain detection model, and outputting the detection result of whether the autonomous domain is interrupted by the model. The method and the device detect whether inter-domain route interruption occurs or not from the prefix and the dimension of the starting autonomous domain, and can accurately detect the time and the position of the interruption.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only the embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a prefix detection process according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an autonomous domain detection process according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the present application is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
As described in the background section, an inter-domain routing interruption will cause part of prefixes in the autonomous domain to be unreachable, resulting in an interruption of related network services, and finally causing the user to fail to use the corresponding network services normally. The related inter-domain route interruption detection method generally identifies the abnormal change of the dynamic update of the route through a statistical method, or extracts the characteristics of the update information of the route through a machine learning method, and uses the extracted characteristics to perform unsupervised learning or labeled supervised learning so as to distinguish the abnormal route event, and can also use the domain knowledge to analyze the characteristics of inter-domain route interruption and provide a corresponding search method. However, the above detection method can detect whether inter-domain route interruption occurs, and cannot accurately determine the position where the interruption occurs and the associated domain where the interruption occurs.
In view of this, embodiments of the present application provide a method for detecting inter-domain route interruption, where a location where route interruption occurs is determined based on dimensions of an autonomous domain and a prefix, and an associated autonomous domain where the route interruption occurs is detected based on a network topology result and is traced to a source accurately, so that accuracy of inter-domain route interruption detection can be improved.
Hereinafter, the technical means of the present application will be described in further detail by specific examples.
As shown in fig. 1, 2, and 3, an embodiment of the present application provides a method for detecting inter-domain route interruption, including:
s101: acquiring a route updating message from a boundary router at intervals of preset time;
s102: analyzing the route updating message to obtain an origin autonomous domain, a prefix corresponding to the origin autonomous domain and an autonomous domain to which the boundary router belongs;
in this embodiment, the monitoring device is used to periodically obtain the routing table and the routing update packet of the border router of each autonomous domain, so as to realize the collection of inter-domain routing information. In some modes, the monitoring device may be a predetermined router in a network space, and the router has certain computing resources and storage resources and has data acquisition and processing performance. Or directly acquiring the routing table and the routing update message of each autonomous domain from a third party organization. The routing table records complete routing information among autonomous domains, including reachable path AS path attribute of prefixes, corresponding relationship between an autonomous domain and a prefix corresponding to the autonomous domain (the autonomous domain is an autonomous domain announcing the prefix) and an autonomous domain to which a border router belongs (the autonomous domain to which the border router collecting the routing table and routing update messages belongs), and the like; the route update message records route update information such as prefix withdraw and prefix declaration of the route between autonomous domains, wherein the route update information comprises updated original autonomous domains and corresponding prefixes of the updated original autonomous domains and corresponding relations of autonomous domains to which the border routers belong. The specific data items of the routing table and the routing update message are not listed one by one.
Optionally, because the data volume of the complete routing table is large, the change rate of the data content is small, the data volume of the routing update message is small, and the data content is routing change information, the monitoring device may obtain the routing table once at a first time (for example, several hours) with a long interval, and obtain the routing update message once at a second time (for example, several minutes) with a short interval, thereby avoiding wasting resources.
S103: updating a pre-constructed autonomous domain prefix visibility library according to the originating autonomous domain, the prefix corresponding to the originating autonomous domain and the autonomous domain to which the boundary router belongs; the autonomous domain prefix visibility library is constructed according to the acquired autonomous domain in the routing table, the prefix corresponding to the autonomous domain and the autonomous domain to which the boundary router belongs;
in this embodiment, after the routing table is obtained, a prefix autonomous domain library is established according to the prefixes and their corresponding originating autonomous domains in the routing table, where all prefixes and originating autonomous domains corresponding to the prefixes are stored in the prefix autonomous domain library in a key-value pair form, and each key-value pair is: and taking the prefix as a key, taking the number of the starting autonomous domain corresponding to the prefix as a value, and if a plurality of starting autonomous domains corresponding to the prefix exist, taking the value as a set formed by the numbers of the plurality of starting autonomous domains.
After a prefix autonomous domain library is established, according to a preset important IP address, inquiring an important prefix matched with the important IP address from the prefix autonomous domain library, establishing an important prefix knowledge base comprising all the important prefixes, and according to the important prefixes in the prefix autonomous domain library and the corresponding originating autonomous domains thereof, establishing an important address knowledge base comprising all the important prefixes and the corresponding originating autonomous domains thereof.
In some embodiments, after obtaining the routing table, an autonomous domain prefix visibility library for maintaining a correspondence is established according to a correspondence between an autonomous domain from which a border router belongs, a prefix, and an autonomous domain to which the border router belongs in the routing table, where the meaning of the autonomous domain prefix visibility library may be understood as that an autonomous domain to which the border router belongs (or may be referred to as an autonomous domain to which an observation router belongs) notifies a monitoring device that the monitoring device finds a path to a certain prefix, and an end point of the path is an autonomous domain from which the prefix belongs. The autonomous domain prefix visibility library stores the corresponding relation among the autonomous domain, the prefix and the autonomous domain to which the border router belongs in a key value pair mode, and each key value pair is as follows: the number of the autonomous domain of origin is taken as a key, the corresponding prefix is taken as a secondary key, and the number of the autonomous domain to which the corresponding border router belongs is taken as a value. Since the originating autonomous domain may announce one or more prefixes, the originating autonomous domain may correspond to multiple prefixes; the same prefix may correspond to one or more autonomous domains to which the border router belongs (in some special cases, the same prefix is declared by a plurality of autonomous domains), and if there are a plurality of autonomous domains to which the border router corresponding to the prefix belongs, the value corresponding to the prefix as a secondary key is a set formed by the numbers of the autonomous domains to which the border routers belong. The key-value pairs in the autonomous domain prefix visibility library can be understood as which prefixes are announced by the originating autonomous domain and each prefix is observed by which autonomous domains the border routers belong to.
After establishing the prefix visibility base of the autonomous domain according to the routing table, updating the prefix visibility base of the autonomous domain according to the routing update message at a certain time interval. In some embodiments, the autonomous domain prefix visibility library is updated for route update packets whose update type is prefix announcement and prefix withdrawal.
The prefix declaration type routing update message can resolve the corresponding relation of the autonomous domain of the origin, the prefix and the border router; for the route updating message of the prefix announcement type, the method for updating the prefix visibility library of the autonomous domain comprises the following steps:
extracting the corresponding relation of the autonomous domain, the prefix and the autonomous domain to which the border router belongs, which are announced in the message;
updating a prefix autonomous domain library according to the prefix and the corresponding originating autonomous domain;
and updating the prefix visibility library of the autonomous domain according to the updated prefix autonomous domain library.
In this embodiment, for a route update packet of the prefix declaration type, a correspondence relationship between an origin autonomous domain where a prefix declaration occurs, a prefix, and an autonomous domain to which a border router belongs is extracted, where the correspondence relationship represents a prefix observed by the autonomous domain to which the border router belongs and the origin autonomous domain declaring the prefix. Then, updating a prefix autonomous domain library according to the prefixes and the corresponding originating autonomous domain; when updating, inquiring a prefix autonomous domain library according to the updated prefix, judging whether a key value pair corresponding to the prefix exists, and if not, adding the prefix and the corresponding starting autonomous domain into the prefix autonomous domain library; if yes, judging whether the starting autonomous domain corresponding to the prefix recorded in the prefix autonomous domain library is the same as the starting autonomous domain corresponding to the prefix in the message, and if so, adding the corresponding relation of the prefix, the starting autonomous domain and the boundary autonomous domain in the message into the autonomous domain prefix visibility library; if the two types of information are different, in the autonomous domain prefix visibility library, for the key value pair of the originating autonomous domain and the corresponding prefix in the message, the autonomous domain to which the corresponding border router belongs in the message is deleted, for example, the history observed by the autonomous domain 1 to which the border router belongs declares prefix 1 for the originating autonomous domain 1, and the history observed this time that the originating autonomous domain 2 declares prefix 1 needs to be deleted from the history of the autonomous domain 1 to which the border router belongs.
For the route updating message with the updating type of prefix withdrawal, the corresponding relation between the prefix and the autonomous domain to which the border router belongs can be analyzed; the method for updating the prefix visibility base of the autonomous domain comprises the following steps:
extracting the corresponding relation between the withdrawn prefixes in the message and the autonomous domain to which the border router belongs;
inquiring a prefix autonomous domain library according to the prefix, and determining a corresponding originating autonomous domain;
and deleting the corresponding relation of the autonomous domain, the withdrawn prefix and the autonomous domain to which the border router belongs, which is recorded in the autonomous domain prefix visibility library according to the autonomous domain.
In this embodiment, for the prefix withdrawal packet, the corresponding relationship between the withdrawn prefix in the packet and the autonomous domain to which the corresponding border router belongs is extracted, where the corresponding relationship represents a prefix that cannot be observed by the autonomous domain to which the border router belongs. Inquiring a prefix autonomous domain library according to the withdrawn prefixes in the message, determining an originating autonomous domain corresponding to the prefixes recorded in the prefix autonomous domain library, inquiring an autonomous domain prefix visibility library according to the recorded originating autonomous domain, judging whether a corresponding relation exists between the originating autonomous domain and the withdrawn prefixes in the message and between the originating autonomous domain and the autonomous domain to which the border router belongs, and if so, deleting the corresponding relation, namely deleting the autonomous domain to which the border router in the corresponding relation belongs.
S104: determining prefix visibility characteristics and autonomous domain visibility characteristics of the current time period based on the updated autonomous domain prefix visibility library; the prefix visibility characteristics are the number of autonomous domains to which the boundary routers corresponding to the prefixes belong, and the autonomous domain visibility characteristics are the number of autonomous domains to which the boundary routers of all the prefixes corresponding to the originating autonomous domains belong;
in this embodiment, after the prefix visibility library of the autonomous domain is updated according to the route update packet acquired at the predetermined time interval, based on the updated prefix visibility library of the autonomous domain, the number of autonomous domains to which the boundary router corresponding to each prefix in the library belongs is counted, that is, for the secondary key corresponding to each prefix in the library, the size of the autonomous domain set to which the boundary router corresponding to the secondary key belongs is counted, and the number of elements in the set is used as the prefix visibility feature of the corresponding prefix. Counting the number of autonomous domains to which the boundary router corresponding to each autonomous origin domain in the library belongs, namely determining all secondary keys corresponding to the keys for the keys corresponding to each autonomous origin domain in the library, counting the size of the autonomous domain set to which the boundary router corresponding to all the secondary keys belongs, and taking the sum of the number of elements in the set corresponding to all the secondary keys as the visibility characteristic of the autonomous domain corresponding to the autonomous origin autonomous domain.
S105: inputting the prefix visibility characteristic of the current time period and the prefix visibility characteristic recorded in the historical time period into a preset dynamic prefix detection model, and outputting a detection result of whether the prefix is interrupted by the dynamic prefix detection model;
in this embodiment, after extracting the prefix visibility feature of the current time period, the prefix visibility feature of the current time period and the prefix visibility feature of the historical time period recorded before are spliced into a prefix feature sequence according to a time sequence, a dynamic prefix detection model is input, the dynamic prefix detection model processes the input prefix feature sequence, and a detection result of whether a prefix corresponding to the prefix feature sequence is interrupted is output.
In some embodiments, a dynamic prefix detection model is constructed for each prefix, prefix visibility characteristics of a prefix within a period of time from a current time to a previous time are spliced into a prefix characteristic sequence of the prefix according to a time sequence, the prefix characteristic sequence is input into the dynamic prefix detection model corresponding to the prefix, and a detection result of whether the prefix is interrupted is output by the model.
The dynamic prefix detection model and the dynamic autonomous domain detection model can be obtained through training based on the long-short term memory network model. Taking a dynamic prefix detection model as an example, generating a training sample based on prefix visibility characteristics by adopting a sliding window mechanism, wherein the training sample comprises a historical prefix characteristic sequence and a label value, the historical prefix characteristic sequence is formed by prefix visibility characteristics in a certain time period, and the label value is a real characteristic value of the last characteristic value in the historical prefix characteristic sequence in the next time period; training by adopting a mean square error model optimization algorithm; after the training is finished, the average value and the standard deviation of the prediction error obtained in the last round of training of the long-short term memory network model are counted, and the error threshold of the model is determined according to the average value and the standard deviation, for example, the sum of the average value and the standard deviation of a preset multiple is used as the error threshold.
When the dynamic prefix detection model is used for prediction, the historical prefix characteristic sequence before the current time period and the prefix characteristic value of the current time period are input into the model, the model processes the input historical prefix characteristic sequence to obtain the predicted prefix characteristic value of the current time period, then the difference value between the predicted prefix characteristic value and the prefix characteristic value of the current time period is calculated, and if the difference value is larger than an error threshold value, the interruption of the prefix in the current time period can be judged. Wherein the historical prefix feature sequence is a prefix feature sequence determined within a certain time period before the current time period.
S106: and inputting the visibility characteristics of the autonomous domain in the current time period and the recorded visibility characteristics of the autonomous domain in the historical time period into a preset dynamic autonomous domain detection model, and outputting a detection result of whether the autonomous domain is interrupted or not by the dynamic autonomous domain detection model.
In this embodiment, after extracting the visibility feature of the autonomous domain in the current time period, the visibility feature of the autonomous domain in the current time period and the visibility feature of the autonomous domain in the past recorded time period are spliced into an autonomous domain feature sequence according to a time sequence, a dynamic autonomous domain detection model is input, the dynamic autonomous domain detection model processes the input autonomous domain feature sequence, and a detection result of whether the autonomous domain corresponding to the autonomous domain feature sequence is interrupted is output.
In some embodiments, a dynamic autonomous domain detection model is constructed for each autonomous domain, visibility features of autonomous domains within a period from a current time to a previous time are spliced into an autonomous domain feature sequence of the autonomous domain according to a time sequence, the autonomous domain feature sequence is input into the dynamic autonomous domain detection model corresponding to the autonomous domain, and a detection result of whether the autonomous domain is interrupted or not is output by the model.
In some embodiments, when the detection result output by the model is prefix interrupt and/or autonomous domain interrupt, the method further includes:
comparing the interrupted origin autonomous domain with a preset important autonomous domain, and comparing the interrupted prefix with a preset important prefix;
when the starting autonomous domain of the interruption is judged to be an important autonomous domain and/or the prefix of the interruption is judged to be an important prefix according to the comparison result, determining the important domain name corresponding to the interrupted autonomous domain and/or the interrupted prefix;
based on the important domain names, network services affected by the disrupted autonomous domain and/or disrupted prefix are determined.
In this embodiment, when the dynamic prefix detection model outputs prefix interrupt and/or the dynamic autonomous domain detection model outputs autonomous domain interrupt, the network service affected by the prefix and/or autonomous domain interrupt may be further determined according to the prefix and/or autonomous domain interrupt.
In some embodiments, important domain names and important IP addresses of important websites are obtained through analysis by a specific organization or by capturing network traffic, an important domain name knowledge base including all important domain names is established, and an important address knowledge base including all important IP addresses is established. Based on the important address knowledge base, matching prefixes in the prefix autonomous domain base with important IP addresses in the important address knowledge base, taking prefixes matched with the important IP addresses as the important prefixes, establishing the important prefix knowledge base comprising all the important prefixes, inquiring the prefix autonomous domain base according to the important prefixes to obtain the originating autonomous domain corresponding to the important prefixes, taking the inquired originating autonomous domain as the important autonomous domain, and establishing the important autonomous domain knowledge base comprising all the important autonomous domains.
After the interrupted prefix is determined through model detection, the interrupted prefix is matched with each important prefix in an important prefix knowledge base, and whether the interrupted prefix is an important prefix or not is determined. And after determining the interrupted autonomous domain through model detection, matching the interrupted autonomous domain with each important autonomous domain in an important autonomous domain knowledge base to determine whether the interrupted autonomous domain is an important autonomous domain. If the interrupted prefix is an important prefix and/or the interrupted autonomous domain is an important autonomous domain, the corresponding important domain name is further determined according to the important prefix and/or the important autonomous domain, and the network service influenced by the interrupted prefix and/or the interrupted autonomous domain is determined by the important determination. Thus, the detection method of this embodiment may not only detect the prefix and/or autonomous domain where the interruption occurs, but also determine the network service affected by the route interruption.
In some embodiments, when the detection result is a plurality of autonomous domain interrupts, the method further comprises:
and clustering the starting autonomous domains of the interrupts according to a pre-constructed autonomous domain topological structure, and determining the associated autonomous domains of the interrupts.
In this embodiment, each originating autonomous domain corresponds to one dynamic autonomous domain detection model, each dynamic autonomous domain detection model is used to detect whether the originating autonomous domain corresponding to the model is interrupted, and when all detection results output by the multiple dynamic autonomous domain detection models are originating autonomous domain interruptions, it is determined that the multiple originating autonomous domains are interrupted. And further clustering a plurality of originating autonomous domains generating the interrupt according to the topology structure of the autonomous domains, and determining the associated autonomous domains generating the interrupt according to the clustering result.
In some embodiments, after the routing table is obtained, a network topology relation base is established according to the routing table, and the autonomous domain topology relation between autonomous domains can be established based on the network topology relation base. And the network topology relation library stores the path relation among autonomous domains in the form of a directed graph.
In some modes, the routing table and the routing update packet acquired by the monitoring device are unstructured data, and after the unstructured routing table and the routing update packet are analyzed by using a predetermined analysis tool, the structured routing table and the routing update packet are obtained, and various libraries are constructed based on the structured routing table and the routing update packet. Taking a method for constructing a network topology relation library AS an example, analyzing structured routing tables one by one to obtain reachable path AS path attributes in each routing table, analyzing each autonomous domain on the AS path and a path relation between autonomous domains, and constructing a directed graph according to the autonomous domains and the path relation; for example, the AS path includes AS1, AS2, and AS3, and the transmission paths are AS1 to AS2, and AS2 to AS3, the constructed directed graph points to node AS2 for node AS1, and point to node AS3 for node AS 2.
In this embodiment, clustering the autonomous domains from which interrupts originate according to a pre-constructed autonomous domain topology structure, and determining the associated autonomous domains of the interrupts include:
generating a region topological graph of a preset region according to the topological structure of the autonomous region; the topological graph of the area takes autonomous domains included in a preset area as nodes, and directed edges among the nodes are determined according to the accessibility among the autonomous domains;
according to the regional topological graph, determining weak connection components which take the interrupted self-control domain as nodes;
and comparing the number of the nodes on the weak connected component with a preset number threshold, and if the number of the nodes is greater than the number threshold, taking each node on the weak connected component as an associated autonomous domain.
In this embodiment, an area topology map of a predetermined area may be generated based on the network topology relationship library. Inquiring an autonomous domain and an reachable autonomous domain of the autonomous domain from a network topology relation library, taking the autonomous domain as a node according to the inquired autonomous domain and reachable autonomous domain, and connecting a directed edge between the autonomous domain and the reachable autonomous domain to construct a regional topology map of the predetermined region. Then, determining a weakly connected component formed by the interrupted autonomous domain based on the regional topological graph, wherein the weakly connected component comprises a plurality of nodes; and counting the number of the nodes on the weak connected component, comparing the number of the nodes with a set number threshold, and if the number of the nodes is greater than the number threshold, judging the nodes on the weak connected component as an associated autonomous domain with interruption. In this way, the method of the present embodiment may not only detect the autonomous domain in which the interrupt occurs, but also determine the associated autonomous domain in which the interrupt occurs.
In some embodiments, for each node on the weakly connected component, the average value and the standard deviation of the number of nodes in a certain time period are counted, and the sum of the average value and the standard deviation of a predetermined multiple is used as the dynamic data threshold of the time period. And in the time period, comparing the counted number of the nodes with a dynamic number threshold value, and judging whether the nodes are associated autonomous domains or not.
In some embodiments, after determining the associated autonomous domain of the interrupt, further comprising: and selecting the interrupted root autonomous domain from the associated autonomous domains by using a preset ranking algorithm. Optionally, the weight of each autonomous domain in the associated autonomous domain may be calculated by using a PageRank algorithm, and the root autonomous domain having the interruption may be selected according to the weight of each autonomous domain. Specifically, each associated autonomous domain is used as a node to construct an associated directed graph, the direction of edges among the nodes is opposite to that of corresponding edges in the regional topological graph, a PageRank algorithm is used for iteratively calculating the weight value of each node in the associated directed graph, and the node with the largest weight value is used as a root autonomous domain, so that the tracing of the interrupt autonomous domain is realized.
It should be noted that the method of the embodiment of the present application may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the multiple devices may only perform one or more steps of the method of the embodiment, and the multiple devices interact with each other to complete the method.
It should be noted that the above description describes certain embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
As shown in fig. 4, an embodiment of the present application further provides a device for detecting inter-domain route interruption, including:
the acquisition module is used for acquiring a route updating message from the boundary router at intervals of preset time;
the analysis module is used for analyzing the routing update message to obtain an origin autonomous domain, a prefix corresponding to the origin autonomous domain and an autonomous domain to which the boundary router belongs;
the updating module is used for updating a pre-constructed autonomous domain prefix visibility library according to the originating autonomous domain, the prefix corresponding to the originating autonomous domain and the autonomous domain to which the boundary router belongs; the autonomous domain prefix visibility library is constructed according to the acquired autonomous domain in the routing table, the prefix corresponding to the autonomous domain and the autonomous domain to which the boundary router belongs;
the feature extraction module is used for determining prefix visibility features and autonomous domain visibility features of the current time period based on the updated autonomous domain prefix visibility library; the prefix visibility characteristics are the number of autonomous domains to which the boundary routers corresponding to the prefixes belong, and the autonomous domain visibility characteristics are the number of autonomous domains to which the boundary routers of all the prefixes corresponding to the originating autonomous domains belong;
the prefix detection module is used for inputting the prefix visibility characteristics of the current time period and the prefix visibility characteristics recorded in the historical time period into a preset dynamic prefix detection model, and outputting a detection result of whether the prefix is interrupted or not by the dynamic prefix detection model;
and the autonomous domain detection module is used for inputting the visibility characteristics of the autonomous domain in the current time period and the recorded visibility characteristics of the autonomous domain in the historical time period into a preset dynamic autonomous domain detection model, and outputting a detection result of whether the autonomous domain is interrupted or not by the dynamic autonomous domain detection model.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functions of the modules may be implemented in the same or multiple software and/or hardware when implementing the embodiments of the present application.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Fig. 5 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device of the foregoing embodiment is used for implementing the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described again here.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, for storing information may be implemented in any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the present disclosure, also technical features in the above embodiments or in different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the application. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the application are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that the embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures, such as Dynamic RAM (DRAM), may use the discussed embodiments.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present disclosure are intended to be included within the scope of the disclosure.

Claims (10)

1. A method for detecting inter-domain route interruption is characterized by comprising the following steps:
acquiring a route updating message from a boundary router at intervals of preset time;
analyzing the route updating message to obtain an origin autonomous domain and a prefix corresponding to the origin autonomous domain and an autonomous domain to which a boundary router belongs;
updating a pre-constructed autonomous domain prefix visibility library according to the originating autonomous domain, the prefix corresponding to the originating autonomous domain and the autonomous domain to which the boundary router belongs; the autonomous domain prefix visibility library is constructed according to the acquired autonomous domain of the origin in the routing table, the prefix corresponding to the autonomous domain and the autonomous domain to which the border router belongs;
determining prefix visibility characteristics and autonomous domain visibility characteristics of the current time period based on the updated autonomous domain prefix visibility library; the prefix visibility characteristics are the number of autonomous domains to which the boundary routers corresponding to the prefixes belong, and the autonomous domain visibility characteristics are the number of autonomous domains to which the boundary routers of all the prefixes corresponding to the originating autonomous domains belong;
inputting the prefix visibility characteristic of the current time period and the prefix visibility characteristic recorded in the historical time period into a preset dynamic prefix detection model, and outputting a detection result of whether the prefix is interrupted by the dynamic prefix detection model;
and inputting the visibility characteristics of the autonomous domain in the current time period and the recorded visibility characteristics of the autonomous domain in the historical time period into a preset dynamic autonomous domain detection model, and outputting a detection result of whether the autonomous domain is interrupted or not by the dynamic autonomous domain detection model.
2. The method of claim 1, wherein the type of the route update packet is a prefix announcement, and updating the autonomous domain prefix visibility library comprises:
extracting the corresponding relation of the autonomous domain, the prefix and the autonomous domain to which the border router belongs, which are announced in the message;
updating a prefix autonomous domain library according to the announced prefix and the corresponding originating autonomous domain; the prefix autonomous domain library is constructed according to the prefixes in the routing table and the corresponding starting autonomous domains;
and updating the prefix visibility library of the autonomous domain according to the updated prefix autonomous domain library.
3. The method of claim 2, wherein updating a prefix autonomous domain library according to the announced prefix and the corresponding originating autonomous domain comprises:
inquiring the prefix autonomous domain library according to the announced prefix, and if no record of the prefix exists in the prefix autonomous domain library, adding the prefix and the corresponding originating autonomous domain into the prefix autonomous domain library;
the updating the prefix visibility library of the autonomous domain according to the updated prefix autonomous domain library comprises:
if the prefix exists in the prefix autonomous domain library, judging whether the originating autonomous domain corresponding to the prefix recorded in the prefix autonomous domain library is the same as the announced originating autonomous domain corresponding to the prefix, and if so, adding the announced prefix, the originating autonomous domain and the corresponding relation of the autonomous domains to which the border router belongs to the autonomous domain prefix visibility library; and if not, deleting the autonomous domain to which the border router corresponding to the announced prefix belongs in the autonomous domain prefix visibility library.
4. The method of claim 2, wherein the type of the route update packet is prefix withdraw, and updating the autonomous domain prefix visibility library comprises:
extracting the corresponding relation between the withdrawn prefix and the autonomous domain to which the border router belongs from the message;
inquiring the prefix autonomous domain library according to the withdrawn prefixes, and determining corresponding originating autonomous domains;
and deleting the corresponding relation of the autonomous domain, withdrawn prefixes and the autonomous domain to which the border router belongs, which is recorded in the autonomous domain prefix visibility library, according to the autonomous domain.
5. The method according to claim 1, wherein the detection result is prefix interrupt and/or autonomous domain interrupt, and the method further comprises:
comparing the interrupted origin autonomous domain with a preset important autonomous domain, and comparing the interrupted prefix with a preset important prefix;
when the autonomous domain of the interruption is judged to be an important autonomous domain and/or the prefix of the interruption is judged to be an important prefix according to the comparison result, determining the important domain name corresponding to the autonomous domain of the interruption and/or the prefix of the interruption;
and determining the network service influenced by the interrupted starting autonomous domain and/or the interrupted prefix according to the important domain name.
6. The method of claim 1, wherein the detection results are a plurality of autonomous domain interrupts, the method further comprising:
and clustering the starting autonomous domains of the interrupts according to a pre-constructed autonomous domain topological structure, and determining the associated autonomous domains of the interrupts.
7. The method of claim 6, wherein clustering the autonomous domains from which interrupts originate according to a pre-constructed autonomous domain topology to determine the associated autonomous domain for the interrupt comprises:
generating a region topological graph of a preset region according to the topological structure of the autonomous region; the area topological graph takes autonomous domains included in the preset area as nodes, and directed edges among the nodes are determined according to reachability among the autonomous domains;
according to the regional topological graph, weak connected components which take an interrupted self-control domain as nodes are determined;
and comparing the number of the nodes on the weak connected component with a preset number threshold, and if the number of the nodes is greater than the number threshold, taking each node on the weak connected component as an associated autonomous domain.
8. The method of claim 7, wherein the quantity threshold is a dynamic quantity threshold determined according to a mean and a standard deviation of the number of nodes over a period of time.
9. The method of claim 8, wherein after determining the associated autonomous domain for the interrupt, further comprising:
and determining the root autonomous domain in which the interruption occurs from the associated autonomous domain by using a preset ranking algorithm.
10. The method according to claim 9, wherein determining a root autonomous domain from which an interruption occurred from the associated autonomous domains using a preset ranking algorithm comprises:
constructing an associated directed graph by taking each associated autonomous domain as a node, wherein the direction of edges among the nodes is opposite to the direction of corresponding edges in the regional topological graph;
and iteratively calculating the weight value of each node in the associated directed graph by using the ranking algorithm, and taking the node with the maximum weight value as the root-originated autonomous domain.
CN202211359410.6A 2022-11-02 2022-11-02 Detection method for inter-domain route interruption Active CN115412462B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211359410.6A CN115412462B (en) 2022-11-02 2022-11-02 Detection method for inter-domain route interruption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211359410.6A CN115412462B (en) 2022-11-02 2022-11-02 Detection method for inter-domain route interruption

Publications (2)

Publication Number Publication Date
CN115412462A CN115412462A (en) 2022-11-29
CN115412462B true CN115412462B (en) 2023-03-24

Family

ID=84169388

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211359410.6A Active CN115412462B (en) 2022-11-02 2022-11-02 Detection method for inter-domain route interruption

Country Status (1)

Country Link
CN (1) CN115412462B (en)

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1299466C (en) * 2004-07-23 2007-02-07 北京邮电大学 Resolving device and method for service grade standard in multiple field heterogeneous IP network
DE102005025421A1 (en) * 2005-06-02 2006-12-07 Siemens Ag A method for providing spare paths as a quick response to the failure of a link between two routing domains
DE102005025420B4 (en) * 2005-06-02 2008-12-24 Nokia Siemens Networks Gmbh & Co.Kg A method for providing spare paths as a quick response to the failure of a link between two routing domains
US20120102228A1 (en) * 2009-03-16 2012-04-26 Filippo Cugini Inter-domain advertisements in multi-domain networks
CN101656638B (en) * 2009-09-08 2011-10-19 中国科学院计算技术研究所 Inter-domain prefix hijacking detection method for error configuration
CN103442008B (en) * 2013-08-29 2016-08-31 上海瀛联体感智能科技有限公司 A kind of routing safety detecting system and detection method
CN106992891B (en) * 2017-04-20 2019-11-19 中国科学院计算技术研究所 A kind of routing configuration method for detecting abnormality and system for ospf network
CN109558727B (en) * 2018-10-25 2021-07-09 中国科学院计算技术研究所 Routing security detection method and system
CN112702221B (en) * 2019-10-23 2022-12-27 中国电信股份有限公司 BGP abnormal route monitoring method and device
CN113328990B (en) * 2021-04-21 2022-09-09 北京邮电大学 Internet route hijacking detection method based on multiple filtering and electronic equipment
CN113268550A (en) * 2021-04-21 2021-08-17 北京邮电大学 Method and system for scheduling autonomous domain system, electronic device and storage medium

Also Published As

Publication number Publication date
CN115412462A (en) 2022-11-29

Similar Documents

Publication Publication Date Title
JP5722783B2 (en) Providing customization information to users based on trend identification
CN107404408B (en) Virtual identity association identification method and device
CN111600746B (en) Network fault positioning method, device and equipment
CN111314285B (en) Method and device for detecting route prefix attack
CN113268550A (en) Method and system for scheduling autonomous domain system, electronic device and storage medium
CN113726786B (en) Abnormal access behavior detection method and device, storage medium and electronic equipment
CN110730128B (en) Information propagation path processing method and device, electronic equipment and storage medium
CN115412462B (en) Detection method for inter-domain route interruption
CN112887208B (en) Route leakage detection method, device and equipment
JP6813451B2 (en) Anomaly detection system and anomaly detection method
CN115955458A (en) Method and device for identifying content distribution network address
Kobayashi et al. amulog: A general log analysis framework for comparison and combination of diverse template generation methods
CN111159196A (en) Block chain data storage and acquisition method and device based on fragmentation
KR101345095B1 (en) Method and system for bgp routing data processing based on cluster
CN115426245B (en) Cloud platform network fault automatic detection method, equipment and computer readable medium
CN114157713B (en) Method and system for capturing hidden service traffic
US20230362079A1 (en) Anomaly Detection for Cloud Computing Platforms
CN115412377B (en) Detection method of malicious autonomous system
US20230362178A1 (en) Detecting and Performing Root Cause Analysis for Anomalous Events
CN114070819B (en) Malicious domain name detection method, device, electronic device and storage medium
CN116828509B (en) Network blind area detection method and system
CN113157048B (en) Behavior data analysis method based on multi-terminal time axis and related components
CN114553512B (en) Ethernet packet filtering method and device for power edge computing chip
CN114745743A (en) Network analysis method and device based on knowledge graph
JP4615495B2 (en) Route analysis apparatus and computer program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant