
CN111131255A - Network private identification method and device - Google Patents


Info

Publication number
CN111131255A
Authority
CN
China
Prior art keywords
client
state information
source
port
illegal
Prior art date
Legal status
Granted
Application number
CN201911359457.0A
Other languages
Chinese (zh)
Other versions
CN111131255B (en
Inventor
班瑞
马季春
陈泉霖
郝宇飞
王鹏
邹雨佳
王佳
Current Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Priority date
Application filed by China United Network Communications Group Co Ltd and China Information Technology Designing and Consulting Institute Co Ltd
Priority to CN201911359457.0A
Publication of CN111131255A
Application granted
Publication of CN111131255B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

Embodiments of the present invention provide a network private connection identification method and device, which relate to the field of communications and are used to check for private connection behaviour in an IDC machine room and to improve checking efficiency. The method includes: acquiring first state information of a first port of a server, where the first port is used for the server to communicate with a client, the first state information indicates the source IP address and the traffic of the first port, and the source IP address is the source IP address of the access requests that the first port receives from the client; and determining, according to the first state information and a binary classification model, that the client is an illegal client, where the binary classification model is used to distinguish illegal clients from legal clients and an illegal client is a client that accesses the server illegally. The present invention is used to check for illegal clients in an IDC machine room.

Description

Network private connection identification method and device
Technical Field
The invention relates to the field of communication, in particular to a network private connection identification method and device.
Background
An Internet Data Center (IDC) machine room provides network resources and computing resources on the internet, and a customer can use those resources through a service application. However, some illegal users exploit management loopholes of the IDC machine room to connect to it privately using their own network techniques, and then provide internet services to the outside through the privately connected IDC machine room in order to earn illegal profits. This behaviour seriously damages the business of operators and disturbs the normal operation of the internet market.
At present, operators mainly check whether private connection lines exist in an IDC machine room by manual inspection. Manual inspection is prone to mistakes and omissions, its labour cost is high and its efficiency is low, so the private connection behaviour in IDC machine rooms is difficult to eliminate at the root.
Disclosure of Invention
The embodiment of the invention provides a network private connection identification method and device, which are used for checking the private connection behavior of an IDC machine room and improving the checking efficiency.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, a network private connection identification method is provided, including: acquiring first state information of a first port of a server, where the first port is used for the server to communicate with a client, the first state information indicates a source IP address and the traffic of the first port, and the source IP address is the source IP address of an access request from the client received by the first port; and determining, according to the first state information and a binary classification model, that the client is an illegal client, where the binary classification model is used to identify illegal clients and legal clients, and an illegal client is a client that illegally accesses the server.
In a second aspect, a network private connection identification apparatus is provided, including: an acquisition module for acquiring first state information of a first port of a server, where the first port is used for the server to communicate with a client, the first state information indicates a source IP address and the traffic of the first port, and the source IP address is the source IP address of an access request from the client received by the first port; and a classification module for determining, according to the first state information acquired by the acquisition module and a binary classification model, that the client is an illegal client, where the binary classification model is used to identify illegal clients and legal clients, and an illegal client is a client that illegally accesses the server.
In a third aspect, an apparatus for identifying network private connection is provided, including: a memory, a processor, a bus, and a communication interface; the memory is used for storing computer execution instructions, and the processor is connected with the memory through a bus; when the network private connection identification device is operated, the processor executes the computer execution instructions stored by the memory to enable the network private connection identification device to execute the network private connection identification method provided by the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, which includes computer-executable instructions that, when executed on a computer, cause the computer to perform the network private connection identification method as provided in the first aspect.
The embodiment of the invention provides a network private connection identification method and apparatus, the method including: acquiring first state information of a first port of a server, where the first port is used for the server to communicate with a client, the first state information indicates a source IP address and the traffic of the first port, and the source IP address is the source IP address of an access request from the client received by the first port; and determining, according to the first state information and a binary classification model, that the client is an illegal client, where the binary classification model is used to identify illegal clients and legal clients, and an illegal client is a client that illegally accesses the server. In the embodiment of the invention the first state information of the server port is acquired, and whether the client is illegal is determined by the classification model from the difference between the first state information of an illegal client and that of a legal client during network communication, so the workload of manual investigation is reduced and the investigation efficiency is improved.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an architecture in which an illegal client accesses an IDC machine room according to an embodiment of the present invention;
Fig. 2 is a first schematic flow chart of a network private connection identification method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a binary classification model according to an embodiment of the present invention;
Fig. 4 is a schematic processing flow chart of first state information according to an embodiment of the present invention;
Fig. 5 is a second schematic flow chart of a network private connection identification method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a training process of a binary classification model according to an embodiment of the present invention;
Fig. 7 is a first schematic diagram of a training process of a binary classification model according to an embodiment of the present invention;
Fig. 8 is a second schematic diagram of a training process of a binary classification model according to an embodiment of the present invention;
Fig. 9 is a third schematic diagram of a training process of a binary classification model according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of a training process of a binary classification model according to an embodiment of the present invention;
Fig. 11 is a fifth schematic diagram of a training process of a binary classification model according to an embodiment of the present invention;
Fig. 12 is a first schematic structural diagram of a network private connection identification apparatus according to an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a network private connection identification apparatus according to an embodiment of the present invention;
Fig. 14 is a third schematic structural diagram of a network private connection identification apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" is not to be construed as preferred or more advantageous than other embodiments or designs. Rather, the words "exemplary" or "for example" are used to present a concept in a concrete fashion.
It should be noted that, in the embodiments of the present invention, "of", "relevant" and "corresponding" may sometimes be used interchangeably; where the difference is not emphasised, their intended meaning is the same.
For the convenience of describing the technical solutions of the embodiments clearly, the words "first", "second" and the like are used in the embodiments of the present invention to distinguish identical or similar items that have essentially the same function and effect. Those skilled in the art will understand that the words "first", "second" and the like do not limit the number of such items or their order of execution.
Network operators provide network services to contracted customers through an IDC machine room. While the IDC machine room serves those customers, some merchants who have neither signed a contract nor been authorised exploit loopholes in the management of the IDC machine room to connect to the network privately by some network technique and provide network services to the outside, which seriously damages the legitimate revenue of the network operators.
Referring to Fig. 1, an embodiment of the present invention provides a schematic diagram of private connection behaviour in an IDC machine room: an unauthorised merchant uses a router outside the IDC machine room to establish a private connection to a router inside it, and provides network services to the outside through the external router so that others can connect to the network. Network operators mostly determine such private connection lines by manual screening. However, manual screening is inefficient and labour-intensive, and it easily misses cases.
At present, a legal client of an IDC machine room generally provides content services to the outside over bandwidth leased from the network operator, for example media services such as text, images, audio and video, whereas an illegal client that is privately connected to the IDC machine room provides a variety of network services to the outside. The traffic usage of legal and illegal clients, and conditions such as the source IP addresses with which they access the IDC machine room, therefore differ markedly. Since a legal client generally provides content services, the outflow traffic of the IDC machine room port it is connected to is far greater than the inflow traffic, so whether the client connected to that port is legal can be determined from the ratio of the port's inflow traffic to its outflow traffic. Since a legal client that leases bandwidth to provide content services generally does so from a fixed, independent source IP address, with different ports set up for different services, whether the client connected to an IDC machine room port is legal can be determined from whether the source IP address and port of the access requests received by that port change. And since a legal client rarely uses domain name resolution when providing content services, whether the client connected to an IDC machine room port is legal can be determined from the domain name resolution traffic of that port. A legal client is the client used by a contracted customer; an illegal client is the client used by a merchant who has not signed a contract for authorised network access.
Referring to Fig. 2, an embodiment of the present invention provides a network private connection identification method, which includes:
101. First state information of a first port of a server is acquired.
The first port is used for communication between the server and the client, the first state information is used for indicating a source IP address and flow of the first port, and the source IP address is a source IP address of an access request from the client received by the first port.
Specifically, the server may be the network device shown in Fig. 1 and may be configured to communicate with the client in order to provide it with a network service; the server provides that service through one of its ports. The server naturally has a plurality of ports, each of which may communicate with one client, and the first port may be any one of them.
For example, the first state information may be NetFlow information of the first port, collected by an information collection tool. Analysing the NetFlow information yields, for a given time period, the inflow traffic, the outflow traffic, the ratio of inflow traffic to outflow traffic, the number of source IP addresses and the total domain name resolution traffic of the first port; that is, the first state information includes the inflow traffic, the outflow traffic, the ratio of inflow traffic to outflow traffic, the number of source IP addresses and the total domain name resolution traffic.
It should be noted that the information collection tool may be a NetFlow tool commonly used in the art, such as a NetFlow analysis tool provided by Cisco, or a tool designed in-house; the embodiment of the present invention is not limited in this respect. The source IP address is the source IP address in an access request sent by a client to the server, and the number of source IP addresses is the number of distinct source IP addresses among the access requests from the client received by the first port. Because the port through which a client provides its network service is also fixed, the determination based on the source IP address may further be combined with the number of ports through which the client provides network services, that is, it may be made according to the sum of the number of source IP addresses and the number of such ports; here a port is a port on which the client provides a network service, such as a software port, and is distinct from the first port of the server. The total domain name resolution traffic can be obtained by analysing the traffic on port 53 in the NetFlow information, port 53 being the domain name resolution port; the total domain name resolution traffic here is the total traffic received by the server for domain name resolution.
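The aggregation of step 101 carried through in code, as an added example that is not code from the patent: constructed NetFlow-style records (field names are an assumption) for two server ports are reduced to the five fields of the first state information, with port 53 traffic counted as domain name resolution traffic and a port with no outflow handled rather than dividing by zero.

```python
from dataclasses import dataclass

DNS_PORT = 53  # the page treats traffic on port 53 as domain name resolution traffic

@dataclass
class PortState:
    """The first state information of one server port over one acquisition period."""
    inflow: int        # bytes the port received from clients (access requests)
    outflow: int       # bytes the port sent to clients
    ratio: float       # inflow / outflow
    source_ips: int    # number of distinct source IP addresses in received requests
    client_ports: int  # number of distinct client-side ports seen (the page's optional refinement)
    dns_total: int     # total traffic on port 53, in either direction

# Constructed NetFlow-style records for two server ports (an assumed record format).
# "iface" is the server port the page calls the first port; "client_port" and
# "server_port" are the transport-layer ports of the flow.
FLOWS = [
    # iface 1: a leased content server, traffic mostly outbound from one fixed source address
    {"iface": 1, "dir": "in",  "client_ip": "203.0.113.10", "client_port": 40001, "server_port": 80,   "bytes": 1_000},
    {"iface": 1, "dir": "out", "client_ip": "203.0.113.10", "client_port": 40001, "server_port": 80,   "bytes": 50_000},
    {"iface": 1, "dir": "in",  "client_ip": "203.0.113.10", "client_port": 40002, "server_port": 443,  "bytes": 2_000},
    {"iface": 1, "dir": "out", "client_ip": "203.0.113.10", "client_port": 40002, "server_port": 443,  "bytes": 80_000},
    # iface 2: balanced traffic, several source addresses and domain name resolution traffic
    {"iface": 2, "dir": "in",  "client_ip": "198.51.100.1", "client_port": 51000, "server_port": 8080, "bytes": 30_000},
    {"iface": 2, "dir": "out", "client_ip": "198.51.100.1", "client_port": 51000, "server_port": 8080, "bytes": 28_000},
    {"iface": 2, "dir": "in",  "client_ip": "198.51.100.2", "client_port": 51001, "server_port": 8080, "bytes": 25_000},
    {"iface": 2, "dir": "out", "client_ip": "198.51.100.2", "client_port": 51001, "server_port": 8080, "bytes": 26_000},
    {"iface": 2, "dir": "in",  "client_ip": "198.51.100.3", "client_port": 53,    "server_port": 53,   "bytes": 4_000},
    {"iface": 2, "dir": "out", "client_ip": "198.51.100.3", "client_port": 53,    "server_port": 53,   "bytes": 6_000},
]

def port_state(flows, iface):
    """Aggregate one acquisition period of flow records into the first state information of a port."""
    inflow = outflow = dns = 0
    ips, ports = set(), set()
    for f in flows:
        if f["iface"] != iface:
            continue
        if f["dir"] == "in":
            inflow += f["bytes"]
            ips.add(f["client_ip"])      # distinct source IP addresses of access requests
            ports.add(f["client_port"])  # distinct client-side ports, for the optional sum with source IPs
        else:
            outflow += f["bytes"]
        if DNS_PORT in (f["client_port"], f["server_port"]):
            dns += f["bytes"]
    # a port with no outflow in the period has no defined ratio; report it as infinite, not a crash
    ratio = inflow / outflow if outflow else float("inf")
    return PortState(inflow, outflow, ratio, len(ips), len(ports), dns)

if __name__ == "__main__":
    for iface in (1, 2):
        print(iface, port_state(FLOWS, iface))
```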
102. The client is determined to be an illegal client according to the first state information and the binary classification model.
The binary classification model is used to identify illegal clients and legal clients; an illegal client is a client that illegally accesses the server.
Specifically, referring to Fig. 3, the binary classification model includes a first reference point and a second reference point; the first reference point indicates that the client corresponding to the first state information is an illegal client, and the second reference point indicates that it is a legal client. After the first state information is input into the binary classification model, the model determines whether the corresponding client is an illegal client according to the distance from the first state information to the first reference point and the distance from the first state information to the second reference point.
It should be noted that the illegal client refers to a client which is not authorized by a network operator but is privately accessed to a server of the IDC room through a technical means to access the network; the legal client is the client authorized by the network operator to access the server of the IDC computer room.
Optionally, as shown in Fig. 4, before step 102 the method further includes:
201. The inflow traffic is processed according to a first preset algorithm to obtain a first characteristic value.
Specifically, the first preset algorithm is:
$V'_a = |V_a - P| / Q$;
where $V_a$ is any one of the inflow traffic, the outflow traffic, the ratio of inflow traffic to outflow traffic, the number of source IP addresses and the total domain name resolution traffic, $P$ is the mean of a plurality of $V_a$ values, $Q$ is the standard deviation of that plurality of $V_a$ values, and $V'_a$ is the characteristic value corresponding to $V_a$.
Illustratively, if the acquisition cycle of the first state information is set to a preset time period, the NetFlow information is collected once per preset time period to obtain the first state information. Taking 5 acquisition cycles as an example, if the inflow traffic in the first state information is 1.8 GBytes, 1.9 GBytes, 2 GBytes, 2.1 GBytes and 2.2 GBytes in sequence, then the mean inflow traffic P is 2 GBytes and the standard deviation is about 0.158, that is, Q is 0.158. If, in the embodiment of the present invention, the inflow traffic $V_a$ = 2.1 GBytes is used as the input to the first preset algorithm, that is, whether the client is an illegal client is judged using an inflow traffic of 2.1 GBytes, then processing the inflow traffic according to the first preset algorithm gives $V'_a$ = |2.1 - 2| / 0.158 = 0.633, so the first characteristic value is 0.633.
The NetFlow information may be acquired in a plurality of continuous preset time periods, or may be acquired in a plurality of discontinuous preset time periods.
202. The outflow traffic is processed according to the first preset algorithm to obtain a second characteristic value.
For example, taking 5 acquisition cycles as an example, if the outflow traffic in the first state information is 2 GBytes, 2.1 GBytes, 2.2 GBytes, 2.3 GBytes and 2.4 GBytes in sequence, then the mean outflow traffic P is 2.2 GBytes and the standard deviation is about 0.158, that is, Q is 0.158. If, in the embodiment of the present invention, the outflow traffic $V_a$ = 2.3 GBytes is used as the input to the first preset algorithm, that is, whether the client is an illegal client is judged using an outflow traffic of 2.3 GBytes, then processing the outflow traffic according to the first preset algorithm gives $V'_a$ = |2.3 - 2.2| / 0.158 = 0.633, so the second characteristic value is 0.633.
203. The ratio of inflow traffic to outflow traffic is processed according to the first preset algorithm to obtain a third characteristic value.
For example, taking 5 acquisition cycles as an example, if the ratios of inflow traffic to outflow traffic in the first state information are 9/10, 19/21, 10/11, 21/23 and 11/12 in sequence, then the mean ratio P is 0.917 and the standard deviation is about 0.007, that is, Q is 0.007. If, in the embodiment of the present invention, the ratio $V_a$ = 21/23 is used as the input to the first preset algorithm, that is, whether the client is an illegal client is judged using a ratio of inflow traffic to outflow traffic of 21/23, then processing the ratio according to the first preset algorithm gives $V'_a$ = |21/23 - 0.917| / 0.007 = 0.571, so the third characteristic value is 0.571.
204. The number of source IP addresses is processed according to the first preset algorithm to obtain a fourth characteristic value.
For example, taking 5 acquisition cycles as an example, if the numbers of source IP addresses in the first state information are 7, 10, 15 and 23 in sequence, then the mean number of source IP addresses P is 13 and the standard deviation is about 6.28, that is, Q is 6.28. If, in the embodiment of the present invention, the number of source IP addresses $V_a$ = 15 is used as the input to the first preset algorithm, that is, whether the client is an illegal client is judged using 15 source IP addresses, then processing the number of source IP addresses according to the first preset algorithm gives $V'_a$ = |15 - 13| / 6.28 = 0.318, so the fourth characteristic value is 0.318.
205. The total domain name resolution traffic is processed according to the first preset algorithm to obtain a fifth characteristic value.
For example, taking 5 acquisition cycles as an example, if the total domain name resolution traffic in the first state information is 0.5 GBytes, 0.6 GBytes, 0.7 GBytes, 0.8 GBytes and 0.9 GBytes in sequence, then the mean total domain name resolution traffic P is 0.7 GBytes and the standard deviation is about 0.158, that is, Q is 0.158. If, in the embodiment of the present invention, the total domain name resolution traffic $V_a$ = 0.8 GBytes is used as the input to the first preset algorithm, that is, whether the client is an illegal client is judged using a total domain name resolution traffic of 0.8 GBytes, then processing the total domain name resolution traffic according to the first preset algorithm gives $V'_a$ = |0.8 - 0.7| / 0.158 = 0.633, so the fifth characteristic value is 0.633.
Optionally, referring to Fig. 5, step 102 includes:
1021. A first vector is determined according to the first characteristic value, the second characteristic value, the third characteristic value, the fourth characteristic value and the fifth characteristic value.
Specifically, the first vector may be a five-dimensional vector composed of a first feature value, a second feature value, a third feature value, a fourth feature value, and a fifth feature value.
Illustratively, if the first, second, third, fourth and fifth characteristic values obtained in steps 201-205 above are 0.633, 0.633, 0.571, 0.318 and 0.633 respectively, the first vector composed of them is (0.633, 0.633, 0.571, 0.318, 0.633).
It should be noted that the binary classification model operates in a five-dimensional space, so a five-dimensional vector can be formed from the first, second, third, fourth and fifth characteristic values and input into the binary classification model for classification.
1022. The first vector is input into a classification model, and a first distance of the first vector from a first reference point and a second distance from a second reference point are determined.
Specifically, the first reference point and the second reference point may be pre-trained cluster centres in the binary classification model, and the first distance between the first vector and the first reference point and the second distance between the first vector and the second reference point may be calculated with the Euclidean distance formula.
For example, if the first vector is (a1, a2, a3, a4, a5), the first reference point is (b1, b2, b3, b4, b5) and the second reference point is (c1, c2, c3, c4, c5), the first distance is:
$\sqrt{(a_1-b_1)^2+(a_2-b_2)^2+(a_3-b_3)^2+(a_4-b_4)^2+(a_5-b_5)^2}$
and the second distance is:
$\sqrt{(a_1-c_1)^2+(a_2-c_2)^2+(a_3-c_3)^2+(a_4-c_4)^2+(a_5-c_5)^2}$
where a1, a2, a3, a4 and a5 are respectively the first, second, third, fourth and fifth characteristic values of the first vector; b1, b2, b3, b4 and b5 are respectively the first, second, third, fourth and fifth characteristic values of the first reference point; and c1, c2, c3, c4 and c5 are respectively the first, second, third, fourth and fifth characteristic values of the second reference point.
1023. If the first distance is greater than the second distance, the client corresponding to the first state information is determined to be a legal client.
Specifically, the first vector may be classified into a cluster where the first reference point is located or a cluster where the second reference point is located according to a distance between the first vector and the first reference point and the second reference point. Because the cluster where the second reference point is located is the set of valid clients in the embodiment of the present invention, when the first distance is greater than the second distance, the first vector may be classified into the cluster where the second reference point is located, that is, the client corresponding to the first vector is a valid client, that is, the client corresponding to the first state information obtained in step 101 is a valid client.
1024. If the first distance is smaller than the second distance, the client corresponding to the first state information is determined to be an illegal client.
Specifically, in the embodiment of the present invention, the cluster where the first reference point is located is a set of illegal clients, so when the first distance is smaller than the second distance, the first vector may be classified into the cluster where the first reference point is located, that is, the client corresponding to the first vector is an illegal client, that is, the client corresponding to the first state information obtained in step 101 is an illegal client.
Optionally, referring to fig. 6, the method for identifying a network private access provided in the embodiment of the present invention further includes:
301. second state information of the plurality of ports of the server is obtained.
The second state information includes an incoming flow, an outgoing flow, a ratio of the incoming flow to the outgoing flow, the number of source IP addresses, and a total domain name resolution flow.
Specifically, the IDC room may have a plurality of ports, each of which may communicate with a client. The obtained plurality of second state information are used for training the classification model, and the second state information comprises the state information of the illegal client and also comprises the state information of the legal client.
Illustratively, the server may include a plurality of ports, such as a second port, a third port, a fourth port, etc., and each port of the server may communicate with a legitimate client or an illegitimate client. The second status information may include status information of the second port of the server, and may also include status information of ports such as the third port, the fourth port, and the fifth port.
302. And respectively processing the inflow flow, the outflow flow, the ratio of the inflow flow to the outflow flow, the number of source IP addresses and the total domain name resolution flow in the second state information according to a first preset algorithm.
Specifically, the second state information is processed in the same way as the incoming flow, the outgoing flow, the ratio of the incoming flow to the outgoing flow, the number of source IP addresses and the total domain name resolution flow of the first state information in steps 201 to 205, which is not repeated here. Likewise, five feature values are obtained after the second state information is processed according to the first preset algorithm.
It should be noted that the second state information obtained in step 301 may comprise tens of thousands or even hundreds of thousands of records, so the amount of data to be processed in step 302 is very large; the embodiment of the present invention therefore uses the Spark computing engine to process the second state information. A computing framework is built from Spark and the first preset algorithm, the framework containing the first preset algorithm; the second state information collected by each port over a preset number of periods is input into the framework and processed there by the first preset algorithm, which improves data-processing efficiency. Since the first preset algorithm also involves calculating a mean and a standard deviation, the framework built on Spark also includes the mean and the standard-deviation calculations.
303. And training according to the characteristic value obtained by processing the second state information and a second preset algorithm to obtain a two-classification model.
The second preset algorithm is the K-means clustering algorithm (K-means).
Optionally, step 303 specifically includes:
(1) Inputting the feature values obtained by processing the second state information into the k-means clustering algorithm as a first sample set.
Specifically, as in step 1021, the five feature values obtained by processing the second state information form a second vector. Since the second state information obtained in step 301 comprises many records, the input to the k-means clustering algorithm correspondingly comprises a plurality of second vectors; the result of inputting these second vectors can be seen in fig. 7, and the set of these second vectors is the first sample set.
(2) Randomly drawing K sample points from the first sample set as initial clustering centers.
Specifically, the embodiment of the present invention is configured to identify a valid client and an invalid client, so that the K-means clustering algorithm is configured to divide a first sample set into two types, where one type is a second vector obtained according to state information of the valid client, and the other type is a second vector obtained according to state information of the invalid client, so that K is 2, and randomly extract 2 sample points in the first sample set as an initial clustering center.
Illustratively, referring to fig. 8, the randomly drawn sample points may be a1 and a2.
It should be noted that the initial clustering center is randomly set, and in practice, after the first sample set is divided into two types, the average value of all sample points in the two types may be set as the initial clustering center.
(3) Classifying each second vector in the first sample set into the first cluster whose initial cluster center is closest to that second vector.
And the number of the first clusters is K.
Specifically, the first sample set may be divided into as many clusters as there are initial clustering centers; as the number of initial clustering centers in the embodiment of the present invention is 2, the first sample set is divided into 2 first clusters. Referring to the initial cluster centers a1 and a2 shown in fig. 8, the distance between each second vector in the first sample set and each of a1 and a2 is calculated according to the Euclidean distance formula, each second vector is classified into the first cluster of the closer initial cluster center, and the resulting partition can be seen in fig. 9.
(4) A first cluster center for a second set of samples in each first cluster is determined.
Wherein the second set of samples is a second vector included in the first cluster.
Specifically, referring to the first cluster division result shown in fig. 9, the average value of each second vector in the first cluster a and the first cluster B is calculated, and the average value of each second vector in the first cluster a and the first cluster B is used as a first cluster center, which may be a3 and a4 shown in fig. 10.
(5) Iterating steps (3) and (4) until the clustering center of the second sample set no longer changes, thereby obtaining the binary classification model.
Specifically, referring to fig. 11, the sample points in the first sample set are divided into a first cluster C and a first cluster D according to the first cluster centers a3 and a4; after the first cluster C and the first cluster D are determined, the average value of the second vectors in each of them is calculated, and these averages are taken as the new first cluster centers a5 and a6.
The sample points in the first sample set are then divided again according to step (3), each into the first cluster whose center, a5 or a6, is closer. Steps (4) and (3) are iterated in turn until the finally determined cluster centers of the first clusters no longer change, giving a first cluster N and a first cluster M.
Because, in practice, far fewer legal clients than illegal clients are connected to the IDC room, of the two first clusters finally obtained, the one with fewer sample points can indicate legal clients and the one with more sample points can indicate illegal clients. If the first cluster N indicates illegal clients and the first cluster M indicates legal clients, the cluster center of the first cluster N may be the first reference point and the cluster center of the first cluster M the second reference point.
It should be noted that the classification space constructed according to the k-means clustering algorithm is a five-dimensional space, and the plane views shown in fig. 7 to 11 are only exemplary and only show a cross-sectional view of the five-dimensional space. In practice, the process of determining the two-class model according to the second state information and the k-means clustering algorithm in step 303 may be implemented by a code, and step (2) may be implemented by the following code:
val kmeans=new KMeans().setK(2).setSeed(1L);
where setK(2) specifies that the first sample set is divided into two classes, and setSeed(1L) sets the random seed used when the initial clustering centers are chosen at random.
And the process of the above steps (3), (4) and (5) to finally obtain the two-classification model through iteration can be realized by the following codes:
val model=kmeans.fit(dataset);
here, the dataset may be a feature value obtained by processing the second state information as described above.
After obtaining the binary model, the process of implementing step 102 can be implemented by the following code:
val predictions=model.transform(dataset);
here, the dataset may be a feature value obtained by processing the first state information as described above.
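The whole pipeline described above, carried end to end as an added example that is not part of the patent and not the Spark code quoted above: the first preset algorithm V′a=|Va-P|/Q applied to the five fields of each port, the K=2 clustering of steps (2) to (5) with the larger cluster's center taken as the first reference point (illegal clients) and the smaller cluster's center as the second reference point (legal clients), and the distance comparison of steps 1021 to 1024 for a new port. It is plain Python with no Spark dependency. The port names and all traffic values are constructed; the choice to standardize a new port's first state information with the mean and standard deviation obtained from the training ports, the use of the population standard deviation, the handling of a constant field, and the tie handling are assumptions of this example, not statements of the patent.

```python
import math
import random
from typing import Dict, List, Optional, Sequence, Tuple

Vector = Tuple[float, ...]  # inflow, outflow, in/out ratio, source IP count, DNS traffic

# Constructed "second state information" for eight server ports. The numbers are
# made up so that two separable groups exist; they say nothing about real traffic.
TRAINING_PORTS: Dict[str, Vector] = {
    "port-1": (50_000, 48_000, 1.04, 3, 2_000),
    "port-2": (60_000, 55_000, 1.09, 4, 2_500),
    "port-3": (900_000, 300_000, 3.00, 120, 80_000),
    "port-4": (850_000, 280_000, 3.04, 110, 75_000),
    "port-5": (950_000, 310_000, 3.06, 130, 82_000),
    "port-6": (880_000, 290_000, 3.03, 115, 78_000),
    "port-7": (920_000, 305_000, 3.02, 125, 81_000),
    "port-8": (870_000, 295_000, 2.95, 118, 76_000),
}


def fit_statistics(rows: Sequence[Vector]) -> Tuple[Vector, Vector]:
    """P (mean) and Q (population standard deviation) of each field over all rows."""
    columns = list(zip(*rows))
    means = tuple(sum(c) / len(c) for c in columns)
    stds = tuple(math.sqrt(sum((v - m) ** 2 for v in c) / len(c))
                 for c, m in zip(columns, means))
    return means, stds


def standardize(row: Vector, means: Vector, stds: Vector) -> Vector:
    """First preset algorithm, V'a = |Va - P| / Q per field. A field with Q == 0 is
    constant over the sample and maps to 0.0 instead of dividing by zero; note the
    absolute value folds readings above and below the mean onto one side."""
    return tuple(abs(v - p) / q if q > 0 else 0.0 for v, p, q in zip(row, means, stds))


def euclidean(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans_two(points: Sequence[Vector], seed: int = 1,
               init: Optional[Tuple[int, int]] = None,
               max_iter: int = 100) -> Tuple[List[Vector], List[int]]:
    """Steps (2) to (5) with K = 2: two sample points as initial centres (random, like
    setSeed(1L), unless indices are given), then assign / recompute until they stop moving."""
    if init is None:
        init = tuple(random.Random(seed).sample(range(len(points)), 2))
    centers = [points[init[0]], points[init[1]]]
    labels: List[int] = []
    for _ in range(max_iter):
        labels = [0 if euclidean(p, centers[0]) <= euclidean(p, centers[1]) else 1
                  for p in points]
        new_centers = []
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            # An emptied cluster keeps its previous centre instead of crashing.
            new_centers.append(tuple(sum(c) / len(c) for c in zip(*members))
                               if members else centers[k])
        moved = any(euclidean(o, n) > 1e-12 for o, n in zip(centers, new_centers))
        centers = new_centers
        if not moved:
            break
    return centers, labels


class PrivateConnectionModel:
    """Binary model of the patent: the larger cluster's centre is the first
    reference point (illegal clients), the smaller's the second (legal clients)."""

    def __init__(self, training: Dict[str, Vector], seed: int = 1,
                 init: Optional[Tuple[int, int]] = None):
        names, rows = list(training), list(training.values())
        self.means, self.stds = fit_statistics(rows)
        centers, labels = kmeans_two(
            [standardize(r, self.means, self.stds) for r in rows], seed=seed, init=init)
        sizes = (labels.count(0), labels.count(1))
        if sizes[0] == sizes[1]:
            raise ValueError("equal cluster sizes: the size rule cannot name the illegal cluster")
        big = 0 if sizes[0] > sizes[1] else 1
        self.first_reference = centers[big]       # illegal clients
        self.second_reference = centers[1 - big]  # legal clients
        self.clusters = {n: "illegal" if lab == big else "legal" for n, lab in zip(names, labels)}

    def classify(self, first_state: Vector) -> str:
        """Steps 1021 to 1024 for one port. The raw readings are standardised with
        the training-time P and Q (an assumption of this example) before comparing."""
        v = standardize(first_state, self.means, self.stds)
        d1, d2 = euclidean(v, self.first_reference), euclidean(v, self.second_reference)
        if d1 > d2:
            return "legal"
        if d1 < d2:
            return "illegal"
        return "undetermined"  # equidistant: neither rule of steps 1023/1024 applies


if __name__ == "__main__":
    model = PrivateConnectionModel(TRAINING_PORTS, init=(0, 2))
    print(model.clusters)
    print("new-a", model.classify((55_000, 50_000, 1.10, 3, 2_200)))  # constructed port
    print("new-b", model.classify((890_000, 300_000, 2.97, 120, 79_000)))  # constructed port
```

Run as a script, it prints the cluster of each training port and the verdict for two constructed new ports. The explicit init argument makes the run reproducible; with two random initial centers, as in step (2), k-means can settle in a worse local optimum when both initial points fall in the same group, which is one reason Spark's KMeans defaults to the k-means|| initialization rather than plain random sampling. The size rule of the patent (larger cluster means illegal) also silently mislabels both clusters if the ports in the sample are close to balanced; the constructor only refuses an exact tie, so the proportion of legal to illegal ports in the training data is worth checking before trusting the reference points.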
The embodiment of the invention provides a network private access identification method, which comprises the following steps: acquiring first state information of a first port of a server; the first port is used for the server to communicate with the client, the first state information is used for indicating a source IP address and the flow of the first port, and the source IP address is the source IP address of an access request from the client received by the first port; determining the client as an illegal client according to the first state information and the two classification models; the two classification models are used for identifying an illegal client and a legal client, and the illegal client is a client of an illegal access server. According to the embodiment of the invention, the first state information of the server port is obtained, and whether the client is illegal or not is determined by utilizing the classification model according to the difference of the first state information of the illegal client and the first state information of the legal client during network communication, so that the workload of manual investigation is reduced, and the investigation efficiency is improved.
Referring to fig. 12, an embodiment of the present invention further provides a network private connection identifying apparatus 40, including:
an obtaining module 401, configured to obtain first state information of a first port of a server; the first port is used for the server to communicate with the client, the first state information is used for indicating a source IP address and the flow of the first port, and the source IP address is the source IP address of an access request from the client received by the first port.
A classification module 402, configured to determine, according to the first state information and the two classification models obtained by the obtaining module 401, that the client is an illegal client; the two classification models are used for identifying an illegal client and a legal client, and the illegal client is a client of an illegal access server.
Optionally, the first state information includes an incoming flow, an outgoing flow, a ratio of the incoming flow to the outgoing flow, a number of source IP addresses, and a total domain name resolution flow; the number of the source IP addresses is the number of the source IP addresses of the access request from the client received by the first port, and the total domain name resolution flow is the total flow received by the server and used for resolving the domain name.
Optionally, referring to fig. 13, the network private connection identifying apparatus 40 further includes a processing module 403.
The processing module 403 is configured to: processing the inflow flow according to a first preset algorithm to obtain a first characteristic value; processing the outflow flow according to a first preset algorithm to obtain a second characteristic value; processing the ratio of the inflow flow rate and the outflow flow rate according to a first preset algorithm to obtain a third characteristic value; processing the number of the source IP addresses according to a first preset algorithm to obtain a fourth characteristic value; and processing the domain name resolution total flow according to a first preset algorithm to obtain a fifth characteristic value.
The first preset algorithm specifically comprises:
V′a=|Va-P|/Q;
where Va is any one of the inflow flow, the outflow flow, the ratio of the inflow flow to the outflow flow, the number of source IP addresses and the total domain name resolution flow; P is the mean of the plurality of Va; Q is the standard deviation of the plurality of Va; and V′a is the feature value corresponding to Va.
Optionally, the classification model includes a first reference point and a second reference point, where the first reference point is used to indicate that the client corresponding to the first state information is an illegal client, and the second reference point is used to indicate that the client corresponding to the first state information is a legal client.
The classification module 402 is specifically configured to: determining a first vector according to the first characteristic value, the second characteristic value, the third characteristic value, the fourth characteristic value and the fifth characteristic value obtained by the processing module 403; inputting the first vector into a classification model, and determining a first distance between the first vector and a first reference point and a second distance between the first vector and a second reference point; if the first distance is greater than the second distance, determining that the client corresponding to the first state information is a legal client; and if the first distance is smaller than the second distance, determining the client corresponding to the first state information as an illegal client.
The embodiment of the invention provides a network private connection identification device, which comprises: the acquisition module is used for acquiring first state information of a first port of the server; the first port is used for the server to communicate with the client, the first state information is used for indicating a source IP address and the flow of the first port, and the source IP address is the source IP address of an access request from the client received by the first port; the classification module is used for determining the client as an illegal client according to the first state information and the two classification models acquired by the acquisition module; the two classification models are used for identifying an illegal client and a legal client, and the illegal client is a client of an illegal access server. According to the embodiment of the invention, the first state information of the server port is obtained, and whether the client is illegal or not is determined by utilizing the classification model according to the difference of the first state information of the illegal client and the first state information of the legal client during network communication, so that the workload of manual investigation is reduced, and the investigation efficiency is improved.
Referring to fig. 14, an embodiment of the present invention further provides another network private connection identification apparatus, including a memory 51, a processor 52, a bus 53, and a communication interface 54; the memory 51 is used for storing computer execution instructions, and the processor 52 is connected with the memory 51 through a bus 53; when the network private connection identifying device operates, the processor 52 executes computer-executable instructions stored in the memory 51 to cause the network private connection identifying device to perform the network private connection identifying method provided in the above-described embodiment.
In a particular implementation, the processor 52 (52-1 and 52-2) may include one or more CPUs, for example CPU0 and CPU1 shown in fig. 14. The network private connection identifying apparatus may also include a plurality of processors 52, such as the processor 52-1 and the processor 52-2 shown in fig. 14. Each processor 52 may be a single-core CPU or a multi-core CPU. A processor 52 here may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 51 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 51 may be self-contained and coupled to the processor 52 via the bus 53. The memory 51 may also be integrated with the processor 52.
In a specific implementation, the memory 51 is used for storing data in the present application and computer-executable instructions corresponding to software programs for executing the present application. The processor 52 may recognize various functions of the device by running or executing software programs stored in the memory 51 and calling data stored in the memory 51.
The communication interface 54 is any device, such as a transceiver, for communicating with other devices or communication networks, such as a control system, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), and the like. The communication interface 54 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The bus 53 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus 53 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 14, but this is not intended to represent only one bus or type of bus.
The embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes computer-executable instructions, and when the computer-executable instructions are run on a computer, the computer is enabled to execute the network private connection identification method provided in the foregoing embodiment.
The embodiment of the invention also provides a computer program which can be directly loaded into the memory and contains software codes, and the computer program can realize the network private access identification method provided by the embodiment after being loaded and executed by the computer.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical function division, and there may be other division ways in actual implementation. For example, various elements or components may be combined or may be integrated into another device, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. Units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partially contributed to by the prior art, or all or part of the technical solutions may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1.一种网络私接识别方法,其特征在于,包括:1. A method for identifying a private network connection, comprising: 获取服务器的第一端口的第一状态信息;所述第一端口用于所述服务器与客户端进行通信,所述第一状态信息用于指示源IP地址和所述第一端口的流量,所述源IP地址为所述第一端口接收的来自所述客户端的访问请求的源IP地址;Obtain the first state information of the first port of the server; the first port is used for the server to communicate with the client, and the first state information is used to indicate the source IP address and the traffic of the first port, so The source IP address is the source IP address of the access request from the client received by the first port; 根据所述第一状态信息和二分类模型,确定所述客户端为非法客户端;所述二分类模型用于识别所述非法客户端和合法客户端,所述非法客户端为非法访问所述服务器的客户端。According to the first state information and a two-class model, determine that the client is an illegal client; the two-class model is used to identify the illegal client and a legal client, and the illegal client is illegally accessing the The client of the server. 2.根据权利要求1所述的网络私接识别方法,其特征在于,所述第一状态信息包括的流入流量、流出流量、流入流量与流出流量之比、源IP地址个数和域名解析总流量;所述源IP地址个数为所述第一端口接收的来自所述客户端的访问请求的源IP地址个数,所述域名解析总流量为所述服务器接收的用于解析域名的总流量。2. The method for identifying a private network connection according to claim 1, wherein the incoming traffic, outgoing traffic, the ratio of incoming traffic to outgoing traffic, the number of source IP addresses and the total number of domain name resolutions that the first state information includes. Traffic; the number of source IP addresses is the number of source IP addresses of the access request from the client received by the first port, and the total flow of domain name resolution is the total flow of domain name resolution received by the server . 3.根据权利要求2所述的网络私接识别方法,其特征在于,所述根据所述第一状态信息和二分类模型,确定所述客户端为非法客户端之前,还包括:3 . The method for identifying a private network connection according to claim 2 , wherein, before determining that the client is an illegal client according to the first state information and the second classification model, the method further comprises: 4 . 
根据第一预设算法处理所述流入流量,获得第一特征值;Process the inflow flow according to a first preset algorithm to obtain a first characteristic value; 根据所述第一预设算法处理所述流出流量,获得第二特征值;Process the outflow flow according to the first preset algorithm to obtain a second characteristic value; 根据所述第一预设算法处理所述流入流量与流出流量之比,获得第三特征值;Process the ratio of the inflow flow to the outflow flow according to the first preset algorithm to obtain a third characteristic value; 根据所述第一预设算法处理所述源IP地址个数,获得第四特征值;Process the number of source IP addresses according to the first preset algorithm to obtain a fourth characteristic value; 根据所述第一预设算法处理所述域名解析总流量,获得第五特征值;Process the total traffic of domain name resolution according to the first preset algorithm to obtain a fifth characteristic value; 所述第一预设算法具体为:The first preset algorithm is specifically: V′a=|Va-P|/Q;V' a =|V a -P|/Q; 其中,Va为所述流入流量、所述流出流量、所述流入流量与流出流量之比、所述源IP地址个数和所述域名解析总流量中的任一个,P为多个所述Va的平均值,Q为多个所述Va的标准差,V′a为所述Va对应的特征值。Wherein, Va is any one of the incoming traffic, the outgoing traffic, the ratio of the incoming traffic to the outgoing traffic, the number of source IP addresses and the total traffic of the domain name resolution, and P is a plurality of the The average value of Va, Q is the standard deviation of a plurality of the Va , and V' a is the characteristic value corresponding to the Va . 4.根据权利要求3所述的网络私接识别方法,其特征在于,所述二分类模型包括第一参考点和第二参考点,所述第一参考点用于指示所述第一状态信息对应的客户端为非法客户端,所述第二参考点用于指示所述第一状态信息对应的客户端为合法客户端;所述根据所述第一状态信息和二分类模型,确定所述客户端为非法客户端包括:4 . The method for identifying a private network connection according to claim 3 , wherein the binary classification model comprises a first reference point and a second reference point, and the first reference point is used to indicate the first state information. 5 . 
The corresponding client is an illegal client, and the second reference point is used to indicate that the client corresponding to the first state information is a legitimate client; the first state information and the binary classification model are used to determine the Clients that are illegal clients include: 根据所述第一特征值、所述第二特征值、所述第三特征值、所述第四特征值和所述第五特征值确定第一向量;determining a first vector according to the first eigenvalue, the second eigenvalue, the third eigenvalue, the fourth eigenvalue, and the fifth eigenvalue; 将所述第一向量输入所述二分类模型,确定所述第一向量与所述第一参考点的第一距离,以及与所述第二参考点的第二距离;inputting the first vector into the binary classification model, and determining a first distance between the first vector and the first reference point, and a second distance between the first vector and the second reference point; 若所述第一距离大于所述第二距离,则确定所述第一状态信息对应的客户端为合法客户端;If the first distance is greater than the second distance, determining that the client corresponding to the first state information is a legitimate client; 若所述第一距离小于所述第二距离,则确定所述第一状态信息对应的客户端为非法客户端。If the first distance is smaller than the second distance, it is determined that the client corresponding to the first state information is an illegal client. 5.一种网络私接识别装置,其特征在于,包括:5. 
A network private access identification device, characterized in that it comprises: an obtaining module, configured to obtain first state information of a first port of a server, the first port being used for communication between the server and a client, and the first state information being used to indicate a source IP address and the traffic of the first port, the source IP address being the source IP address of the access request from the client received by the first port; and a classification module, configured to determine, according to the first state information obtained by the obtaining module and a binary classification model, that the client is an illegal client, the binary classification model being used to distinguish illegal clients from legitimate clients, an illegal client being a client that accesses the server illegally.

6. The network private access identification device according to claim 5, characterized in that the first state information includes incoming traffic, outgoing traffic, the ratio of incoming traffic to outgoing traffic, the number of source IP addresses and the total domain name resolution traffic; the number of source IP addresses is the number of source IP addresses of the access requests from the client received by the first port, and the total domain name resolution traffic is the total traffic received by the server for resolving domain names.

7. The network private access identification device according to claim 6, characterized in that it further comprises a processing module configured to: process the incoming traffic according to a first preset algorithm to obtain a first feature value; process the outgoing traffic according to the first preset algorithm to obtain a second feature value; process the ratio of incoming traffic to outgoing traffic according to the first preset algorithm to obtain a third feature value; process the number of source IP addresses according to the first preset algorithm to obtain a fourth feature value; and process the total domain name resolution traffic according to the first preset algorithm to obtain a fifth feature value; the first preset algorithm being specifically: V'_a = |V_a - P| / Q; where V_a is any one of the incoming traffic, the outgoing traffic, the ratio of incoming traffic to outgoing traffic, the number of source IP addresses and the total domain name resolution traffic, P is the mean of a plurality of the values V_a, Q is the standard deviation of the plurality of values V_a, and V'_a is the feature value corresponding to V_a.

8. The network private access identification device according to claim 7, characterized in that the binary classification model comprises a first reference point and a second reference point, the first reference point indicating that the client corresponding to the first state information is an illegal client and the second reference point indicating that the client corresponding to the first state information is a legitimate client; the classification module being specifically configured to: determine a first vector from the first, second, third, fourth and fifth feature values obtained by the processing module; input the first vector into the binary classification model and determine a first distance between the first vector and the first reference point and a second distance between the first vector and the second reference point; if the first distance is greater than the second distance, determine that the client corresponding to the first state information is a legitimate client; and if the first distance is smaller than the second distance, determine that the client corresponding to the first state information is an illegal client.

9. A network private access identification device, characterized in that it comprises a memory, a processor, a bus and a communication interface; the memory is used to store computer-executable instructions, and the processor and the memory are connected through the bus; when the network private access identification device is running, the processor executes the computer-executable instructions stored in the memory so that the network private access identification device performs the network private access identification method according to any one of claims 1 to 4.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises computer-executable instructions which, when executed on a computer, cause the computer to perform the network private access identification method according to any one of claims 1 to 4.
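Claims 7 and 8 together describe the scoring pipeline: each raw port statistic is normalized as V'_a = |V_a - P| / Q over the ports observed on the server, and the resulting five-element vector is labelled by whichever of two reference points lies closer. The Python below is an added illustration, not code from the patent or its assignees; the port statistics, the two reference points, and the handling of Q = 0 and of equal distances are assumptions, since the claims do not specify them.

```python
from math import dist
from statistics import mean, pstdev

# Feature order of claim 6: inbound, outbound, inbound/outbound ratio,
# number of source IPs, total DNS resolution traffic.
N_FEATURES = 5

# Constructed "first state information" for five ports of one server
# (values invented for illustration; p4 is the anomalous port).
PORT_STATS = {
    "p1": {"inbound": 800.0, "outbound": 100.0, "src_ip_count": 2, "dns_total": 5.0},
    "p2": {"inbound": 820.0, "outbound": 110.0, "src_ip_count": 1, "dns_total": 6.0},
    "p3": {"inbound": 790.0, "outbound": 95.0, "src_ip_count": 2, "dns_total": 4.0},
    "p4": {"inbound": 3000.0, "outbound": 2900.0, "src_ip_count": 40, "dns_total": 300.0},
    "p5": {"inbound": 810.0, "outbound": 105.0, "src_ip_count": 2, "dns_total": 5.0},
}

# Hypothetical reference points of the binary classification model (claim 8);
# the patent does not say how they are obtained, so these are assumed constants.
ILLEGAL_REF = (1.8,) * N_FEATURES   # first reference point: "illegal client"
LEGAL_REF = (0.4,) * N_FEATURES     # second reference point: "legitimate client"

def raw_features(stats):
    """Return the five raw values V_a for one port, in claim 6 order."""
    ratio = stats["inbound"] / stats["outbound"] if stats["outbound"] else 0.0
    return (stats["inbound"], stats["outbound"], ratio,
            stats["src_ip_count"], stats["dns_total"])

def normalize(all_stats):
    """First preset algorithm (claim 7): V'_a = |V_a - P| / Q, where P and Q are
    the mean and standard deviation of V_a over all observed ports."""
    raws = {port: raw_features(s) for port, s in all_stats.items()}
    columns = list(zip(*raws.values()))
    P = [mean(col) for col in columns]
    Q = [pstdev(col) for col in columns]
    # Q == 0 (a feature identical on every port) is undefined in the formula;
    # assumption: such a feature contributes 0 to the vector.
    return {port: tuple(abs(v[i] - P[i]) / Q[i] if Q[i] else 0.0
                        for i in range(N_FEATURES))
            for port, v in raws.items()}

def classify(vector, illegal_ref=ILLEGAL_REF, legal_ref=LEGAL_REF):
    """Claim 8: the nearer reference point decides; the claim says nothing
    about equal distances, so that case is reported as undetermined."""
    d1, d2 = dist(vector, illegal_ref), dist(vector, legal_ref)
    if d1 < d2:
        return "illegal"
    if d1 > d2:
        return "legitimate"
    return "undetermined"
```

With one outlier among five ports, the outlier's normalized features sit near 2.0 and the rest near 0.5, so the constructed port p4 lands next to the first reference point while p1, p2, p3 and p5 land next to the second.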
CN201911359457.0A 2019-12-25 2019-12-25 Network private identification method and device Active CN111131255B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911359457.0A CN111131255B (en) 2019-12-25 2019-12-25 Network private identification method and device

Publications (2)

Publication Number Publication Date
CN111131255A true CN111131255A (en) 2020-05-08
CN111131255B CN111131255B (en) 2022-03-15

Family

ID=70502449

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911359457.0A Active CN111131255B (en) 2019-12-25 2019-12-25 Network private identification method and device

Country Status (1)

Country Link
CN (1) CN111131255B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159636A (en) * 2007-11-23 2008-04-09 中国电信股份有限公司 System and method for detecting illegal access
CN106656651A (en) * 2016-10-14 2017-05-10 恒安嘉新(北京)科技有限公司 Data transparent transmission detecting method and device
US9781601B1 (en) * 2015-06-08 2017-10-03 Symantec Corporation Systems and methods for detecting potentially illegitimate wireless access points
CN108011873A (en) * 2017-11-28 2018-05-08 江苏方天电力技术有限公司 A kind of illegal connection determination methods based on set covering
CN109639628A (en) * 2018-10-26 2019-04-16 锐捷网络股份有限公司 Private connects behavioral value method, the network equipment, system and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124900A (en) * 2021-11-03 2022-03-01 中盈优创资讯科技有限公司 Method and device for positioning private access small routing equipment
CN114124900B (en) * 2021-11-03 2023-08-01 中盈优创资讯科技有限公司 Method and device for positioning private small-route equipment
CN115883422A (en) * 2022-12-06 2023-03-31 中盈优创资讯科技有限公司 NetFlow-based black special line user identification method and device

Also Published As

Publication number Publication date
CN111131255B (en) 2022-03-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant