Unlock instant, AI-driven research and patent intelligence for your innovation.

A method, device and system for identifying abnormal ip data flow

A data flow and anomaly technology, applied in the field of communication, can solve the problems of wrong small traffic objects being identified as large traffic objects, low identification accuracy, frequent occurrence of network anomalies, etc.

Active Publication Date: 2018-11-20
HUAWEI TECH CO LTD
View PDF5 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0002] The combination of the Internet (Internet) and MBB (Mobile Broadband, mobile broadband), and the large-scale promotion and application of smart devices such as smart terminals and tablet PCs have led to a substantial increase in MBB data network traffic; at the same time, it has brought new Problem: Various network exceptions occur frequently
Therefore, using the above-mentioned method for identification, these small-traffic objects will be mistakenly identified as large-traffic objects, that is to say, the recognition accuracy of the above-mentioned method is low

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A method, device and system for identifying abnormal ip data flow
  • A method, device and system for identifying abnormal ip data flow
  • A method, device and system for identifying abnormal ip data flow

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0122] Such as figure 1 As shown, a method for identifying an abnormal IP data flow provided by an embodiment of the present invention is applied to a working node, and the method includes:

[0123] 101: In the current time interval, receive Y elements sent by the data collection node; wherein, Y≥1, and Y is an integer.

[0124] Wherein, both the "working node" and the "data collection node" may be: a server or a PC (Personal Computer, personal computer) and other devices. In addition, different working nodes and / or data collection nodes may also be distributed on different CPUs (Central Processing Unit, central processing unit) of the same device. It should be noted that, for the convenience of description, different working nodes and / or data collection nodes are distributed on different devices as an example for description below.

[0125] Each server or PC can be used as a working node or a data collection node. However, in the same application scenario, the same node gen...

Embodiment 1

[0165] This embodiment is used to determine a target high-traffic object, that is, the preset abnormal object type is a high-traffic object. Specifically, including:

[0166] (1) Element distribution and mapping process

[0167] In the current time interval, the data collection node has obtained Y elements in total, and the elements (x, v x ) as an example to illustrate the element distribution and mapping process; where, x represents the object x, v x Indicates the flow value of object x.

[0168] Such as figure 2 As shown, the element distribution and mapping process includes:

[0169] 201: The data collection node obtains the element (x, v x ).

[0170] 202: Send the element to one of the d working nodes distributed by the preset object x; wherein, d≥1.

[0171] Exemplarily, the data collection node can pre-store the working nodes distributed by each object, wherein the number of working nodes distributed by different objects can be the same or different, and the wo...

Embodiment 2

[0243] This embodiment is used to determine the target large-change object, that is, the preset abnormal object type is a large-change object. Specifically, including:

[0244] (1) Element distribution and mapping process

[0245] This process is the same as the "element distribution process" in Embodiment 1.

[0246] (2) Record information update process

[0247]The difference between this process and the "record information update process" in Embodiment 1 is that the dynamic expansion parameter T in the above step 308 in this embodiment satisfies T=εφ; where ε is a constant, 0<ε≤1. Other steps are the same as the "record information updating process" in Embodiment 1.

[0248] (3) Work node identification process

[0249] Such as Figure 6 As shown, the working node identification process includes:

[0250] 601-606: the same as the above steps 401-406.

[0251] 607: Get the flow lower bound S of the first object mapped to the i-th bucket in the previous time interval o...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The present invention relates to the field of communications. Disclosed are a method, device, and system for identifying an abnormal IP data stream, so as to improve the accuracy of identification. The method provided by an embodiment of the present invention comprises: receiving Y elements sent by a data collecting node in a current time interval; mapping the Y elements into N buckets by using a mapping algorithm; acquiring, from the N buckets, a bucket that has a total traffic of all the mapped elements larger than or equal to a first threshold as a target bucket; acquiring r traffic upper bounds of a first object in mapped r buckets in the current time interval, wherein the first object is any object mapped into the target bucket, and each of the r buckets comprises one traffic upper bound of the first object; and identifying whether the first object is an abnormal object according to a preset type of the abnormal object and the r traffic upper bounds in the current time interval, wherein the preset type of the abnormal object is a heavy hitter or a heavy changer.

Description

technical field [0001] The invention relates to the communication field, in particular to a method, device and system for identifying abnormal IP data flow. Background technique [0002] The combination of the Internet (Internet) and MBB (Mobile Broadband, mobile broadband), and the large-scale promotion and application of smart devices such as smart terminals and tablets have led to a substantial increase in MBB data network traffic; at the same time, it has brought new Problem: Various network exceptions occur frequently. The network anomalies include: abnormal traffic, network attacks, viruses, etc., and the abnormal traffic includes heavy hitters and heavy changers. This has a great negative impact on network utilization, network performance, and user experience. It also brings risks such as key information leakage, system and terminal damage, etc. [0003] Among various network anomalies, large traffic objects and large change objects are the two most important types ...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): H04L12/24
CPCH04L43/00
Inventor 何诚黄群李柏晴
Owner HUAWEI TECH CO LTD