WO2017088700A1 - Method, node and subsystem for early warning decision - Google Patents
- Publication number
- WO2017088700A1 (PCT/CN2016/106325)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- traffic
- server
- analysis result
- weight
- service request
Classifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
- H04L43/16—Threshold monitoring
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1458—Denial of Service
- H04L65/40—Support for services or applications
- H04L67/1001—Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
- H04L9/40—Network security protocols
- H04L2463/141—Denial of service attacks against endpoints in a network
Definitions
- the present invention relates to the field of distributed denial of service (DDoS) early warning technology, and in particular, to a method, a node and a subsystem for early warning decision making.
- a DDoS attack occupies a large amount of network resources through a large number of legitimate service requests in order to deny service.
- DDoS attacks can be identified through traffic analysis. When DDoS attacks are identified, traffic cleaning is performed to remove attacks or abnormal service requests.
- the request data for accessing the server in the equipment room reaches the equipment room network device (such as a router) through an Internet Service Provider (ISP) network device.
- the service request from the ISP network device to the equipment room network device is mirrored to the load balancing device, which then distributes it to each distributed traffic analysis device.
- the traffic analysis device periodically performs traffic analysis on the service request distributed to the device, and specifically calculates the traffic component and the traffic size of the service request in each traffic analysis period according to the IP address. Then, the traffic analysis device sends the traffic analysis result to the decision device.
- the decision device determines whether the traffic of the server in each equipment room is abnormal according to the summarized traffic analysis result.
- if the traffic of a server is abnormal, a DDoS attack may be occurring.
- in that case the cleaning device is notified to pull the service requests destined for the equipment room network device and, after the cleaning process is completed, returns them to the equipment room network device. If the server does not have abnormal traffic, no processing is performed.
- in the absence of a DDoS attack, the service request is forwarded normally to the server in the equipment room through the equipment room ingress network device.
- when traffic is pulled, the service request is forwarded to the traffic cleaning device. After the traffic cleaning device processes the service request, the service request is returned to the ingress network device of the equipment room and then forwarded to the server in the equipment room.
- the purpose of the present application is to provide a method, node and subsystem for early warning decision making to solve the problem of poor reliability and security of the existing DDoS early warning system.
- a method for early warning decision is provided, which is implemented in each distributed node that performs early warning decision, and the method includes the following steps: acquiring a traffic analysis result of a partial service request for the same server; calculating, according to the traffic indicated by the traffic analysis result and the weight of the distributed node, the traffic of all the service requests for the server, where the weight is the proportion that the traffic indicated by the traffic analysis result acquired by the distributed node represents of the traffic of all the service requests for the server; comparing the traffic of all service requests for the server with the abnormal traffic threshold; and determining, according to the comparison result, whether to issue an indication for subsequent processing of the server.
- a node for early warning decision is also provided; the node is a distributed node and includes the following modules: a traffic analysis result obtaining module, configured to obtain a traffic analysis result of a partial service request for the same server; a complete traffic estimation module, configured to calculate, according to the traffic indicated by the traffic analysis result and the weight of the distributed node, the traffic of all the service requests for the server, where the weight is the proportion that the traffic indicated by the traffic analysis result obtained by the distributed node represents of the traffic of all the service requests for the server; a threshold comparison module, configured to compare the traffic of all the service requests for the server with the abnormal traffic threshold; and a determining control module, configured to determine, according to the comparison result, whether to issue an instruction to perform subsequent processing on the server.
- a system for early warning decision including:
- the first load balancing device is configured to offload the service request to the multiple traffic analysis nodes
- Each traffic analysis node receives the service request, and reports the traffic analysis result to the second load balancing device.
- the second load balancing device offloads the traffic analysis result to the multiple early warning decision nodes.
- the present application has the following advantages: there is only one decision device in the existing DDoS early warning system.
- if the decision device cannot work normally for some reason, for example because it fails, or because the amount of data to be processed exceeds the processing capability of a single decision device, the network defense of the entire equipment room becomes invalid.
- the technical solution provided by the embodiment adopts a distributed architecture to make early warning decisions. Even if a node that performs the early warning decision cannot work normally, the other normally working nodes can still make early warning decisions, thereby effectively improving the reliability and security of the DDoS early warning system.
- each distributed node that performs the early warning decision has its own weight, which is the proportion that the traffic indicated by the traffic analysis result obtained by the distributed node represents of the traffic of all the service requests for the server. For each distributed node, the traffic of all the service requests for the same server can therefore be estimated from the weight and the traffic indicated by the traffic analysis result of the partial service request for that server. The early warning decision is then made by comparing the estimated traffic with the abnormal traffic threshold.
- a single distributed node can estimate the traffic of all service requests by combining its weight with the traffic of the service requests it has obtained, and can thereby make an early warning decision. Each of the above distributed nodes can thus make early warning decisions on its own. When some distributed nodes that make early warning decisions cannot work normally, the other distributed nodes can still make early warning decisions, which improves the reliability and security of the DDoS early warning system and also improves the processing capability of the system.
- FIG. 1 is a schematic diagram of a conventional DDoS early warning system
- FIG. 2 is a flow chart of a method according to an embodiment of the present application.
- FIG. 3 is a schematic diagram of a DDoS early warning system according to another embodiment of the present application.
- FIG. 5 is a schematic diagram of a node according to still another embodiment of the present application.
- “node” or “load balancing device” as used in this context is a computing device, that is, an intelligent electronic device that can perform predetermined processing such as numerical calculation and/or logical calculation by running a predetermined program or instruction. It may include a processor and a memory, the processor executing a pre-stored instruction stored in the memory to perform a predetermined process, or performing a predetermined process by hardware such as an ASIC, an FPGA, a DSP, or the like, or a combination of the two.
- FIG. 2 is a schematic flowchart diagram of a method for early warning decision according to an embodiment of the present application.
- the method of the embodiment is mainly implemented by a computer device, and is particularly suitable for a DDoS early warning system.
- the traffic analysis device analyzes the traffic composition and traffic size of each IP address according to the IP address in the service request (one IP address corresponds to one server).
- the traffic analysis results of the traffic analysis device are distributed to the various distributed nodes that make the early warning decisions. Even if a person skilled in the art could think of introducing a distributed architecture for early warning decision in the DDoS early warning system, the characteristics of a DDoS attack mean that the traffic of all the service requests for one server must be known before the early warning decision can be made.
- in the technical solution provided by the embodiment of the present application, each distributed node that performs the early warning decision calculates the traffic of all the service requests for the server according to its weight and the traffic indicated by the traffic analysis result of the partial service request it has obtained for that server, and then makes the early warning decision. Each distributed node can therefore perform early warning decision according to the fragmented data. Furthermore, when some distributed nodes that make early warning decisions are not working properly, early warning decisions can still be made by the other distributed nodes, thereby improving the reliability and security of the DDoS early warning system. In addition, the total processing capability of the multiple distributed nodes is higher than the processing capability of a single decision device. Therefore, the technical solution provided by the embodiments of the present application also improves the processing capability of the system.
- the method according to the present embodiment includes steps S110-S140.
- in step S110, a traffic analysis result of a partial service request for the same server is obtained.
- specifically, in step S110, the traffic analysis result of the partial service request for the same server in the current traffic analysis period is obtained.
- in step S120, based on the traffic indicated by the traffic analysis result and the weight of the distributed node, the traffic of all service requests for the server is calculated.
- specifically, in step S120, according to the traffic indicated by the traffic analysis result and the weight of the distributed node, the traffic of all service requests for the server in the current traffic analysis period is calculated.
- the weight of the distributed node is the proportion that the traffic indicated by the traffic analysis result obtained by the distributed node represents of the traffic of all the service requests for the server. Specifically, the weight of the distributed node is the proportion that the traffic indicated by the traffic analysis result acquired by the distributed node in the traffic analysis period represents of the traffic of all the service requests for the server.
- the traffic analysis result obtained by the distributed node is a traffic analysis result for a partial service request of the foregoing server.
- in step S130, the traffic of all service requests for the above server is compared with the abnormal traffic threshold.
- specifically, in step S130, the traffic of all service requests for the server in the current traffic analysis period is compared with an abnormal traffic threshold.
- the abnormal traffic threshold is determined according to the actual situation, and the embodiment of the present application does not limit its specific value.
- in step S140, based on the comparison result, it is determined whether an instruction to perform subsequent processing for the server is issued.
- the subsequent processing is not limited.
- downstream processing such as traffic cleaning, traffic black holes, or traffic analysis can be performed.
- the traffic analysis result of the partial service request for the same server obtained in step S110 is fragmented data.
- in step S120, the traffic of all the service requests for the server is calculated according to the traffic indicated by the traffic analysis result and the weight of the distributed node.
- in step S130, the estimated traffic is compared with the abnormal traffic threshold, and in step S140, it is determined whether an instruction to perform subsequent processing for the server is issued based on the comparison result.
- each distributed node only obtains the traffic indicated by the traffic analysis result of part of the access traffic, that is, a data fragment, and how to make early warning decisions according to the fragmented data is not known to those skilled in the art without creative labor.
- the step S140 may be specifically: when the comparison result meets the predetermined condition, determining to issue an instruction for performing subsequent processing on the server; otherwise, determining not to issue an instruction for performing subsequent processing on the server;
- the predetermined condition is that the flow rate for comparison is greater than the abnormal flow rate threshold, or the predetermined condition is that the flow rate for comparison is not less than the abnormal flow rate threshold.
- after step S110, the traffic indicated by the traffic analysis result of the partial service request for the server is compared with the abnormal traffic threshold; if the comparison result meets the predetermined condition, an indication for subsequent processing of the server is issued.
- step S120 is performed when the comparison result of the traffic indicated by the traffic analysis result of the partial service request of the server and the abnormal traffic threshold does not meet the predetermined condition.
- the abnormal traffic threshold is 10 MBps. If the traffic size indicated by the traffic analysis result for the service request of the same server in the current traffic analysis period is 20 MBps, it is determined that the traffic indicated by the traffic analysis result is greater than the abnormal traffic threshold, and an indication for subsequent processing of the server is sent. If the traffic size indicated by the traffic analysis result of the partial service request for the same server in the current traffic analysis period is 8 MBps, the traffic of all service requests for the server in the current traffic analysis period must additionally be calculated based on the weight of the distributed node, and the estimated traffic is then compared with the abnormal traffic threshold to determine whether an indication for subsequent processing of the server needs to be issued.
- the method provided by the embodiment of the present application may be implemented in a traffic analysis device, or may be implemented by a separate device.
- the load balancing device distributes the traffic analysis result obtained by the traffic analysis device to each distributed node that performs the early warning decision. Accordingly, in step S110, the traffic analysis result of a partial service request for the same server is obtained from the load balancing device.
- each distributed traffic analysis device obtains a partial service request for the server from the load balancing device, performs traffic analysis on that part of the service request, and obtains a traffic analysis result for a part of the service request of the server.
- the traffic analysis result obtained through traffic analysis by the device itself is then acquired.
- the embodiment of the present application further adjusts the weight of the distributed node according to a predetermined weight adjustment period to ensure the accuracy of the estimation result.
- in each weight adjustment period, the distributed node: determines the traffic indicated by the traffic analysis results, acquired by the other distributed nodes that perform the early warning decision, for partial service requests of the above server in a partial time period within the current weight adjustment period (e.g., if one weight adjustment period is 60 seconds and each traffic analysis period is 1 second, only the traffic in the last two traffic analysis periods of each weight adjustment period, that is, the last 2 seconds, is determined); calculates, according to the traffic indicated by the traffic analysis results of the partial service requests of the server acquired in that partial time period by all the distributed nodes that perform the early warning decision, the traffic of all the service requests for the server in the partial time period; and adjusts the weight of the distributed node for the next weight adjustment period according to at least the proportion that the traffic indicated by the traffic analysis result of the partial service request for the server acquired by the distributed node in the partial time period represents of the traffic of all the service requests for the server in that partial time period.
- if the traffic analysis period is 1 second and the weight adjustment period is 60 seconds, the weight is adjusted once every 60 seconds.
- the node may interact with the other distributed nodes to determine the traffic indicated by the traffic analysis result for the partial service request of the server in the partial time period of the current weight adjustment period acquired by the other distributed nodes that perform the early warning decision;
- alternatively, the node may interact with the load balancing device to determine the traffic indicated by the traffic analysis result for the partial service request of the server during a partial time period within the current weight adjustment period acquired by the other distributed nodes that make the early warning decision.
- the load balancing device may also be requested to obtain the weight of the distributed node according to a predetermined weight adjustment period.
- the traffic analysis result indicates at least the traffic size.
- the flow rate of each traffic component is specified.
- the early warning decision may be made based on the composition of the traffic, or the early warning decision may be made only according to the traffic size.
- step S120 specifically, according to the traffic size indicated by the traffic analysis result and the weight of the distributed node, the traffic size of all service requests for the server is calculated.
- step S130 specifically, the traffic size of all the service requests for the server is compared with the abnormal traffic threshold. If the traffic indicated by the traffic analysis result of the partial service request for the server is compared with the abnormal traffic threshold, the traffic size of all the service requests for the server is compared with the abnormal traffic threshold.
- specifically, the traffic size corresponding to each traffic component indicated by the traffic analysis result of the partial service request for the server is compared with the abnormal traffic threshold corresponding to that traffic component; correspondingly, in the above step S110, specifically, according to the traffic size corresponding to the target traffic component indicated by the traffic analysis result and the weight of the distributed node corresponding to the target traffic component, the traffic size of the target traffic component in all the service requests for the server is calculated; in the above step S130, specifically, the traffic size of the target traffic component in all the service requests for the server is compared with the abnormal traffic threshold corresponding to the target traffic component, where the target traffic component is a traffic component whose comparison result does not meet the predetermined condition.
- step S110 is specifically: according to the traffic size corresponding to each traffic component indicated by the traffic analysis result and the weight of the distributed node corresponding to each traffic component, respectively calculating the traffic size of each traffic component in all the service requests for the server; in step S130, specifically, the traffic size of each traffic component in all the service requests for the server is compared with the abnormal traffic threshold corresponding to each traffic component.
- the step of issuing an indication for subsequent processing of the server includes: for a traffic component whose comparison result meets the predetermined condition, issuing an indication for subsequent processing of that traffic component for the server.
- the server in the room is used to process the service request of the e-commerce.
- the request data for accessing the server in the equipment room reaches the equipment room ingress network device through the ISP network device, and the service requests from the ISP network device to the equipment room ingress network device are mirrored in full to the first load balancing device; the first load balancing device distributes the service requests to the individual distributed traffic analysis devices.
- the service request carries the IP address and access time of the target server.
- the traffic analysis device counts the traffic composition and the size of each traffic component for the same server per second according to the IP address and access time.
- traffic analysis device A analyzes the received service requests and finds that the traffic whose access time is 18:10:20 and whose IP address is that of server B is 20 MBps, which can be divided into three traffic components: a, b, and c.
- traffic component a corresponds to a traffic volume of 10 MBps.
- traffic component b corresponds to a traffic volume of 8 MBps.
- traffic component c corresponds to a traffic volume of 2 MBps.
- each traffic analysis device sends the traffic analysis result to the second load balancing device, and the second load balancing device distributes the received traffic analysis results to each distributed node that performs the early warning decision. The traffic analysis result carries the traffic components and the corresponding traffic sizes, and also carries the IP address and access time of the target server. For example, if the second load balancing device receives 100 analysis results for the same access time and the same IP address, and there are 50 distributed nodes for early warning decision, the 100 analysis results are divided equally among the 50 distributed nodes. It should be noted that when a distributed node fails to work normally, the second load balancing device no longer distributes traffic analysis results to it, but divides the traffic analysis results among the distributed nodes that work normally.
- the distributed node that makes the early warning decision performs the following operations:
- Step S210: acquire a traffic analysis result of a partial service request for the same server within one second.
- the traffic analysis result carries the IP address of the server, the access time, and the traffic volume of each traffic component.
- traffic component a: 10 MBps.
- traffic component b: 8 MBps.
- traffic component c: 2 MBps.
- Step S220: the traffic size of each traffic component is compared with the abnormal traffic threshold corresponding to that traffic component; for a traffic component whose comparison result does not meet the predetermined condition, step S230 is executed, and for a traffic component whose comparison result meets the predetermined condition, step S250 is performed.
- the abnormal flow threshold corresponding to each flow component can be determined in advance.
- the abnormal flow threshold corresponding to the flow component a is 8 MBps
- the abnormal flow threshold corresponding to the flow component b is 20 MBps
- the abnormal flow threshold corresponding to the flow component c is 2 MBps.
- the other two flow components are not mentioned in the embodiment of the present application, and therefore will not be described.
- Step S230: according to the traffic size corresponding to each traffic component whose comparison result does not meet the predetermined condition and the corresponding weight of the distributed node, estimate the traffic size of that traffic component in all the service requests for the server in the above 1 second.
- the predetermined condition is that the traffic size is not less than the abnormal traffic threshold. Then, based on the traffic size of the traffic component b (8 MBps) and the weight of the distributed node corresponding to the traffic component b, the traffic volume of the traffic component b in all the service requests for the server in the above 1 second is estimated (16 MBps).
- Step S240: compare the estimated traffic size with the abnormal traffic threshold corresponding to the traffic component; for a traffic component whose comparison result does not meet the predetermined condition, no processing is performed, and for a traffic component whose comparison result meets the predetermined condition, step S250 is performed.
- Step S250: issue an indication to perform traffic cleaning, for the server, on the traffic components whose comparison results meet the predetermined condition.
- the cleaning device cleans the service requests destined for the equipment room ingress network device, filters out the service requests of traffic components a and c, retains the service requests of traffic component b (normal e-commerce service requests), and returns the cleaned service requests to the equipment room network device.
- the equipment room network device sends a service request to the corresponding server in the equipment room according to the IP address.
- one second is taken as a flow analysis cycle as an example. It should be noted that in practical applications, the size of the traffic analysis period can be set according to actual needs.
- the load balancing device divides the traffic analysis results into distributed nodes that work normally. It should be noted that, in practical applications, the load balancing device can be configured to distribute traffic analysis results according to different policies.
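The per-component decision of steps S210 to S250 and the periodic weight adjustment described earlier, written out as an added Python example (not code from the patent). It assumes the estimate is the observed traffic divided by the weight and a weight of 0.5 for component b, which reproduces the 16 MBps in the text; the names `decide` and `adjust_weight` are hypothetical, and the weight update uses only the node's share of the sampled window.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


def meets_condition(traffic_mbps: float, threshold_mbps: float) -> bool:
    """Predetermined condition of the worked example: not less than the threshold."""
    return traffic_mbps >= threshold_mbps


@dataclass(frozen=True)
class Decision:
    component: str
    observed_mbps: float             # fragment this node received (S210)
    estimated_mbps: Optional[float]  # None when the fragment alone met the condition
    clean: bool                      # True: issue a traffic-cleaning indication (S250)


def decide(fragment: Dict[str, float], thresholds: Dict[str, float],
           weights: Dict[str, float]) -> List[Decision]:
    """Steps S220 to S250 for one server and one traffic analysis period."""
    decisions = []
    for component in sorted(fragment):
        observed = fragment[component]
        threshold = thresholds[component]
        if meets_condition(observed, threshold):        # S220 -> S250
            decisions.append(Decision(component, observed, None, True))
            continue
        weight = weights[component]
        if not 0.0 < weight <= 1.0:
            raise ValueError(f"weight for {component!r} must be in (0, 1], got {weight}")
        estimated = observed / weight                   # S230 (assumed formula)
        decisions.append(Decision(component, observed, estimated,
                                  meets_condition(estimated, threshold)))  # S240
    return decisions


def adjust_weight(own: Sequence[float], peers: Sequence[Sequence[float]],
                  window: int, previous_weight: float) -> float:
    """Weight for the next adjustment period from the last `window` analysis periods.

    `own` and each entry of `peers` hold one traffic value per analysis period.
    A failed peer contributes no series. With no traffic at all in the window
    the share is undefined, so the previous weight is kept.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    own_sum = sum(own[-window:])
    total = own_sum + sum(sum(series[-window:]) for series in peers)
    if total <= 0:
        return previous_weight
    return own_sum / total


# Constructed data: the fragment and thresholds are the values from the worked
# example; the weights are assumed (0.5 gives 8 MBps -> 16 MBps for component b).
THRESHOLDS = {"a": 8.0, "b": 20.0, "c": 2.0}
FRAGMENT = {"a": 10.0, "b": 8.0, "c": 2.0}
WEIGHTS = {"a": 0.5, "b": 0.5, "c": 0.5}


def stale_weight_scenario():
    """Constructed case: the only peer fails and this node now receives all of
    component b (16 MBps). The old weight doubles the estimate until the next
    weight adjustment corrects it."""
    series = [8.0] * 58 + [16.0, 16.0]   # 60 one-second periods, peer lost for the last 2 s
    before = decide({"b": 16.0}, THRESHOLDS, {"b": 0.5})[0]
    new_weight = adjust_weight(series, [], window=2, previous_weight=0.5)
    after = decide({"b": 16.0}, THRESHOLDS, {"b": new_weight})[0]
    return before, new_weight, after


if __name__ == "__main__":
    for decision in decide(FRAGMENT, THRESHOLDS, WEIGHTS):
        print(decision)
    print(stale_weight_scenario())
```

In the constructed failure case the stale weight yields an estimate of 32 MBps and a cleaning indication for legitimate traffic, which is the estimation error the periodic weight adjustment is there to bound.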
- FIG. 5 shows a node 5 for early warning decision according to an embodiment of the present application.
- the node 5 is a distributed node, and includes the following modules:
- the traffic analysis result obtaining module 501 is configured to obtain a traffic analysis result of a partial service request for the same server.
- the complete traffic estimation module 502 is configured to calculate the traffic of all service requests for the server according to the traffic indicated by the traffic analysis result and the weight of the distributed node, where the weight is the proportion that the traffic indicated by the traffic analysis result obtained by the distributed node represents of the traffic of all the service requests for the server;
- a threshold comparison module 503 configured to compare traffic of all service requests for the server with an abnormal traffic threshold
- the determining control module 504 is configured to determine, according to the comparison result, whether to issue an instruction for performing subsequent processing on the server.
- the threshold comparison module is further configured to:
- the predetermined condition is that the compared traffic is greater than the abnormal traffic threshold, Or the predetermined condition is that the flow rate for comparison is not less than the abnormal flow rate threshold.
- the threshold comparison module is further configured to:
- the calculating, according to the traffic indicated by the traffic analysis result and the weight of the distributed node, calculating the traffic of all the service requests for the server is performed on the premise that the comparison result does not meet the predetermined condition.
- the method further includes a weight adjustment module, configured to adjust a weight of the distributed node according to a predetermined weight adjustment period.
- the weight adjustment module is specifically configured to:
- each weight adjustment period determining, according to the traffic analysis result indicated by the traffic analysis result of the partial service request of the server in a part of the time period of the local weight adjustment period acquired by the other distributed nodes that perform the early warning decision;
- the traffic indicated in the part of the time period is for the service The weight of the traffic requested by the server for all services, and adjusts the weight of the distributed node in the next weight adjustment period.
- the traffic analysis result obtaining module is specifically configured to:
- the node further includes a service request obtaining module, configured to:
- the traffic result obtaining module is specifically configured to: perform traffic analysis on the part of the service request, and obtain a traffic analysis result for a part of the service request of the server.
- the complete traffic estimation module is specifically configured to:
- the threshold comparison module is specifically configured to: compare a traffic size indicated by a traffic analysis result of a partial service request for the server with the abnormal traffic threshold; and when the comparison result does not meet the predetermined condition, The traffic size of all service requests of the server is compared with the abnormal traffic threshold.
- the threshold comparison module is specifically configured to:
- the traffic size corresponding to each traffic component indicated by the traffic analysis result of the partial service request of the server is compared with an abnormal traffic threshold corresponding to the target traffic component, where the target traffic component is Traffic components that do not meet the booking criteria;
- the complete traffic estimation module is specifically configured to: calculate, according to the traffic size component of the target traffic component indicated by the traffic analysis result, the weight of the distributed node corresponding to the target traffic component, and respectively calculate all service requests for the server
- the target traffic consists of the component's traffic size.
- the indication sending module is specifically configured to:
- An indication of the subsequent processing of the flow component for the server is issued for the traffic component that the comparison result meets the predetermined condition.
- subsequent processing includes: traffic cleaning, traffic black hole, or traffic analysis.
- The embodiment of the present application further provides an early warning decision system, which includes a plurality of nodes for performing early warning decisions.
- Further included are multiple traffic analysis nodes, a first load balancing device and a second load balancing device;
- The first load balancing device is configured to distribute the service requests to the multiple traffic analysis nodes;
- Each traffic analysis node receives service requests and reports its traffic analysis results to the second load balancing device.
- The second load balancing device distributes the traffic analysis results to the multiple early warning decision nodes.
- The present application can be implemented in software and/or a combination of software and hardware.
- The various devices of the present application can be implemented using an application-specific integrated circuit (ASIC) or any other similar hardware device.
- The software program of the present application can be executed by a processor to implement the steps or functions described above.
- The software programs (including related data structures) of the present application can be stored in a computer-readable recording medium such as RAM, a magnetic or optical drive, a floppy disk, and the like.
- Some of the steps or functions of the present application may be implemented in hardware, for example, as a circuit that cooperates with a processor to perform various steps or functions.
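The per-component decision a node makes in the description above (compare the partial traffic first, extrapolate to the full traffic with the node's weight only when that check does not fire, then re-weight each adjustment period), as an added Python example that is not code from the patent. The division `partial / weight`, summing the nodes' figures to get the window total, setting the next weight equal to the observed share, and all names and sample figures are assumptions.

```python
from dataclasses import dataclass


@dataclass
class DecisionNode:
    """One distributed early-warning decision node (names are hypothetical)."""
    thresholds: dict      # abnormal traffic threshold per traffic component
    weights: dict         # this node's share of the full traffic, per component
    strict: bool = True   # True: condition is ">", False: "not less than"

    def _meets(self, traffic, threshold):
        return traffic > threshold if self.strict else traffic >= threshold

    def decide(self, partial):
        """Map each component to 'partial', 'estimated' or 'none'.

        'partial'   - the traffic this node saw already meets the condition
        'estimated' - only the extrapolated full traffic meets it
        'none'      - no instruction is issued for this component
        """
        verdicts = {}
        for component, seen in partial.items():
            limit = self.thresholds[component]
            if self._meets(seen, limit):
                verdicts[component] = "partial"
                continue
            weight = self.weights.get(component, 0.0)
            if weight <= 0.0:
                # No usable weight: the full traffic cannot be extrapolated.
                verdicts[component] = "none"
                continue
            # Assumption: weight = partial / full, hence full = partial / weight.
            estimated_full = seen / weight
            verdicts[component] = (
                "estimated" if self._meets(estimated_full, limit) else "none")
        return verdicts

    def adjust_weights(self, own_window, peer_windows):
        """Re-weight from the traffic every node saw in the sampling window."""
        for component, own in own_window.items():
            # Assumption: the window total is the sum over all decision nodes.
            total = own + sum(p.get(component, 0.0) for p in peer_windows)
            if total > 0:
                # Assumption: the next weight is exactly the observed share.
                self.weights[component] = own / total
            # total == 0: nothing observed, keep the previous weight.
        return self.weights


def components_to_process(node, partial):
    """Components for which a subsequent-processing instruction is issued."""
    return sorted(c for c, v in node.decide(partial).items() if v != "none")


if __name__ == "__main__":
    # Constructed figures: four nodes, each assumed to see a quarter of the traffic.
    node = DecisionNode(
        thresholds={"a": 1000, "b": 5000, "c": 800},
        weights={"a": 0.25, "b": 0.25, "c": 0.25},
    )
    print(node.decide({"a": 1200, "b": 900, "c": 300}))
```

A weight that overstates the node's real share makes the extrapolated traffic too low, so the length of the weight adjustment period bounds how long skewed load balancing can delay a warning.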
Claims (23)
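- An early-warning decision method, characterized in that it is applied to each distributed node that performs early-warning decisions, the method comprising the following steps: obtaining a traffic analysis result of a part of the service requests for a same server; calculating the traffic of all service requests for the server according to the traffic indicated by the traffic analysis result and the weight of this distributed node, the weight being the share of the traffic of all service requests for the server that is accounted for by the traffic indicated by the traffic analysis result obtained by this distributed node; comparing the traffic of all service requests for the server with an abnormal traffic threshold; and determining, according to the comparison result, whether to issue an instruction to perform subsequent processing for the server.
- The method according to claim 1, characterized in that determining, according to the comparison result, whether to issue an instruction to perform subsequent processing for the server comprises: when the comparison result meets a predetermined condition, determining to issue the instruction to perform subsequent processing for the server; otherwise, determining not to issue the instruction to perform subsequent processing for the server; the predetermined condition being that the compared traffic is greater than the abnormal traffic threshold, or the predetermined condition being that the compared traffic is not less than the abnormal traffic threshold.
- The method according to claim 2, characterized in that the method further comprises: comparing the traffic indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold; if the comparison result meets the predetermined condition, issuing an instruction for subsequent processing for the server; the step of calculating the traffic of all service requests for the server according to the traffic indicated by the traffic analysis result and the weight of this distributed node being performed on the premise that the comparison result does not meet the predetermined condition.
- The method according to any one of claims 1 to 3, characterized in that the method further comprises: adjusting the weight of this distributed node according to a predetermined weight adjustment period.
- The method according to claim 4, characterized in that the step of adjusting the weight of this distributed node according to a predetermined weight adjustment period comprises: in each weight adjustment period, determining the traffic indicated by the traffic analysis results of the partial service requests for the server that the other distributed nodes performing early-warning decisions obtained within a partial time period of the current weight adjustment period; in each said weight adjustment period, calculating the traffic of all service requests for the server within the partial time period according to the traffic indicated by the traffic analysis results of the partial service requests for the server obtained within the partial time period by all the distributed nodes performing early-warning decisions; and in each said weight adjustment period, adjusting the weight of this distributed node for the next weight adjustment period at least according to the share of the traffic of all service requests for the server within the partial time period that is accounted for by the traffic indicated by the traffic analysis result of the partial service requests for the server obtained by this distributed node within the partial time period.
- The method according to any one of claims 1 to 3, characterized in that the step of obtaining a traffic analysis result of a part of the service requests for a same server comprises: obtaining, from a load balancing device, the traffic analysis result of the partial service requests for the same server.
- The method according to any one of claims 1 to 3, characterized in that the method further comprises: obtaining, from a load balancing device, partial service requests for the server; and the step of obtaining a traffic analysis result of a part of the service requests for a same server comprises: performing traffic analysis on the partial service requests to obtain the traffic analysis result of the partial service requests for the server.
- The method according to claim 3, characterized in that the step of calculating the traffic of all service requests for the server according to the traffic indicated by the traffic analysis result and the weight of this distributed node comprises: calculating the traffic size of all service requests for the server according to the traffic size indicated by the traffic analysis result and the weight of this distributed node; the step of comparing the traffic of all service requests for the server with the abnormal traffic threshold comprises: comparing the traffic size of all service requests for the server with the abnormal traffic threshold; and the step of comparing the traffic indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold comprises: comparing the traffic size indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold.
- The method according to claim 3, characterized in that the step of comparing the traffic indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold comprises: comparing the traffic size corresponding to each traffic component indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold corresponding to that traffic component; the step of calculating the traffic of all service requests for the server according to the traffic indicated by the traffic analysis result and the weight of this distributed node comprises: calculating, for each target traffic component, the traffic size of that target traffic component in all service requests for the server, according to the traffic size corresponding to the target traffic component indicated by the traffic analysis result and the weight of this distributed node corresponding to the target traffic component, the target traffic components being the traffic components that do not meet the predetermined condition; and the step of comparing the traffic of all service requests for the server with the abnormal traffic threshold comprises: comparing the traffic size of each target traffic component in all service requests for the server with the abnormal traffic threshold corresponding to that target traffic component.
- The method according to claim 9, characterized in that the step of issuing, when the comparison result meets the predetermined condition, an instruction to perform subsequent processing for the server comprises: for a traffic component whose comparison result meets the predetermined condition, issuing an instruction to perform subsequent processing of that traffic component for the server.
- The method according to any one of claims 1 to 3 and 10, characterized in that the subsequent processing comprises: traffic cleaning, traffic black hole, or traffic analysis.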
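- An early-warning decision node, characterized in that the node is a distributed node and comprises the following modules: a traffic analysis result obtaining module, configured to obtain a traffic analysis result of a part of the service requests for a same server; a complete traffic estimation module, configured to calculate the traffic of all service requests for the server according to the traffic indicated by the traffic analysis result and the weight of this distributed node, the weight being the share of the traffic of all service requests of the server that is accounted for by the traffic indicated by the traffic analysis result obtained by this distributed node; a threshold comparison module, configured to compare the traffic of all service requests for the server with an abnormal traffic threshold; and a determining control module, configured to determine, according to the comparison result, whether to issue an instruction to perform subsequent processing for the server.
- The node according to claim 12, characterized in that the threshold comparison module is specifically configured to: when the comparison result meets a predetermined condition, determine to issue the instruction to perform subsequent processing for the server; otherwise, determine not to issue the instruction to perform subsequent processing for the server; the predetermined condition being that the compared traffic is greater than the abnormal traffic threshold, or the predetermined condition being that the compared traffic is not less than the abnormal traffic threshold.
- The node according to claim 12, characterized in that the threshold comparison module is further configured to: compare the traffic indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold; the calculation of the traffic of all service requests for the server according to the traffic indicated by the traffic analysis result and the weight of this distributed node being performed on the premise that the comparison result does not meet the predetermined condition.
- The node according to any one of claims 12 to 14, characterized by further comprising a weight adjustment module, configured to adjust the weight of this distributed node according to a predetermined weight adjustment period.
- The node according to claim 15, characterized in that the weight adjustment module is specifically configured to: in each weight adjustment period, determine the traffic indicated by the traffic analysis results of the partial service requests for the server that the other distributed nodes performing early-warning decisions obtained within a partial time period of the current weight adjustment period; in each said weight adjustment period, calculate the traffic of all service requests for the server within the partial time period according to the traffic indicated by the traffic analysis results of the partial service requests for the server obtained within the partial time period by all the distributed nodes performing early-warning decisions; and in each said weight adjustment period, adjust the weight of this distributed node for the next weight adjustment period at least according to the share of the traffic of all service requests for the server within the partial time period that is accounted for by the traffic indicated by the traffic analysis result of the partial service requests for the server obtained by this distributed node within the partial time period.
- The node according to any one of claims 12 to 14, characterized in that the traffic analysis result obtaining module is specifically configured to: obtain, from a load balancing device, the traffic analysis result of the partial service requests for the same server.
- The node according to any one of claims 12 to 14, characterized in that the node further comprises a service request obtaining module, configured to: obtain, from a load balancing device, partial service requests for the server; and the traffic result obtaining module is specifically configured to: perform traffic analysis on the partial service requests to obtain the traffic analysis result of the partial service requests for the server.
- The node according to claim 14, characterized in that the complete traffic estimation module is specifically configured to: calculate the traffic size of all service requests for the server according to the traffic size indicated by the traffic analysis result and the weight of this distributed node; and the threshold comparison module is specifically configured to: compare the traffic size indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold; and, when the comparison result does not meet the predetermined condition, compare the traffic size of all service requests for the server with the abnormal traffic threshold.
- The node according to claim 14, characterized in that the threshold comparison module is specifically configured to: compare the traffic size corresponding to each traffic component indicated by the traffic analysis result of the partial service requests for the server with the abnormal traffic threshold corresponding to that traffic component; and, when the comparison between the traffic size corresponding to a traffic component and the corresponding abnormal traffic threshold does not meet the predetermined condition, compare the traffic size of each target traffic component in all service requests for the server with the abnormal traffic threshold corresponding to that target traffic component, the target traffic components being the traffic components that do not meet the predetermined condition; and the complete traffic estimation module is specifically configured to: calculate, for each target traffic component, the traffic size of that target traffic component in all service requests for the server, according to the traffic size corresponding to the target traffic component indicated by the traffic analysis result and the weight of this distributed node corresponding to the target traffic component.
- The node according to claim 20, characterized in that the indication sending module is specifically configured to: for a traffic component whose comparison result meets the predetermined condition, issue an instruction to perform subsequent processing of that traffic component for the server.
- The node according to any one of claims 12 to 13 and 21, characterized in that the subsequent processing comprises: traffic cleaning, traffic black hole, or traffic analysis.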
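- An early-warning decision system, characterized by comprising: a plurality of early-warning decision nodes according to any one of claims 12 to 22, a plurality of traffic analysis nodes, a first load balancing device and a second load balancing device; the first load balancing device being configured to distribute service requests to the plurality of traffic analysis nodes; each traffic analysis node receiving service requests and reporting traffic analysis results to the second load balancing device; and the second load balancing device distributing the traffic analysis results to the plurality of early-warning decision nodes.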
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018526929A JP6811776B2 (ja) | 2015-11-27 | 2016-11-18 | Early-warning decision method, node, and sub-system |
EP16867923.1A EP3382973B1 (en) | 2015-11-27 | 2016-11-18 | Early-warning decision method, node and sub-system |
KR1020187014569A KR20180088392A (ko) | 2015-11-27 | 2016-11-18 | Early-warning decision method, node and sub-system |
US15/990,474 US11102240B2 (en) | 2015-11-27 | 2018-05-25 | Early-warning decision method, node and sub-system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510846433.3 | 2015-11-27 | ||
CN201510846433.3A CN106817340B (zh) | 2015-11-27 | 2015-11-27 | Early-warning decision method, node and sub-system |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/990,474 Continuation US11102240B2 (en) | 2015-11-27 | 2018-05-25 | Early-warning decision method, node and sub-system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017088700A1 (zh) | 2017-06-01 |
Family
ID=58763035
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/106325 WO2017088700A1 (zh) | Early-warning decision method, node and sub-system | 2015-11-27 | 2016-11-18 |
Country Status (6)
Country | Link |
---|---|
US (1) | US11102240B2 (zh) |
EP (1) | EP3382973B1 (zh) |
JP (1) | JP6811776B2 (zh) |
KR (1) | KR20180088392A (zh) |
CN (1) | CN106817340B (zh) |
WO (1) | WO2017088700A1 (zh) |
2015
- 2015-11-27 CN CN201510846433.3A patent/CN106817340B/zh active Active
2016
- 2016-11-18 WO PCT/CN2016/106325 patent/WO2017088700A1/zh active Application Filing
- 2016-11-18 KR KR1020187014569A patent/KR20180088392A/ko unknown
- 2016-11-18 JP JP2018526929A patent/JP6811776B2/ja active Active
- 2016-11-18 EP EP16867923.1A patent/EP3382973B1/en active Active
2018
- 2018-05-25 US US15/990,474 patent/US11102240B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
KR20180088392A (ko) | 2018-08-03 |
CN106817340A (zh) | 2017-06-09 |
EP3382973A1 (en) | 2018-10-03 |
US20180278646A1 (en) | 2018-09-27 |
EP3382973B1 (en) | 2020-09-09 |
JP2018535612A (ja) | 2018-11-29 |
EP3382973A4 (en) | 2019-07-03 |
CN106817340B (zh) | 2020-05-08 |
US11102240B2 (en) | 2021-08-24 |
JP6811776B2 (ja) | 2021-01-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16867923; Country of ref document: EP; Kind code of ref document: A1 |
 | ENP | Entry into the national phase | Ref document number: 20187014569; Country of ref document: KR; Kind code of ref document: A |
 | WWE | Wipo information: entry into national phase | Ref document number: 2018526929; Country of ref document: JP |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWE | Wipo information: entry into national phase | Ref document number: 2016867923; Country of ref document: EP |