
CN104539471A - Bandwidth metering method and device and computer equipment - Google Patents


Info

Publication number: CN104539471A
Application number: CN201410720574.6A
Authority: CN (China)
Legal status: Granted
Other versions: CN104539471B (en)
Other languages: Chinese (zh)
Prior art keywords: node, data, flows, traffic data, bandwidth
Inventors: 陈云飞, 谢瑞俊, 熊亚军
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd


Abstract

The invention provides a bandwidth metering method, device and computer equipment. The method includes: acquiring collected traffic data of a node egress, the node egress being used to connect the node to the external network; when a traffic surge at the node is detected from the traffic data, judging whether a network attack event exists according to the attack characteristics of network attack events and/or the network attack alarm information of devices within the node; if the judgment is that no network attack event exists, using the traffic data as traffic data for node bandwidth metering, and otherwise not using it as traffic data for node bandwidth metering. The technical solution improves the accuracy of bandwidth metering and thereby avoids unreasonable results in other metering applications of bandwidth.

Description

Bandwidth metering method, device and computer equipment

Technical field

The invention relates to the technical field of the Internet, and in particular to a bandwidth metering method, device and computer equipment.

Background

The Internet is in very wide use in today's society: people use it to send and receive e-mail, look up information, shop, watch video, listen to music, play games and chat. It has become an important part of people's work and leisure.

Using the Internet usually involves the concept of bandwidth. Bandwidth matters not only to households, offices and public venues connected to the Internet, but also to Internet companies; for example, for the owner or user of an IDC (Internet Data Center) node, the ISP (Internet Service Provider) charges fees according to the external-network bandwidth (also called Internet bandwidth) that the IDC node uses.

At present, bandwidth metering methods generally include: collecting, at regular or irregular intervals, traffic data at the node egress connected to the external network (such as a switch port connected to the external network), and using the collected traffic data as the base traffic data for computing the external-network bandwidth used by the equipment.

In the course of implementing the invention, the inventors found that network attack events cause abnormal traffic at the node egress, so the traffic data collected at that time is not trustworthy. Such data affects the accuracy of metering the external-network bandwidth used by the equipment and, further, has adverse effects on other metering applications of bandwidth, such as the fairness of bandwidth fee metering.

Summary of the invention

One of the technical problems solved by the invention is to improve the accuracy of bandwidth metering, and thereby to avoid unreasonable results in other metering applications of bandwidth.

According to an embodiment of one aspect of the invention, a bandwidth metering method is provided, including: acquiring collected traffic data of a node egress, the node egress being used to connect the node to the external network; when a traffic surge at the node is detected from the traffic data, judging whether a network attack event exists according to the attack characteristics of network attack events and/or the network attack alarm information of devices within the node; if no network attack event exists, using the traffic data as traffic data for node bandwidth metering, and otherwise not using it as such.

According to an embodiment of another aspect of the invention, a bandwidth metering device is provided, including: a traffic data acquisition module adapted to acquire collected traffic data of a node egress, the node egress being used to connect the node to the external network; and a traffic data management module adapted, when a traffic surge at the node is detected from the traffic data, to judge whether a network attack event exists according to the attack characteristics of network attack events and/or the network attack alarm information of devices within the node, and, if no network attack event exists, to use the traffic data as traffic data for node bandwidth metering, and otherwise not to use it as such.

According to an embodiment of a further aspect of the invention, computer equipment is also provided that includes the foregoing bandwidth metering device.

Because the invention, upon determining that a traffic surge has occurred at the node egress connected to the network, judges whether a network attack event has occurred and, if so, does not use the collected traffic data for node bandwidth metering, untrustworthy records within the collected traffic data are kept out of node bandwidth metering. This avoids the adverse effect of untrustworthy traffic data on the accuracy of metering the external-network bandwidth used by the equipment; the technical solution therefore improves the accuracy of bandwidth metering and thereby avoids unreasonable results in other metering applications of bandwidth.

Those of ordinary skill in the art will understand that, although the detailed description below refers to the illustrated embodiments and accompanying drawings, the invention is not limited to these embodiments. Rather, the scope of the invention is broad and is intended to be limited only by the appended claims.

Description of the drawings

Other features, objects and advantages of the invention will become more apparent from the detailed description of non-limiting embodiments made with reference to the following drawings:

Fig. 1 is a flowchart of a bandwidth metering method according to an embodiment of the invention;

Fig. 2 is a schematic diagram of bandwidth metering according to another embodiment of the invention;

Fig. 3 is a flowchart of a bandwidth metering method according to another embodiment of the invention;

Fig. 4 is a flowchart of locating and auditing suspected network attack events in Fig. 3;

Fig. 5 is a schematic diagram of a bandwidth metering device according to yet another embodiment of the invention.

The same or similar reference numerals in the drawings denote the same or similar components.

Detailed description

The invention is described in further detail below with reference to the accompanying drawings.

Embodiment 1: bandwidth metering method.

Fig. 1 is a flowchart of the bandwidth metering method according to Embodiment 1 of the invention. The bandwidth metering in this embodiment may also be called external-network bandwidth metering, and should be understood in a broad sense: it covers not only metering the network bandwidth used by the node but also metering of bandwidth fees and similar quantities. The method of this embodiment is mainly carried out by the operating system or a processing controller of computer equipment, which may be called the bandwidth metering device. The computer equipment includes, but is not limited to, at least one of: a single computer, a group of computers, a single network server, a group of network servers, and a cloud built from a large number of computers or network servers; here cloud computing is a form of distributed computing, a super virtual computer made up of a set of loosely coupled computers.

In Fig. 1, S100: acquire the collected traffic data of the node egress.

Specifically, the node egress in this embodiment is used to connect the node to the external network. It usually comprises device ports that connect to the external network and whose bandwidth metering reveals the external-network bandwidth used by the node. The node egress may be a single device port connecting the node to the external network, several such ports, or even all such ports. In addition, the interior of the node typically forms an intranet.

As a specific example, for an IDC node the egress connected to the external network is usually the device port(s) in the IDC node that connect to ISP-side equipment, such as one or more switch ports used for that connection. In other scenarios the node egress may be a router port in the node, and so on. This embodiment does not limit the concrete form of the node egress connected to the external network.

Acquiring the collected traffic data of the node egress may be done during the traffic collection process (that is, the bandwidth metering of this embodiment runs while traffic data is being collected) or after collection has finished.

The traffic collection process for the node egress may be as follows: after a collection command is received, an OID (Object Identifier) is taken from the information carried by the command; the OID uniquely identifies a particular attribute or state object of a network device (such as device name, system version, fan temperature or device port traffic); after the corresponding device port and traffic parameters are determined from the OID, the traffic data of that port is collected.

In this embodiment the traffic data of the node egress may be collected with an existing collection tool; for example, the existing SNMP-Probe (Simple Network Management Protocol probe) tool may be used. The details of collection are not described further here.

The collected traffic data of the node egress forms a traffic data set, which may take the form of a table or a database; for example, the collected traffic data may be stored as an RRD (Round Robin Database).

The collected traffic data should reflect not only the total traffic of the node egress but also its inflow and outflow; in addition, where the node egress comprises several device ports, the traffic data may reflect both the traffic of each port and the total traffic of all ports.

In this embodiment the acquired traffic data may be read out one record at a time from the collected traffic data set, in storage order.

S110: judge from the traffic data whether the node shows a traffic surge; if so, go to S120, otherwise go to S130.

Specifically, historical traffic data of the node egress may be consulted to judge whether a traffic surge has occurred. The historical data must have been collected earlier than the data acquired in S100: it may be data collected in the previous minutes or tens of minutes, the previous hours or tens of hours, or the previous days (for example the previous seven days), such as data collected during the same period on each of the previous days. The historical traffic data here is usually the raw data as originally collected and stored.

The traffic data acquired in S100 may be compared with the historical data to judge whether a surge has occurred. The data compared may be the traffic of one device port connected to the external network, the sum over several such ports, or even the sum over all such ports; the historical data must be taken on the same basis (one port, or the same sum of ports) as the acquired data.

One concrete way to judge a surge is to test whether the increase of the acquired traffic data over the historical data exceeds a first predetermined increase threshold: if it does, the node is deemed to show a traffic surge, otherwise it is not. The increase may be the difference between the acquired and historical data, or that difference as a percentage of the historical data. The historical data here may be a value selected from the data of a historical period, such as the maximum over that period.

Another concrete way is to test whether the increase of the acquired traffic data over the mean of several historical values exceeds the first predetermined increase threshold: if it does, the node is deemed to show a surge, otherwise not. The increase may be the difference between the acquired data and the mean, or that difference as a percentage of the mean.

The data acquired in S100 may also be compared with the historical data in other ways; this embodiment does not limit the concrete way in which a traffic surge is detected.

S120: judge whether a network attack event exists according to the attack characteristics of network attack events and/or the network attack alarm information of devices in the intranet; if no attack event exists, go to S130; if one exists, go to S140.

Specifically, the judgment may use only the attack characteristics of network attack events, only the network attack alarm information of devices in the node (that is, devices in the intranet), or both combined.

Usually, when a network attack occurs, the inflow at the node egress (in-direction traffic) and the outflow (out-direction traffic) differ from their normal pattern; for example, the inflow is usually far higher than the outflow. The attack characteristic in this embodiment can therefore be expressed through the relation between inflow and outflow at the node egress: whether their difference exceeds a predetermined difference, whether their ratio exceeds a predetermined ratio, or whether the inflow as a percentage of inflow plus outflow exceeds a predetermined percentage. Other forms of attack characteristic may also be used, such as the traffic waveform at the node egress.

The network attack alarm information of devices in the node is the alarm information produced by other network devices, such as servers or gateway devices, in the intranet where the externally connected device sits.

Before the attack judgment of this step, the surge found earlier may be screened further against the historical traffic data of the node egress that was used for node bandwidth metering, so as to avoid unnecessary attack judgments. That historical data is trusted historical data, for example historical data from which untrustworthy records were already removed by the method of the invention. It must have been collected earlier than the historical data used in S110, for example data for the same period in the previous month or previous months, or for the same period last year. "Same period" here may mean the same time on the same day (or the same day of the same month), or the highest value on that day.

A concrete example of this screening: test whether the increase of the acquired traffic data over the highest same-day trusted traffic value of the previous three months exceeds a second predetermined increase threshold; if so, the subsequent attack judgment is needed, otherwise it is not and processing of this record ends. The increase may be the difference between the acquired data and that highest historical value, or that difference as a percentage of the highest historical value.

A concrete process for judging an attack from attack characteristics: determine the inflow and outflow of the node egress from the acquired traffic data and test whether they meet a certain condition, such as whether the inflow is far greater than the outflow; if the condition is met, a network attack event is deemed to exist, otherwise not.

A concrete process for judging an attack from the alarm information of devices in the node: obtain the network attack alarm information of other devices in the node and test whether the alarm time and the collection time of the acquired traffic data meet a certain condition, for example whether their difference lies within a predetermined range; if so, a network attack event is deemed to exist, otherwise not.

A concrete process combining both: determine the inflow and outflow of the node egress from the acquired traffic data and test whether they meet a certain condition, such as whether the inflow is far greater than the outflow; if not, processing of this record ends; if so, obtain the network attack alarm information of other devices in the node and test whether the alarm time and the collection time of the acquired traffic data meet a certain condition, for example whether their difference lies within a predetermined range; if so, a network attack event is deemed to exist, otherwise not.

S130: Use the obtained traffic data as traffic data for node bandwidth metering; the present processing of the collected traffic data of the node exit ends. In addition, if other collected traffic data of the node exit still need to be processed, the method may return to S100.

Specifically, this embodiment may retain the traffic data in the traffic data set, or may store the traffic data in a new traffic data set, for example a trusted traffic data set; the new traffic data set may take the form of a table or a database, and the trusted traffic data may, for example, be stored in RRD form.

Where all traffic data in the traffic data set are to be processed by the method of this embodiment, this step may also judge whether the currently obtained traffic data is the last traffic data in the traffic data set; if it is the last traffic data in the traffic data set, the bandwidth metering method of this embodiment ends, and if it is not, the method returns to S100. The traffic data set in this embodiment may be the traffic data of one bandwidth billing period, such as the traffic data of one month.

S140: Do not use the traffic data as traffic data for node bandwidth metering; the present processing of the collected traffic data of the node exit ends. In addition, if other collected traffic data of the node exit still need to be processed, the method may return to S100.

Specifically, this embodiment may delete the traffic data directly from the traffic data set, or may simply not store the traffic data in the new traffic data set, for example not store it in the trusted traffic data set. Where all traffic data in the traffic data set are to be processed by the method of this embodiment, this step may also judge whether the currently obtained traffic data is the last traffic data in the traffic data set; if it is the last traffic data in the traffic data set, the bandwidth metering method of this embodiment ends, and if it is not, the method returns to S100.

After the operations of the steps described above have been performed, this embodiment has obtained all of the trusted traffic data, and bandwidth metering performed with the obtained trusted traffic data yields an accurate bandwidth metering value; other metering applications of bandwidth that use the obtained trusted traffic data also produce good metering results, for example, bandwidth fee metering performed with the obtained trusted traffic data yields a reasonable bandwidth fee metering result.

The trusted traffic data obtained in this embodiment may also be applied to the scenario of selecting a bandwidth billing method. Specifically, for the multiple bandwidth billing methods currently in use (that is, multiple billing rules), bandwidth billing may be performed with the obtained trusted traffic data separately under each bandwidth billing method, so as to obtain multiple bandwidth billing results; the multiple bandwidth billing results are then weighed against the actual billing requirement (that is, the predetermined billing requirement), so that a billing method better matching the actual billing requirement can subsequently be negotiated, whereby bandwidth fee metering can favour the bandwidth user, for example by lowering the cost of bandwidth use. The multiple bandwidth billing methods in this embodiment may include one or more of the 95th-percentile ("95") billing method, the peak billing method and the third-peak billing method. This embodiment does not limit the specific implementation of the bandwidth billing methods or the number of bandwidth billing methods that take part in bandwidth billing.

Embodiment 2: bandwidth fee metering method. The method of this embodiment provides a complete solution for the collection and storage of traffic data, the bandwidth metering and the selection of a bandwidth billing method for an IDC node's use of external network bandwidth. The method of this embodiment is described below with reference to FIGS. 2-4.

The IDC node of this embodiment is connected to the external network through two switches in the internal network. As shown in FIG. 2, the IDC-A external network core switch in the IDC node is connected to the ISP-A switch, and the IDC-B external network core switch is connected to the ISP-B switch. The traffic data (that is, the raw traffic data) of the data exchange between the IDC-A external network core switch and the external network's ISP-A switch are collected periodically by traffic collection server A using the SNMP_Probe tool, and the traffic data (that is, the raw bandwidth data) of the data exchange between the IDC-B external network core switch and the external network's ISP-B switch are collected periodically by traffic collection server B using the SNMP_Probe tool; traffic collection server A and traffic collection server B can each provide the traffic data they periodically collect to an RRD storage server, and the RRD storage server stores the traffic data in RRD file form; a billing bandwidth computation service performs bandwidth metering on the traffic data stored in the RRD storage server and traverses the bandwidth billing methods.

A more detailed data flow of this embodiment is shown in FIG. 3.

In FIG. 3, the DC (Data Center) stores the description information of the IDC node exits; for example, the network management data system of the DC stores the asset information and the OID of each port. The SNMP_Probe tool collects traffic data (that is, raw bandwidth data) according to the OIDs it receives, and the traffic data are stored in RRD file form (for example, in an RRD database). A suspected-attack location audit is performed on the traffic data stored in RRD file form, and according to the result of that audit the traffic data collected while a network attack event was occurring are removed from the raw bandwidth data. The traffic data remaining after the removal operation are applied to multiple billing methods (that is, multiple billing rules), and the bandwidth billing computation is performed separately under each; by comparing the results of the various bandwidth billing computations, a billing method favourable to the IDC node can be selected, for example the billing method with the lowest bandwidth billing cost. In addition, the above bandwidth billing computation results can also be used to verify the billing computation results provided by the ISP, so as to supervise the ISP's bandwidth billing.

One implementation of the location audit of suspected network attack events in FIG. 3 is shown in FIG. 4.

In FIG. 4, step S402 first obtains the identifier of the network port corresponding to the IDC node exit; the process then proceeds to step S403, which queries and reads the current traffic data of the IDC node exit (that is, the current bandwidth value) from the RRD database according to that identifier; it then proceeds to step S404, which judges whether the increase relative to recent historical traffic data (such as the historical traffic data of the previous minute, or of the same moment in the previous seven days) exceeds a predetermined increase threshold. If the predetermined increase threshold is not exceeded, the traffic data is retained and the process returns to step S403, querying and reading the current traffic data of the IDC node exit according to the identifier, so as to judge the next current traffic data in the RRD database; if the predetermined increase threshold is exceeded, a surge alarm is raised in step S405. The process then proceeds to step S408, which screens the surge alarm event so that step S407 determines whether a suspected attack event exists. A suspected attack event may be further confirmed: if it is further confirmed that a suspected attack event exists, the suspected attack event is retained in step S406 and the process returns to step S403, querying and reading the current traffic data of the IDC node exit according to the identifier, so as to judge the next current traffic data in the RRD database; if it is further confirmed that no suspected attack event exists, the suspected attack event is deleted in step S409 and the process returns to step S403, querying and reading the current traffic data of the IDC node exit according to the identifier, so as to judge the next current traffic data in the RRD database.

The above screening of surge alarm events can be implemented according to whether the increase relative to longer-term historical traffic data used for bandwidth metering (such as the historical traffic data of the same moment in the previous month, or of the same moment last year) exceeds a predetermined increase threshold. The further confirmation of a suspected attack event can be implemented according to the attack characteristics of network attack events and the network attack alarm information of the devices in the node; for details, see the description in Embodiment 1 above, which is not repeated here.

Embodiment 3: bandwidth metering device. The structure of the device is shown in FIG. 5.

In FIG. 5, the bandwidth metering device mainly includes a traffic data acquisition module 500 and a traffic data management module 510, and the device may further include a traffic data collection module 520 and a bandwidth billing management module 530.

The traffic data acquisition module 500 is mainly adapted to obtain the collected traffic data of the node exit, the node exit being used to connect the node to the external network.

Specifically, the operation by which the traffic data acquisition module 500 obtains the collected traffic data of the node exit may be performed during the traffic data collection process (that is, the bandwidth metering operation of this embodiment is performed while the traffic data are being collected), or after the traffic data collection process has ended. The collected traffic data of the node exit obtained by the traffic data acquisition module 500 may be traffic data read one at a time, in storage order, from the collected traffic data set of the node exit. The traffic data set may be the traffic data of one bandwidth billing period, such as the traffic data of one month.

The traffic data management module 510 is mainly adapted to judge, when a traffic surge at the node is detected according to the traffic data, whether a network attack event exists according to the attack characteristics of network attack events and/or the network attack alarm information of the devices in the node; if the judgment result is that no network attack event exists, the obtained traffic data is used as traffic data for node bandwidth metering, otherwise the obtained traffic data is not used as traffic data for node bandwidth metering.

Specifically, the traffic data management module 510 may refer to the historical traffic data of the node exit to judge whether a traffic surge has occurred at the node. The collection time of the historical traffic data here should be earlier than the collection time of the traffic data obtained by the traffic data acquisition module 500; the historical traffic data may be traffic data collected in the preceding few minutes or tens of minutes, in the preceding few hours or tens of hours, or in the preceding few days (such as the preceding seven days), for example the traffic data collected in the same time period on the preceding days. In addition, the historical traffic data here is usually the traffic data originally collected and stored by the traffic data collection module 520.

The traffic data management module 510 may compare the traffic data obtained by the traffic data acquisition module 500 with the aforementioned historical traffic data in order to judge whether a traffic surge has occurred at the node.

One specific example of the traffic data management module 510 judging whether a traffic surge has occurred at the node is as follows: the traffic data management module 510 judges whether the increase of the traffic data obtained by the traffic data acquisition module 500 relative to the historical traffic data exceeds a first predetermined increase threshold; if it does, the detection result is that a traffic surge has occurred at the node, otherwise the detection result is that no traffic surge has occurred at the node. In this example, the increase of the obtained traffic data relative to the historical traffic data may be the difference between the obtained traffic data and the historical traffic data, or that difference as a percentage of the historical traffic data, and so on. The historical traffic data may be traffic data selected by the traffic data management module 510 from the traffic data of a historical time period, for example the maximum value that the traffic data management module 510 selects from the traffic data of a certain historical time period.

Another specific example of the traffic data management module 510 judging whether a traffic surge has occurred at the node is as follows: the traffic data management module 510 judges whether the increase of the traffic data obtained by the traffic data acquisition module 500 relative to the mean of multiple historical traffic data exceeds the first predetermined increase threshold; if it does, the detection result is that a traffic surge has occurred at the node, otherwise the detection result is that no traffic surge has occurred at the node. In this example, the increase of the obtained traffic data relative to the mean of multiple historical traffic data may be the difference between the obtained traffic data and that mean, or that difference as a percentage of the mean, and so on.

The traffic data management module 510 may also compare the traffic data obtained by the traffic data acquisition module 500 with the aforementioned historical traffic data in other ways in order to judge whether a traffic surge has occurred at the node; this embodiment does not limit the specific implementation by which the traffic data management module 510 judges whether a traffic surge has occurred at the node.

The traffic data management module 510 may judge whether a network attack event exists according to the attack characteristics of network attack events alone, or according to the network attack alarm information of the devices in the node (that is, the devices in the internal network) alone, or by combining the attack characteristics of network attack events with the network attack alarm information of the devices in the node.

Before judging whether a network attack event exists, the traffic data management module 510 may use the historical traffic data for node bandwidth metering of the node exit connected to the external network to further screen the traffic surge it previously determined, so as to avoid performing unnecessary network attack event judgment operations. The historical traffic data for node bandwidth metering here is trusted historical traffic data; for example, it may be historical traffic data from which the device has previously removed the untrusted traffic data. The historical traffic data for node bandwidth metering may be the historical traffic data of the same period in the previous month or in the previous few months, or of the same period last year. The historical traffic data of the same period here may be the historical traffic data of the same moment of the same day, or of the same moment of the same day of the same month, or the highest historical traffic data of the same day, or of the same day of the same month.

One specific example of the traffic data management module 510 using the historical traffic data for node bandwidth metering of the node exit connected to the external network to further screen the previously determined traffic surge is as follows: the traffic data management module 510 judges whether the increase of the traffic data obtained by the traffic data acquisition module 500 relative to the highest same-day historical traffic data for node bandwidth metering of the node exit connected to the external network in the previous three months exceeds a second predetermined increase threshold; if it does, it is determined that the subsequent network attack event judgment operation is needed, otherwise it is determined that the subsequent network attack event judgment is not needed, and the present processing by the traffic data management module 510 of the collected traffic data of the node exit ends. The increase of the traffic data obtained by the traffic data acquisition module 500 relative to the highest same-day historical traffic data for node bandwidth metering of the previous three months may be the difference between the obtained traffic data and that highest historical traffic data, or that difference as a percentage of the highest historical traffic data.
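The two-stage surge screening just described (the first threshold against raw recent history as in the two examples for module 510, then the second threshold against the highest same-day trusted readings of the previous three months, applied sample by sample as in the S403/S404 loop of FIG. 4) is shown below as an added example. This is illustrative code, not the patent's or Baidu's implementation; it assumes that the increase is expressed as a percentage of the reference value, that the raw history is a sliding window of same-moment readings, and that all sample values and thresholds are constructed.

```python
"""Two-stage surge screening over a series of node-exit samples.

Added example, not the patent's code. Assumed: samples are bandwidth readings
in Mbit/s, the "increase" is a percentage of the reference value, and the
thresholds and sample values are constructed.
"""
from statistics import mean


def percent_increase(current, reference):
    """Increase of `current` over `reference`, as a percentage of `reference`."""
    if reference <= 0:
        return float("inf") if current > 0 else 0.0
    return (current - reference) / reference * 100.0


def is_surge(current, recent_history, threshold_pct, use_mean=False):
    """First-stage check against the raw recent history (first predetermined
    increase threshold). The reference is the maximum of the window, or its
    mean when `use_mean` is set, matching the two examples given for module 510."""
    reference = mean(recent_history) if use_mean else max(recent_history)
    return percent_increase(current, reference) > threshold_pct


def needs_attack_check(current, trusted_same_day_maxima, threshold_pct):
    """Second-stage screening against trusted history (second predetermined
    increase threshold): the reference is the highest same-day value kept for
    metering in each of the previous three months."""
    reference = max(trusted_same_day_maxima)
    return percent_increase(current, reference) > threshold_pct


def screen_samples(samples, recent_window, trusted_same_day_maxima,
                   first_threshold_pct, second_threshold_pct):
    """Walk the samples in storage order and label each "retain" or "suspect".
    Only "suspect" samples go on to the attack-event judgment. The raw history
    window slides forward with every collected sample, surge or not, because
    the recent history is the raw data as collected."""
    decisions = []
    history = list(recent_window)
    for value in samples:
        if not is_surge(value, history, first_threshold_pct):
            decisions.append("retain")
        elif not needs_attack_check(value, trusted_same_day_maxima,
                                    second_threshold_pct):
            decisions.append("retain")  # a rise that trusted history already explains
        else:
            decisions.append("suspect")
        history = (history + [value])[-len(recent_window):]
    return decisions


# Constructed data: same-moment raw readings from the previous seven days,
# highest same-day trusted readings from the previous three months, and the
# readings being processed now.
RECENT_SEVEN_DAYS = [100, 110, 105, 120, 115, 108, 112]
TRUSTED_SAME_DAY_MAXIMA = [180, 175, 190]
TODAY_SAMPLES = [118, 130, 240, 400, 121]
FIRST_THRESHOLD_PCT = 20.0
SECOND_THRESHOLD_PCT = 30.0


def demo():
    return screen_samples(TODAY_SAMPLES, RECENT_SEVEN_DAYS, TRUSTED_SAME_DAY_MAXIMA,
                          FIRST_THRESHOLD_PCT, SECOND_THRESHOLD_PCT)


if __name__ == "__main__":
    for value, decision in zip(TODAY_SAMPLES, demo()):
        print(f"{value:6.1f} Mbit/s -> {decision}")
```

With the constructed inputs, 240 Mbit/s trips the first threshold (100% over the seven-day maximum of 120) but stays within 30% of the trusted three-month maximum of 190, so it is retained without an attack check; 400 Mbit/s exceeds both thresholds and is handed to the attack-event judgment. Note that the raw window now contains the 240 reading, so the second threshold against trusted history is what keeps a slowly escalating flood from normalising itself.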

One specific process by which the traffic data management module 510 judges whether a network attack event exists according to the attack characteristics of network attack events includes: the traffic data management module 510 determines the inbound traffic and the outbound traffic of the node exit according to the obtained traffic data, and judges whether the inbound traffic and the outbound traffic of the node exit meet a certain condition, such as whether the inbound traffic of the node exit is far greater than the outbound traffic of the node exit; if the condition is met, the traffic data management module 510 determines that a network attack event exists, and if it is not met, the traffic data management module 510 determines that no network attack event exists.

One specific process by which the traffic data management module 510 judges whether a network attack event exists according to the network attack alarm information of the devices in the node includes: the traffic data management module 510 obtains the network attack alarm information of other devices in the node, and judges whether the alarm time corresponding to the obtained network attack alarm information and the collection time of the obtained traffic data satisfy a certain condition, for example, whether the difference between the alarm time and the collection time falls within a predetermined time difference range; if the condition is satisfied, the traffic data management module 510 determines that a network attack event exists, and if it is not satisfied, the traffic data management module 510 determines that no network attack event exists.

One specific process by which the traffic data management module 510 judges whether a network attack event exists according to both the attack characteristics of network attack events and the network attack alarm information of the devices in the node includes: the traffic data management module 510 determines the inbound traffic and the outbound traffic of the node exit according to the traffic data obtained by the traffic data acquisition module 500, and judges whether the inbound traffic and the outbound traffic of the node exit meet a certain condition, such as whether the inbound traffic of the node exit is far greater than the outbound traffic of the node exit; if the judgment result is that the condition is not met, the present processing of the collected traffic data of the node exit connected to the external network ends; if the judgment result is that the condition is met, the network attack alarm information of other devices in the node is obtained, and it is judged whether the alarm time corresponding to the obtained network attack alarm information and the collection time of the obtained traffic data satisfy a certain condition, for example, whether the difference between the alarm time and the collection time falls within a predetermined time difference range; if the condition is satisfied, the traffic data management module 510 determines that a network attack event exists, and if it is not satisfied, the traffic data management module 510 determines that no network attack event exists.
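The three judgment variants described for module 510 above, and for Embodiment 1 earlier on this page (attack characteristics alone, device alarm information alone, or the two combined with the characteristic checked first), are shown below as an added example; it is not the patent's or Baidu's code. It assumes that "inbound far greater than outbound" means the inbound/outbound ratio reaches a threshold, that an alarm "matches" when its absolute time distance from the collection time is within the predetermined difference, and that the samples, the device name and the thresholds are constructed.

```python
"""Attack-event judgment for surge-flagged traffic samples.

Added example, not the patent's code. Assumed: the attack characteristic is
an inbound/outbound ratio at or above a threshold, alarms are matched by
absolute time distance from the collection time, and all sample values,
device names and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TrafficSample:
    collected_at: datetime
    inbound_mbps: float     # traffic entering the node through the exit
    outbound_mbps: float    # traffic leaving the node through the exit


@dataclass(frozen=True)
class DeviceAlarm:
    device: str             # a device inside the node (internal network)
    raised_at: datetime
    message: str


def has_attack_signature(sample, ratio_threshold):
    """Attack characteristic: inbound traffic far greater than outbound."""
    if sample.outbound_mbps <= 0:
        return sample.inbound_mbps > 0
    return sample.inbound_mbps / sample.outbound_mbps >= ratio_threshold


def alarm_within_window(sample, alarms, max_delta):
    """Alarm information: some device alarm lies within the predetermined
    time difference of the sample's collection time."""
    return any(abs(alarm.raised_at - sample.collected_at) <= max_delta
               for alarm in alarms)


def is_attack_event(sample, alarms, ratio_threshold, max_delta, mode="both"):
    """Judge the sample in one of the three ways the text allows: by attack
    characteristics only, by device alarms only, or by both (the cheap
    characteristic check runs first; alarms are consulted only on a match)."""
    if mode == "characteristics":
        return has_attack_signature(sample, ratio_threshold)
    if mode == "alarms":
        return alarm_within_window(sample, alarms, max_delta)
    if mode != "both":
        raise ValueError(f"unknown mode {mode!r}")
    return (has_attack_signature(sample, ratio_threshold)
            and alarm_within_window(sample, alarms, max_delta))


def split_trusted(samples, alarms, ratio_threshold, max_delta, mode="both"):
    """Partition surge-flagged samples: those without an attack event are
    kept for bandwidth metering (S130), the rest are dropped (S140)."""
    trusted, rejected = [], []
    for sample in samples:
        bucket = rejected if is_attack_event(sample, alarms, ratio_threshold,
                                             max_delta, mode) else trusted
        bucket.append(sample)
    return trusted, rejected


# Constructed inputs: three surge-flagged samples and one alarm from a
# hypothetical internal device "ids-01".
T0 = datetime(2014, 11, 3, 10, 0)
SAMPLES = [
    TrafficSample(T0, 950.0, 60.0),                          # lopsided, alarm 2 min later
    TrafficSample(T0 + timedelta(minutes=5), 900.0, 800.0),  # symmetric burst
    TrafficSample(T0 + timedelta(minutes=30), 700.0, 40.0),  # lopsided, no nearby alarm
]
ALARMS = [DeviceAlarm("ids-01", T0 + timedelta(minutes=2), "flood alarm (constructed)")]
RATIO_THRESHOLD = 10.0
MAX_DELTA = timedelta(minutes=10)


def demo():
    """Collection times of the kept and dropped samples under the combined rule."""
    trusted, rejected = split_trusted(SAMPLES, ALARMS, RATIO_THRESHOLD, MAX_DELTA)
    return [s.collected_at for s in trusted], [s.collected_at for s in rejected]


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept for metering:", [t.strftime("%H:%M") for t in kept])
    print("dropped:", [t.strftime("%H:%M") for t in dropped])
```

The constructed data show why the combined rule is the stricter one: the 10:05 sample has a nearby alarm but symmetric traffic, so an alarm-only judgment would wrongly discard a legitimate burst, while the 10:30 sample is lopsided but has no alarm within the window, so a characteristics-only judgment would discard it on traffic shape alone. Only the 10:00 sample satisfies both conditions and is removed from the metering data.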

When the traffic data management module 510 determines that a network attack event exists, it may retain the traffic data in the traffic data set, or store the traffic data in a new traffic data set, for example a trusted traffic data set; the new traffic data set may take the form of a table or a database, and the trusted traffic data may, for example, be stored in RRD file form. Where the device is to perform the above processing on all traffic data in the traffic data set, the traffic data management module 510 may also judge whether the traffic data currently obtained by the traffic data acquisition module 500 is the last traffic data in the traffic data set; if it is the last traffic data in the traffic data set, the device of this embodiment does not continue the traffic data removal processing, and if it is not, it notifies the traffic data acquisition module 500 to continue obtaining the corresponding traffic data.

When the traffic data management module 510 determines that no network attack event exists, it may delete the traffic data directly from the traffic data set, or may simply not store the traffic data in the new traffic data set, for example not store it in the trusted traffic data set. Where the device is to process all traffic data in the traffic data set, the traffic data management module 510 may also judge whether the traffic data currently obtained by the traffic data acquisition module 500 is the last traffic data in the traffic data set; if it is the last traffic data in the traffic data set, the device of this embodiment does not continue the traffic data removal processing, and if it is not, it notifies the traffic data acquisition module 500 to continue obtaining the corresponding traffic data.

The traffic data collection module 520 is mainly adapted to receive a collection command and to collect the traffic data of the corresponding device port in the node according to the object identifier carried in the collection command.

Specifically, the process by which the traffic data collection module 520 collects the traffic data of the node exit may be as follows: after receiving a collection command, the traffic data collection module 520 obtains an OID from the information carried in the collection command; the OID unambiguously identifies a certain type of collection parameter of a certain device port, and after determining the corresponding device port and traffic parameter from the OID, the traffic data collection module 520 collects the traffic data of that device port.

The traffic data collection module 520 may use an existing collection tool to collect the traffic data of the node exit; for example, the traffic data collection module 520 may use the existing SNMP-Probe tool to collect the traffic data of the node exit. The specific collection process is not described in detail here.

The traffic data of the node exit collected by the traffic data collection module 520 forms a traffic data set, which may take the form of a table or a database; for example, the collected traffic data may be stored as RRD files.

The traffic data of the node exit collected by the traffic data collection module 520 should reflect not only the total traffic of the node exit but also its inbound and outbound traffic; in addition, where the node exit comprises several device ports, the traffic data of the node exit may reflect both the traffic of each individual device port and the total traffic of all device ports.
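As an added example (not code from the patent or its assignee), the following turns raw SNMP interface counters into the node-exit traffic data the paragraph describes: per-port inbound, outbound and total rates, plus the node totals. It assumes that the object identifiers carried in a collection command are IF-MIB ifHCInOctets and ifHCOutOctets instance OIDs suffixed with the ifIndex of the device port; the patent does not say which objects it polls, and the readings below are constructed.

```python
"""Node-exit traffic data from SNMP interface counters.

Added example. Assumption: the object identifiers in a collection command are
IF-MIB ifHCInOctets (.6) / ifHCOutOctets (.10) instance OIDs, suffixed with the
ifIndex of the device port. The readings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"     # IF-MIB ifHCInOctets column
IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"   # IF-MIB ifHCOutOctets column
COUNTER64_MOD = 2 ** 64


@dataclass(frozen=True)
class Reading:
    ts: int      # collection time, seconds
    oid: str     # instance OID, e.g. ifHCInOctets.3
    value: int   # Counter64 value


def parse_oid(oid: str) -> Tuple[str, int]:
    """Map an instance OID to (direction, ifIndex).

    Any OID outside the two accepted columns raises, so a collection command
    carrying an unexpected object is rejected instead of being metered."""
    column, _, index = oid.rpartition(".")
    if column == IF_HC_IN_OCTETS:
        return "in", int(index)
    if column == IF_HC_OUT_OCTETS:
        return "out", int(index)
    raise ValueError(f"unsupported OID for traffic collection: {oid}")


def counter_rate_bps(prev: Reading, cur: Reading) -> float:
    """Bits per second between two readings of the same counter.

    A smaller current value means the 64-bit counter wrapped (or the device
    rebooted); reducing the delta modulo 2**64 treats it as a single wrap."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("readings must be strictly increasing in time")
    delta = (cur.value - prev.value) % COUNTER64_MOD
    return delta * 8 / dt


def node_exit_traffic(readings: List[Reading]) -> Dict[str, Dict]:
    """Per-port in/out/total and node totals from the two latest readings
    of each counter. Returns {"ports": {ifIndex: {...}}, "node": {...}}."""
    series: Dict[Tuple[str, int], List[Reading]] = {}
    for r in readings:
        series.setdefault(parse_oid(r.oid), []).append(r)

    ports: Dict[int, Dict[str, float]] = {}
    for (direction, index), rs in series.items():
        rs.sort(key=lambda r: r.ts)
        if len(rs) < 2:
            continue                       # a single reading gives no rate
        port = ports.setdefault(index, {"in": 0.0, "out": 0.0})
        port[direction] = counter_rate_bps(rs[-2], rs[-1])
    for port in ports.values():
        port["total"] = port["in"] + port["out"]

    node = {k: sum(p[k] for p in ports.values()) for k in ("in", "out", "total")}
    return {"ports": ports, "node": node}


# Constructed readings: two exit ports (ifIndex 1 and 2), 60 s apart.
# Port 1 outbound wraps its 64-bit counter between the two readings.
READINGS = [
    Reading(0,  IF_HC_IN_OCTETS + ".1", 1_000),
    Reading(60, IF_HC_IN_OCTETS + ".1", 1_000 + 7_500_000),       # 1 Mbit/s
    Reading(0,  IF_HC_OUT_OCTETS + ".1", COUNTER64_MOD - 250_000),
    Reading(60, IF_HC_OUT_OCTETS + ".1", 500_000),                 # 100 kbit/s after wrap
    Reading(0,  IF_HC_IN_OCTETS + ".2", 0),
    Reading(60, IF_HC_IN_OCTETS + ".2", 15_000_000),               # 2 Mbit/s
    Reading(0,  IF_HC_OUT_OCTETS + ".2", 0),
    Reading(60, IF_HC_OUT_OCTETS + ".2", 3_750_000),               # 500 kbit/s
]

if __name__ == "__main__":
    print(node_exit_traffic(READINGS))
```

Two points matter for metering rather than monitoring: the OID whitelist in `parse_oid`, so that a collection command cannot make the collector bill on an arbitrary object, and the modulo-2**64 delta, without which a counter wrap on a busy port would produce a negative (or, with 32-bit ifInOctets, a wildly wrong) rate that later looks like a surge.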

The bandwidth billing management module 530 is mainly adapted to perform bandwidth billing separately under several billing methods according to the traffic data used for node bandwidth metering, and to select, according to the respective billing results, the billing method that meets a predetermined billing requirement.

Specifically, once the traffic data acquisition module 500 and the traffic data management module 510 have performed their respective operations, all of the trusted traffic data is available. Performing bandwidth metering on this trusted traffic data, the bandwidth billing management module 530 obtains an accurate bandwidth metering value; using the trusted traffic data for other bandwidth metering applications likewise gives good results, for example a reasonable bandwidth cost when the bandwidth billing management module 530 uses the trusted traffic data for bandwidth cost metering.

The bandwidth billing management module 530 may also implement selection of the optimal bandwidth billing method. Specifically, for the several bandwidth billing methods currently in use (that is, several billing rules), the bandwidth billing management module 530 may perform bandwidth billing separately under each method using the trusted traffic data, obtaining one billing result per method; it then weighs these results against the actual billing requirement (that is, the predetermined billing requirement) in order to select the billing method that meets it, so that bandwidth cost metering favours the bandwidth user, for example by lowering the cost of bandwidth. The billing methods used by the bandwidth billing management module 530 may include one or more of 95th-percentile billing, peak billing and third-peak billing. This embodiment does not limit the specific implementation of the billing methods used by the bandwidth billing management module 530, nor their number.
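The filtering and billing chain described above and laid out in claims 6 to 9, as an added example in Python (not code from the patent or its assignee): detect a surge against raw history, re-check it against the history already used for metering, test the inbound/outbound attack signature, confirm it against device alarm times, drop confirmed attack samples from the trusted set, and bill the trusted set under 95th-percentile, peak and third-peak rules. The patent names these steps but gives no numbers, so every threshold, the alarm window, the history length, the form of the signature condition and the 5-minute sampling interval are assumptions; the sample data is constructed.

```python
"""Keep attack-inflated samples out of bandwidth metering, then compare billing methods.

Added example, not code from the patent or its assignee. The patent names the steps
but gives no numbers: every threshold, window and the 5-minute sampling interval
used here is an assumption, and the sample data is constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Traffic:
    ts: int          # collection time, epoch seconds
    in_mbps: float   # inbound at the node exit
    out_mbps: float  # outbound at the node exit

    @property
    def total(self) -> float:
        return self.in_mbps + self.out_mbps

@dataclass(frozen=True)
class Alarm:
    ts: int          # alarm time reported by a device inside the node
    device: str

@dataclass(frozen=True)
class Config:
    first_threshold: float = 1.0    # surge: more than +100% over the raw-history mean
    second_threshold: float = 1.0   # more than +100% over the trusted-history mean
    max_in_out_ratio: float = 4.0   # signature: inbound/outbound above this
    alarm_window: int = 300         # seconds between alarm time and collection time
    history_len: int = 12           # one hour of 5-minute samples
    min_history: int = 5            # accept samples until a history exists

def amplification(current: float, history: List[float]) -> float:
    if not history:
        return 0.0                        # nothing to compare against yet
    base = mean(history)
    return float("inf") if base <= 0 else (current - base) / base

def matches_attack_signature(t: Traffic, cfg: Config) -> bool:
    """Claim 8, assumed form: a flood arrives without a proportionate reply."""
    if t.out_mbps <= 0:
        return t.in_mbps > 0
    return t.in_mbps / t.out_mbps > cfg.max_in_out_ratio

def alarm_corroborates(t: Traffic, alarms: List[Alarm], cfg: Config) -> bool:
    """Claim 7: an alarm time within the window around the sample's collection time."""
    return any(abs(a.ts - t.ts) <= cfg.alarm_window for a in alarms)

def is_attack(t: Traffic, raw_hist: List[float], trusted_hist: List[float],
              alarms: List[Alarm], cfg: Config) -> bool:
    """Claims 6 and 7 in order: every step must point to an attack."""
    if amplification(t.total, raw_hist) <= cfg.first_threshold:
        return False                      # no surge at all
    if amplification(t.total, trusted_hist) <= cfg.second_threshold:
        return False                      # growth already present in metered data
    if not matches_attack_signature(t, cfg):
        return False                      # flash crowd, not a flood
    return alarm_corroborates(t, alarms, cfg)   # signature alone does not convict

def filter_trusted(samples: List[Traffic], alarms: List[Alarm],
                   cfg: Config) -> Tuple[List[Traffic], List[Traffic]]:
    """Walk the set in time order with rolling raw and trusted histories."""
    raw_hist: List[float] = []
    trusted_hist: List[float] = []
    trusted: List[Traffic] = []
    excluded: List[Traffic] = []
    for t in sorted(samples, key=lambda s: s.ts):
        attack = (len(raw_hist) >= cfg.min_history
                  and is_attack(t, raw_hist, trusted_hist, alarms, cfg))
        raw_hist = (raw_hist + [t.total])[-cfg.history_len:]
        if attack:
            excluded.append(t)
        else:
            trusted.append(t)
            trusted_hist = (trusted_hist + [t.total])[-cfg.history_len:]
    return trusted, excluded

BILLING = {
    "95th": lambda r: sorted(r, reverse=True)[int(len(r) * 0.05)],   # drop top 5%
    "peak": lambda r: max(r),
    "third_peak": lambda r: sorted(r, reverse=True)[min(2, len(r) - 1)],
}

def choose_billing(trusted: List[Traffic]) -> Tuple[str, Dict[str, float]]:
    """Claim 9: bill under every method, pick the one meeting the requirement
    (assumed here: the lowest billable rate for the bandwidth user)."""
    rates = [t.total for t in trusted]
    results = {name: fn(rates) for name, fn in BILLING.items()}
    return min(results, key=results.get), results

# Constructed data: twenty normal 5-minute samples, then three surges.
SAMPLES = [Traffic(300 * i, 100 + i % 3, 80) for i in range(20)] + [
    Traffic(6000, 900, 90),    # flood: 10:1 in/out, firewall alarm 10 s later
    Traffic(6300, 500, 450),   # flash crowd: near-symmetric, signature does not match
    Traffic(6600, 800, 100),   # signature matches, but no alarm inside the window
]
ALARMS = [Alarm(6010, "fw-1")]
```

Running `filter_trusted(SAMPLES, ALARMS, Config())` excludes only the sample at ts=6000. Two caveats follow from the patent's own ordering. First, the third surge matches the signature but has no alarm within the window, so it is metered as trusted; in practice such samples are better held for review than billed, since a device that failed to alarm is exactly the case an attacker who pads a tenant's bill would hope for. Second, with 22 samples the 95th-percentile rule discards a single value and still lands on the flash-crowd sample, which is why these comparisons only mean something over a full billing period (8,640 samples per 30 days at 5-minute intervals).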

Embodiment 4: computer equipment.

The computer equipment may be a single computer, a group of computers, a single network server, a group of network servers, or a cloud made up of a large number of computers or network servers on the basis of cloud computing. The computer equipment of this embodiment includes the bandwidth metering apparatus described in Embodiment 3 above, which is not described again here.

Those skilled in the art will appreciate that the present invention may be implemented as a device, an apparatus, a method or a computer program product. Accordingly, the present disclosure may take the form of entirely hardware, entirely software, or a combination of hardware and software.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur out of the order noted in the figures; for example, two consecutive blocks may in fact be executed substantially concurrently, or sometimes in the reverse order, depending on the functionality involved. It should further be noted that each block of the block diagrams and/or flowcharts, and combinations of such blocks, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

It should be noted that the present invention may be implemented in software and/or in a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the present invention may be executed by a processor to realize the steps or functions described above. Likewise, the software program of the present invention (including associated data structures) may be stored in a computer-readable recording medium, for example RAM, a magnetic or optical drive, a floppy disk or a similar device. In addition, some steps or functions of the present invention may be implemented in hardware, for example as circuitry that cooperates with a processor to perform the individual steps or functions.

Furthermore, part of the present invention may be applied as a computer program product, for example computer program instructions which, when executed by a computer, invoke or provide the method and/or technical solution of the present invention through the operation of that computer. The program instructions that invoke the method of the present invention may be stored in a fixed or removable recording medium, and/or transmitted as a data stream by broadcast or another signal-bearing medium, and/or stored in the working memory of the computer device that runs them. Here, one embodiment of the present invention comprises an apparatus that includes a memory for storing computer program instructions and a processor for executing them, wherein execution of the computer program instructions by the processor triggers the apparatus to operate according to the methods and/or technical solutions of the foregoing embodiments of the present invention.

It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments above and may be embodied in other specific forms without departing from its spirit or essential characteristics. The embodiments are therefore to be regarded in every respect as illustrative and not restrictive, the scope of the invention being defined by the appended claims rather than by the foregoing description; all changes that fall within the meaning and range of equivalents of the claims are therefore intended to be embraced by the invention. No reference sign in a claim should be construed as limiting that claim. The word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. Several units or devices recited in a system claim may be realized by a single unit or device in software or hardware. The words first, second and so on denote names and do not imply any particular order.

Claims (19)

1. A bandwidth metering method, comprising:
obtaining collected traffic data of a node exit, the node exit being used to connect the node to an external network;
when a traffic surge at the node is detected from the traffic data, judging whether a network attack event exists according to an attack signature of network attack events and/or network attack alarm information from devices within the node;
if the judgement is that no network attack event exists, using the traffic data as traffic data for node bandwidth metering; otherwise, not using the traffic data as traffic data for node bandwidth metering.
2. The method according to claim 1, wherein the collection process for the traffic data of the node exit comprises:
receiving a collection command, and collecting the traffic data of the corresponding device port in the node according to the object identifier carried in the collection command.
3. The method according to claim 1, wherein the traffic data of the node exit is collected using a Simple Network Management Protocol (SNMP) probe tool.
4. The method according to claim 1, wherein the traffic data of the node exit comprises the traffic data of the device port in an Internet data center (IDC) node that is connected to an Internet service provider (ISP).
5. The method according to claim 1, wherein the collected traffic data of the node exit is stored in the file format of a round-robin database (RRD).
6. The method according to claim 1, wherein detecting a traffic surge at the node from the traffic data comprises:
when the increase of the obtained traffic data relative to the collected historical traffic data of the node exit is judged to exceed a first predetermined increase threshold, detecting that a traffic surge has occurred at the node.
7. The method according to claim 6, wherein judging whether a network attack event exists according to the attack signature of network attack events and/or the network attack alarm information from devices within the node comprises:
when the increase of the obtained traffic data relative to the historical traffic data of the node exit used for node bandwidth metering is judged to exceed a second predetermined increase threshold, judging whether the obtained traffic data matches the attack signature of network attack events;
when the obtained traffic data is judged to match the attack signature of network attack events, obtaining the network attack alarm information from the devices within the node;
determining whether a network attack event exists according to the alarm time corresponding to the network attack alarm information and the collection time of the obtained traffic data;
wherein the collection time corresponding to the historical traffic data of the node exit used for node bandwidth metering is earlier than the collection time corresponding to the historical traffic data of the node exit.
8. The method according to any one of claims 1 to 7, wherein the attack signature of network attack events comprises:
the difference or the ratio between the inbound traffic of the node exit and the outbound traffic of the node exit meeting a predetermined condition.
9. The method according to any one of claims 1 to 7, further comprising:
performing bandwidth billing separately under a plurality of billing methods according to the traffic data used for node bandwidth metering;
selecting, according to the respective bandwidth billing results, the billing method that meets a predetermined billing requirement.
10. A bandwidth metering apparatus, comprising:
a traffic data acquisition module, adapted to obtain collected traffic data of a node exit, the node exit being used to connect the node to an external network;
a traffic data management module, adapted to judge, when a traffic surge at the node is detected from the traffic data, whether a network attack event exists according to an attack signature of network attack events and/or network attack alarm information from devices within the node; and, if the judgement is that no network attack event exists, to use the traffic data as traffic data for node bandwidth metering, and otherwise not to use the traffic data as traffic data for node bandwidth metering.
11. The apparatus according to claim 10, further comprising:
a traffic data collection module, adapted to receive a collection command and to collect the traffic data of the corresponding device port in the node according to the object identifier carried in the collection command.
12. The apparatus according to claim 11, wherein the traffic data collection module collects the traffic data using a Simple Network Management Protocol (SNMP) probe tool.
13. The apparatus according to claim 11, wherein the traffic data of the node exit collected by the traffic data collection module is stored in the file format of a round-robin database (RRD).
14. The apparatus according to claim 10, wherein the traffic data of the node exit comprises the traffic data of the device port in an Internet data center (IDC) node that is connected to an Internet service provider (ISP).
15. The apparatus according to claim 10, wherein the traffic data management module is specifically adapted to:
detect that a traffic surge has occurred at the node when the increase of the obtained traffic data relative to the collected historical traffic data of the node exit is judged to exceed a first predetermined increase threshold.
16. The apparatus according to claim 15, wherein the traffic data management module is specifically adapted to:
judge whether the obtained traffic data matches the attack signature of network attack events when the increase of the obtained traffic data relative to the historical traffic data of the node exit used for node bandwidth metering is judged to exceed a second predetermined increase threshold;
obtain the network attack alarm information from the devices within the node when the obtained traffic data is judged to match the attack signature of network attack events;
determine whether a network attack event exists according to the alarm time corresponding to the network attack alarm information and the collection time of the obtained traffic data;
wherein the collection time corresponding to the historical traffic data of the node exit used for node bandwidth metering is earlier than the collection time corresponding to the historical traffic data of the node exit.
17. The apparatus according to any one of claims 10 to 16, wherein the attack signature of network attack events comprises:
the difference or the ratio between the inbound traffic of the node exit and the outbound traffic of the node exit meeting a predetermined condition.
18. The apparatus according to any one of claims 10 to 16, further comprising:
a bandwidth billing management module, adapted to perform bandwidth billing separately under a plurality of billing methods according to the traffic data used for node bandwidth metering, and to select, according to the respective bandwidth billing results, the billing method that meets a predetermined billing requirement.
19. Computer equipment comprising the bandwidth metering apparatus according to any one of claims 10 to 18.
CN201410720574.6A 2014-12-01 2014-12-01 Bandwidth metering method, apparatus and computer equipment Active CN104539471B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410720574.6A CN104539471B (en) 2014-12-01 2014-12-01 Bandwidth metering method, apparatus and computer equipment

Publications (2)

Publication Number Publication Date
CN104539471A true CN104539471A (en) 2015-04-22
CN104539471B CN104539471B (en) 2018-02-23

Family

ID=52854940

Country Status (1)

Country Link
CN (1) CN104539471B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105763387A (en) * 2016-05-16 2016-07-13 北京百度网讯科技有限公司 Network traffic monitoring method and device
CN105939234A (en) * 2016-06-15 2016-09-14 乐视控股(北京)有限公司 Data monitoring method and device
CN108337218A (en) * 2017-07-20 2018-07-27 北京安天网络安全技术有限公司 A kind of method and system identifying webshell based on page access measure feature
CN109873832A (en) * 2019-03-15 2019-06-11 北京三快在线科技有限公司 Method for recognizing flux, device, electronic equipment and storage medium
CN110460498A (en) * 2019-08-22 2019-11-15 北京世纪互联宽带数据中心有限公司 A kind of flux monitoring method and system
CN113347055A (en) * 2021-04-29 2021-09-03 海南视联通信技术有限公司 Method and device for monitoring flow rate and computer readable storage medium
CN113748660A (en) * 2019-04-18 2021-12-03 奥兰治 Method and apparatus for processing an alert message indicating detection of an anomaly in traffic transmitted via a network
CN115396244A (en) * 2021-05-08 2022-11-25 北京金山云网络技术有限公司 Bandwidth scheduling management method and device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1437351A (en) * 2002-02-05 2003-08-20 华为技术有限公司 Charge method based on data flow quantity
CN1697404A (en) * 2005-06-10 2005-11-16 广东省电信有限公司研究院 System and method for detecting network worm in interactive mode
TW201001972A (en) * 2008-06-16 2010-01-01 Chunghwa Telecom Co Ltd Method applied in the packet-transmission-quantity charging network to prevent the excess-charging attack
CN103117903A (en) * 2013-02-07 2013-05-22 中国联合网络通信集团有限公司 Internet surfing unusual flow detection method and device
CN103684910A (en) * 2013-12-02 2014-03-26 北京工业大学 Abnormality detecting method based on industrial control system network traffic
CN103906110A (en) * 2012-12-25 2014-07-02 中国移动通信集团福建有限公司 Method of processing abnormal downlink flow service by GGSN (Gateway GPRS Support Node) and device
US20140258296A1 (en) * 2013-03-11 2014-09-11 Dell Products L.P. System and method for management of network monitoring information



Also Published As

Publication number Publication date
CN104539471B (en) 2018-02-23


Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant