
CN116318800A - BGP route data monitoring method and device and electronic equipment - Google Patents


Info

Publication number
CN116318800A
Authority
CN
China
Prior art keywords
bgp
data
bgp route
routing data
bgp routing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211667889.XA
Other languages
Chinese (zh)
Inventor
陈林
白雨泽
邢颖慧
吴爽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Safety Technology Co Ltd filed Critical Tianyi Safety Technology Co Ltd
Priority to CN202211667889.XA priority Critical patent/CN116318800A/en
Publication of CN116318800A publication Critical patent/CN116318800A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to the field of network information security technologies, and in particular to a method and an apparatus for monitoring BGP routing data, and an electronic device. In the method, BGP routing data is acquired and parsed to obtain a first feature of the BGP routing data. A first feature of historical BGP routing data is acquired according to the routing prefix of the BGP routing data. The first feature of the BGP routing data and the first feature of the historical BGP routing data are clustered to obtain a clustering result. The credibility of the BGP routing data is determined according to the clustering result. When the credibility meets a preset rule, the BGP routing data is determined to be abnormal BGP routing data. By fully combining the first feature of the BGP routing data with the first feature of the historical BGP routing data, the scheme monitors BGP routing data and improves the efficiency of that monitoring.

Description

BGP route data monitoring method and device and electronic equipment
Technical Field
The present disclosure relates to the field of network information security technologies, and in particular, to a method and an apparatus for monitoring BGP routing data, and an electronic device.
Background
In a real network, routing information of the Border Gateway Protocol (BGP) changes in very complex ways: normal routing adjustments and abnormal route hijacking both occur, and the changes are intricate.
At present, anomalies in routing information are judged by a single index: whether routing information is abnormal is decided by simple rules or by a traffic ratio. This easily leads to misjudgments and cannot meet the monitoring requirements for BGP routing data.
Disclosure of Invention
The embodiments of the present application provide a method, an apparatus and an electronic device for monitoring BGP (Border Gateway Protocol) routing data, which are used to monitor BGP routing data and improve the efficiency of BGP routing data monitoring.
In a first aspect, an embodiment of the present application provides a method for monitoring BGP routing data. The method comprises the following steps. BGP routing data is acquired. The BGP routing data is parsed to obtain a first feature of the BGP routing data, where the first feature of the BGP routing data comprises elements in the BGP routing data. A first feature of historical BGP routing data is acquired according to the routing prefix of the BGP routing data, where the first feature of the historical BGP routing data comprises elements in the historical BGP routing data. The first feature of the BGP routing data and the first feature of the historical BGP routing data are clustered to obtain a clustering result, which represents the degree of dispersion of the BGP routing data over the elements. The credibility of the BGP routing data is determined according to the clustering result. When the credibility meets a preset rule, the BGP routing data is determined to be abnormal BGP routing data.
Compared with the traditional scheme of monitoring BGP routing data by model classification, this method fully combines the first feature of the BGP routing data with the first feature of historical BGP routing data to monitor the BGP routing data, which improves the accuracy of BGP routing data monitoring. It also makes full use of the streaming nature of BGP routing data, which improves the real-time performance of the monitoring. This makes it easier for users to intervene and respond quickly to abnormal BGP routing data, and improves network security.
Optionally, the method further comprises: determining the BGP routing data that includes a preset invalid value and deleting it; and determining the BGP routing data that lacks a well-known mandatory attribute and deleting it. The well-known mandatory attributes include the autonomous system path (AS_PATH) attribute, the route origin (Origin) attribute and the next hop (Next Hop) attribute.
By deleting the BGP routing data that includes a preset invalid value and the BGP routing data that lacks a well-known mandatory attribute, unusable data is cleaned out of the BGP routing data, normal usable data is kept, and identifiable errors in the BGP routing data are corrected.
Optionally, the method further comprises: normalizing BGP routing data.
In the method, the influence of scale, characteristics, distribution difference and the like of the BGP routing data on the clustering result can be reduced by normalizing the BGP routing data, so that the clustering result is more accurate.
Optionally, the method further comprises: acquiring historical BGP routing data according to the routing prefix; and comparing the BGP routing data with the historical BGP routing data and deleting the duplicate BGP routing data to obtain BGP route change data, where the BGP routing data comprises the BGP route change data.
By comparing the BGP routing data with the historical BGP routing data, duplicate BGP routing data is deleted and BGP route change data is obtained. This reduces the amount of data the system has to process, speeds up determining the credibility of the BGP route change data, and improves the efficiency of BGP routing data monitoring.
Optionally, the method further comprises: dividing the BGP route change data into hash buckets according to the routing prefix to obtain a plurality of hash buckets, where all BGP route change data in any one hash bucket has the same routing prefix; and storing the BGP route change data and its credibility in a routing delta database according to the hash-bucket grouping.
Dividing the BGP route change data into hash buckets balances the load and makes later lookup and comparison easier, which improves data processing efficiency and increases parallelism when the user later analyzes the BGP routing data. Storing BGP route change data in hash buckets also reduces storage consumption and occupies fewer memory resources.
Optionally, the method further comprises: grouping the BGP routing data according to different preset criteria to obtain a plurality of groups of BGP routing data.
Grouping the BGP routing data reduces system overhead when the server later monitors the BGP routing data, so the credibility of the BGP routing data can be determined faster and monitoring efficiency is improved.
Optionally, the method further comprises: merging the rule flow and the packet flow with a Connect operator and computing statistics over the merged data to obtain an abnormal BGP routing data set, where the rule flow and the packet flow are obtained by grouping the BGP routing data; and storing the abnormal BGP routing data set in an abnormal route database.
Merging the rule flow and the packet flow with the Connect operator yields the abnormal BGP routing data set, which is stored in the abnormal route database. This makes it easier for the user to analyze the abnormal BGP routing data set later and to aggregate and monitor abnormal BGP routing information in real time.
Optionally, the method further comprises: copying the BGP routing data; and storing the copied BGP routing data in a routing full database.
Storing the BGP routing data in the routing full database makes it available for other analyses based on other user requirements.
Optionally, determining the credibility of the BGP routing data according to the clustering result specifically includes: mapping the clustering result to a credibility interval preset by a user to obtain the credibility of the BGP routing data.
Mapping the clustering result to a credibility interval preset by the user yields the credibility of the BGP routing data in a timely manner, and the BGP routing data can conveniently be monitored through that credibility.
Optionally, the method further comprises: storing the first feature of the BGP routing data in a database.
Storing the first feature of the BGP routing data in a database makes it possible to obtain the first feature of historical BGP routing data promptly when BGP routing data is monitored later, which improves the efficiency of BGP routing data monitoring.
In a second aspect, an embodiment of the present application further provides a device for monitoring BGP route data, where the device includes:
the acquisition module is used for acquiring BGP routing data;
the parsing module is used for parsing the BGP routing data to obtain a first feature of the BGP routing data, where the first feature of the BGP routing data comprises elements in the BGP routing data;
the processing module is used for acquiring a first feature of historical BGP routing data according to the routing prefix of the BGP routing data, where the first feature of the historical BGP routing data comprises elements in the historical BGP routing data;
the processing module is also used for clustering the first feature of the BGP routing data and the first feature of the historical BGP routing data to obtain a clustering result, where the clustering result represents the degree of dispersion of the BGP routing data over the elements;
the processing module is also used for determining the credibility of the BGP routing data according to the clustering result;
and the processing module is also used for determining that the BGP routing data is abnormal BGP routing data when the credibility meets the preset rule.
In a third aspect, an embodiment of the present application further proposes an electronic device, including a processor and a memory, where the memory stores program code that, when executed by the processor, causes the processor to perform the steps of the BGP route data monitoring method of the first aspect.
In a fourth aspect, embodiments of the present application also propose a computer-readable storage medium, which includes program code for causing an electronic device to execute the steps of the BGP route data monitoring method of the first aspect, when the program code is run on the electronic device.
In a fifth aspect, embodiments of the present application also provide a computer program product, which when invoked by a computer, causes the computer to perform the steps of the BGP route data monitoring method as in the first aspect.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort. In the drawings:
Fig. 1 schematically illustrates an application scenario of a BGP routing data monitoring method applicable to an embodiment of the present application;
Fig. 2 schematically illustrates an implementation flow chart of a BGP routing data monitoring method according to an embodiment of the present application;
Fig. 3 schematically illustrates a first feature of BGP routing data according to an embodiment of the present application;
Fig. 4 schematically illustrates an implementation flow of a BGP routing data monitoring method according to an embodiment of the present application;
Fig. 5 schematically illustrates the structure of a BGP routing data monitoring device according to an embodiment of the present application;
Fig. 6 schematically illustrates the structure of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the technical solutions of the present application, but not all embodiments. All other embodiments, which can be made by a person of ordinary skill in the art without any inventive effort, based on the embodiments described in the present application are intended to be within the scope of the technical solutions of the present application.
It should be noted that "a plurality of" is understood as "at least two" in the description of the present application. "And/or" describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" may indicate that A exists alone, that A and B exist together, or that B exists alone. "A is connected with B" covers both the case where A and B are connected directly and the case where A and B are connected through C. In addition, in the description of the present application, the words "first," "second," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance or order.
The technical solutions provided in the embodiments of the present application are explained below with reference to the accompanying drawings. It is to be understood that the preferred embodiments described herein are for illustration and explanation only and are not intended to limit the present application and that embodiments and features of the embodiments may be combined with each other without conflict.
BGP is a dynamic routing protocol between the decentralized autonomous systems that make up today's network. BGP allows Internet Protocol addresses (IP addresses), routing information and reachability information to be exchanged automatically between different autonomous systems (Autonomous System, AS) on a network. Its main functions are controlling the propagation of routes and selecting optimal routes, and it provides redundancy backup and loop elimination. Although BGP plays a vital role in the internet, its security is fragile: two ASes interconnected by BGP typically lack an effective authentication mechanism for received IP prefix routes, so routes from neighboring ASes are accepted or propagated unconditionally, and incorrect routes announced by an attacker may therefore be accepted.
BGP route hijacking is the process by which an attacker maliciously changes the route of internet traffic by falsely claiming ownership of route prefixes. BGP route hijacking can cause a victim's traffic to be black-holed, normal access to be interrupted and network latency to increase; the victim's traffic may even be eavesdropped on, subjected to a man-in-the-middle attack, or redirected to a fake website to steal data.
At present, IP prefix hijacking is generally monitored, located and mitigated by collecting live network data for analysis, by active network probing, and by similar means. Although these monitoring and mitigation techniques are quite practical, existing schemes are still limited in real-time performance and coverage, cannot avoid missed reports and false alarms, and have difficulty preventing security incidents.
Because routing data changes in complex ways and its volume is huge, and because feedback on route hijacking attacks must be close to real time, data processing performance is a major challenge. The accuracy and real-time performance of BGP route hijacking monitoring need to be improved. How to monitor BGP routing data in real time and improve the accuracy of that monitoring is a problem that urgently needs to be solved.
In view of this, in order to monitor BGP routing data in real time, the embodiments of the present application provide a method for monitoring BGP routing data, including the following. BGP routing data is acquired. The BGP routing data is parsed to obtain a first feature of the BGP routing data, where the first feature of the BGP routing data comprises elements in the BGP routing data. A first feature of historical BGP routing data is acquired according to the routing prefix of the BGP routing data, where the first feature of the historical BGP routing data comprises elements in the historical BGP routing data. The first feature of the BGP routing data and the first feature of the historical BGP routing data are clustered to obtain a clustering result, which represents the degree of dispersion of the BGP routing data over the elements. The credibility of the BGP routing data is determined according to the clustering result. When the credibility meets a preset rule, the BGP routing data is determined to be abnormal BGP routing data.
Fig. 1 shows an application scenario of an optional BGP route monitoring method in the present application. The scenario includes a server 100 and a terminal 101, which can be communicatively connected through a network to implement the BGP routing data monitoring method of the present application.
A user may interact with the terminal 101, e.g. receive or send messages, etc., through a network using the server 100. The terminal 101 may have installed thereon various client applications such as a programming class application, a web browser application, a search class application, and the like. The terminal 101 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, desktop computers, and the like. The server 100 may be implemented as a stand-alone server or as a server cluster formed by a plurality of servers.
The server 100 is configured to acquire BGP routing data and to parse the BGP routing data to obtain a first feature of the BGP routing data, where the first feature of the BGP routing data comprises elements in the BGP routing data. It acquires a first feature of historical BGP routing data according to the routing prefix of the BGP routing data, where the first feature of the historical BGP routing data comprises elements in the historical BGP routing data. It clusters the first feature of the BGP routing data and the first feature of the historical BGP routing data to obtain a clustering result, which represents the degree of dispersion of the BGP routing data over the elements. It determines the credibility of the BGP routing data according to the clustering result and, when the credibility meets a preset rule, determines that the BGP routing data is abnormal BGP routing data.
It can be appreciated that the BGP route data monitoring method provided in the embodiments of the present application may be executed by the server 100.
Fig. 2 shows a flowchart of a BGP routing data monitoring method provided in an embodiment of the present application, which may specifically include the following operations. The description below takes a server as the executing entity.
S201: The server acquires BGP routing data.
In one possible embodiment, the server may access the backbone network site of a basic network operator and obtain BGP routing data in real time through Kafka. The BGP routing data acquired by the server is stored in the binary format of the Multi-threaded Routing Toolkit (MRT). The server can pass the acquired BGP routing data through Kafka into the Flink distributed big data platform, which facilitates subsequent stream computing and monitoring of the BGP routing data.
The basic network operators may include operators such as China Mobile and China Unicom. Kafka is a high-throughput distributed publish-subscribe messaging system that can handle all action stream data of consumers on a website. The Flink big data platform is a distributed processing engine framework for stateful computation over unbounded and bounded data streams, with very strong fault recovery and fault tolerance. Stream computing is a high-frequency, incremental, real-time data processing mode. It processes continuously generated data in real time, so that data is neither backlogged nor lost.
Optionally, after acquiring the BGP routing data, the server may bypass the data stream of the BGP routing data acquired in real time once through a Process operator. That is, the server may copy the BGP routing data and transfer the copy into the routing full database by means of time windows (Time Windows). The routing full database may be ClickHouse, a column-oriented distributed database.
Storing the BGP routing data in the routing full database makes it available for other analyses based on other user requirements.
S202: The server parses the BGP routing data to obtain a first feature of the BGP routing data.
The first feature of the BGP routing data comprises elements in the BGP routing data.
Some elements in BGP routing data change during route hijacking. The server can therefore determine from the changed elements whether the BGP routing data has been hijacked, and monitor the BGP routing data more accurately. For example, IP prefix hijacking may cause a change in prefix information: if 1.0.0.1/24, which has always been announced by AS1 in the historical data, is suddenly announced by AS2, this can be regarded as suspected abnormal behavior, and further judgment is needed to determine whether route hijacking has occurred. Such abnormal behavior involves changes in Prefix and AS Path.
In one possible embodiment, the server may parse the BGP routing data through a snap map operator, according to the BGP routing protocol corresponding to the acquired BGP routing data, to obtain the first feature of the BGP routing data. For example, the first feature of BGP routing data may include the routing prefix (Prefix), the next hop (Next Hop) IP address, the autonomous system path (AS Path), the local preference (Local-Pref) attribute, the multi-exit discriminator (Multi-Exit Discriminators, MED) attribute, and the community (Community) attribute.
Optionally, in order to determine whether the BGP routing data has changed relative to the historical BGP routing data for the same routing prefix, the first feature may also include the number of routing entries, the AS path length, the number of AS path adjacent tuples, the AS ingress and the AS egress. The number of routing entries is the number of BGP routing data items containing the routing prefix.
It will be appreciated that, in addition to the information described above, the first feature of BGP routing data may also include other information obtainable from the BGP routing data that characterizes its elements.
S203: The server acquires the first feature of the historical BGP routing data according to the routing prefix of the BGP routing data.
The first feature of the historical BGP routing data comprises elements in the historical BGP routing data.
In one possible embodiment, the server may obtain the first feature of the historical BGP routing data from the routing delta database according to the routing prefix of the BGP routing data. The first feature of the historical BGP routing data may include the routing prefix (Prefix), the next hop (Next Hop) IP address, the AS Path, the Local-Pref, the MED attribute and the count attribute, as well as the AS path length, the number of AS path adjacent tuples, the AS ingress and the AS egress corresponding to the historical BGP routing data.
As shown in fig. 3, an embodiment of the present application provides a feature diagram of BGP routing data. In fig. 3, the first feature of BGP routing data includes Prefix, AS Path, Next Hop, Local-Pref, MED and Community, together with the number of routing entries corresponding to Prefix, the AS path length corresponding to Prefix, the number of AS path adjacent tuples corresponding to Prefix, the AS ingress corresponding to Prefix, and the AS egress corresponding to Prefix.
Optionally, after determining the first feature of the BGP routing data, the server may further store it in a database. For example, the server may store the first feature of the BGP routing data in the routing delta database. This makes it possible to obtain the first feature of historical BGP routing data promptly when BGP routing data is monitored later, which improves the efficiency of BGP routing data monitoring.
As shown in fig. 3, an embodiment of the present application provides a schematic diagram of a first feature of BGP routing data. In fig. 3, the first feature of BGP routing data includes Prefix, AS Path, Next Hop, Local-Pref, MED and Community. It also includes the number of routing entries corresponding to Prefix, the AS path length corresponding to Prefix, the number of AS path adjacent tuples corresponding to Prefix, the AS ingress corresponding to Prefix, and the AS egress corresponding to Prefix.
In some embodiments, after determining the first feature of the BGP routing data and the first feature of the historical BGP routing data, and before clustering them to obtain a clustering result, the server may group the BGP routing data according to different preset criteria to obtain a plurality of groups of BGP routing data. The preset criteria may be empirical values chosen by those skilled in the art according to the BGP routing protocol, and may be set reasonably for the specific application scenario. For example, the server may divide BGP routing data into four groups: open messages (open), keepalive messages (keep alive), update messages (update) and notification messages (notification). As another example, the server may group BGP routing data to obtain a rule flow and a packet flow.
Grouping the BGP routing data reduces system overhead when the server later monitors the BGP routing data, so the credibility of the BGP routing data can be determined faster and monitoring efficiency is improved.
In other embodiments, the server may also clean the BGP routing data and check the validity of the data. For example, the server may determine the BGP routing data that includes a preset invalid value and delete it. The server may also determine the BGP routing data that lacks a well-known mandatory attribute and delete it. The well-known mandatory attributes include the autonomous system path (AS_PATH) attribute, the route origin (Origin) attribute and the next hop (Next Hop) attribute.
It can be appreciated that the preset invalid value may be an empirical value preset by a person skilled in the art and set reasonably for the specific application scenario, for example a private IP address, an IP address whose next hop is unreachable, or other values. The method by which the server checks data validity is not specifically limited; for example, the key of the BGP routing data may be used to check the validity of the BGP routing data.
By deleting the BGP routing data that includes a preset invalid value and the BGP routing data that lacks a well-known mandatory attribute, unusable data is cleaned out of the BGP routing data, normal usable data is kept, and identifiable errors in the BGP routing data are corrected.
In other embodiments, before the server clusters the first feature of BGP route data and the first feature of historical BGP route data to obtain a clustering result, the server may normalize BGP route data. For example, BGP routing data is normalized to the [0,1] interval. In the method, the influence of scale, characteristics, distribution difference and the like of the BGP routing data on the clustering result can be reduced by normalizing the BGP routing data, so that the clustering result is more accurate.
S204, the server clusters the first characteristics of the BGP routing data and the first characteristics of the historical BGP routing data to obtain a clustering result.
The clustering result is used for representing the dispersion degree of BGP routing data on the elements.
In one possible embodiment, the server may use a K-means (K-means) algorithm to cluster the first feature of BGP route data and the first feature of historical BGP route data, so as to obtain a clustering result.
It should be noted that, the embodiment of the present application does not limit the clustering algorithm, and the server may also use other clustering algorithms, such as a mean shift clustering algorithm, a hierarchical clustering algorithm, etc., to cluster the first feature of BGP route data and the first feature of historical BGP route data.
S205, the server determines the reliability of BGP route data according to the clustering result.
The clustering result may include a plurality of clusters. Each cluster can be seen as being made up of points in a multidimensional space. Points in the multidimensional space may be considered as first features of BGP routing data as well as first features of historical BGP routing data. Each cluster has a centroid. It is to be appreciated that the centroid may be a point corresponding to the first feature of BGP routing data or the first feature of historical BGP routing data. The centroid may also be a virtual point determined from points in the cluster.
In a possible implementation manner, the server may map the clustering result to a preset reliability interval according to a preset mapping relationship, so as to obtain the reliability of the BGP route data. For example, assume that the preset mapping relationship multiplies the distance between a first-feature point in the clustering result and its centroid by 10 to obtain the reliability. If the first-feature point of a piece of BGP routing data 1.0.0.1/24 is at a distance of 0.21 from the centroid, the server multiplies that distance by 10 according to the preset mapping relationship and obtains a reliability of 2.1 for the BGP routing data. For another example, assume that the preset mapping relationship divides the distance between a first-feature point in the clustering result and its centroid by 5 to obtain the reliability. If the first-feature point of a piece of BGP routing data 1.0.0.1/26 is at a distance of 20 from the centroid, the server divides that distance by 5 according to the preset mapping relationship and obtains a reliability of 4 for the BGP routing data. In this way, the clustering result is mapped to a reliability interval preset by the user, the reliability of the BGP routing data is obtained in a timely manner, and the BGP routing data can be conveniently monitored through the reliability.
It can be understood that the mapping relationship between the clustering result and the credibility can be an empirical value preset by a person skilled in the art, and can be reasonably set according to a specific application scenario. The mapping relation between the clustering result and the credibility can also be determined by the service end according to a route prefix credibility model generated by training a large amount of historical BGP route data.
In another possible implementation manner, the server may determine the reliability from the number of elements included in the clustering result. For example, it may be preset that when the number of adjacent triples of the AS path corresponding to the Prefix, in the first feature of the BGP route data and the first feature of the historical BGP route data, falls within the interval [a, b], the reliability is determined to be c, and so on.
S206, the server determines that the BGP route data is abnormal BGP route data under the condition that the reliability meets the preset rule.
In one possible case, the preset rule may be that route data whose reliability falls within an abnormal reliability interval is abnormal BGP route data. For example, assume that the abnormal reliability interval is the score interval [2, 4] and that the server determines the reliability of the BGP route data to be 2. Because the reliability 2 falls within the abnormal reliability interval, the server may determine that the BGP route data is abnormal BGP route data.
In another possible case, the preset rule may be that BGP route data whose reliability does not exceed a first threshold is abnormal BGP route data. For example, assume that the first threshold is 5. If the reliability of the BGP route data is 3, which does not exceed the first threshold 5, the server may determine that the BGP route data is abnormal BGP route data.
It can be appreciated that the foregoing preset rules may be preset by those skilled in the art, and may be reasonably set according to a specific application scenario.
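The scoring path of S204 to S206 (normalization to [0, 1], K-means, distance to the centroid multiplied by 10, abnormal interval [2, 4]) as an added example; it is not code from the application. The choice of numeric features (AS path length, adjacent AS triples, Local-Pref), k = 2, the seeding rule and the sample routes are assumptions constructed for illustration.

```python
import math

def features(route):
    """Numeric part of the first feature: AS path length, adjacent AS triples, Local-Pref."""
    path = route["as_path"]
    triples = {tuple(path[i:i + 3]) for i in range(len(path) - 2)}
    return [float(len(path)), float(len(triples)), float(route["local_pref"])]

def normalize(rows):
    """Min-max scale every column to [0, 1]; a constant column becomes 0.0."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [max(c) - min(c) for c in cols]
    return [[(v - l) / s if s else 0.0 for v, l, s in zip(row, lo, span)] for row in rows]

def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm, seeded with the first k distinct points so runs are repeatable."""
    centroids = []
    for p in points:
        if p not in centroids:
            centroids.append(list(p))
        if len(centroids) == k:
            break
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(len(centroids)), key=lambda j: math.dist(p, centroids[j]))
                      for p in points]
        if new_labels == labels:          # assignments stable: converged
            break
        labels = new_labels
        for j in range(len(centroids)):
            members = [p for p, label in zip(points, labels) if label == j]
            if members:
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, labels

def credibility(new_route, history, k=2, scale=10.0):
    """Cluster history plus the new route; score = scale * distance to its own centroid."""
    rows = [features(r) for r in history] + [features(new_route)]
    points = normalize(rows)
    centroids, labels = kmeans(points, k)
    return round(scale * math.dist(points[-1], centroids[labels[-1]]), 2)

def is_abnormal(score, interval=(2.0, 4.0)):
    """Preset rule from the text: a score inside the abnormal interval marks the route."""
    return interval[0] <= score <= interval[1]

# Constructed history for one prefix: two stable paths, four observations each.
# AS numbers come from the range reserved for documentation.
PATH_A = [64500, 64501, 64510]
PATH_B = [64500, 64502, 64503, 64504, 64510]
HISTORY = [{"as_path": p, "local_pref": 100} for p in [PATH_A] * 4 + [PATH_B] * 4]
LONGER = {"as_path": [64500, 64505, 64506, 64507, 64508, 64511], "local_pref": 100}
KNOWN = {"as_path": PATH_B, "local_pref": 100}

if __name__ == "__main__":
    for name, route in (("LONGER", LONGER), ("KNOWN", KNOWN)):
        score = credibility(route, HISTORY)
        print(name, score, "abnormal" if is_abnormal(score) else "normal")
```

When the history holds fewer than k distinct feature vectors, the new route seeds a centroid of its own and scores 0, so k has to be chosen per prefix along with the scale and the interval.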
After the server determines the reliability of BGP route data, in a possible case, the server may aggregate the BGP route data with the reliability corresponding to the BGP route data. The server may rank the reliability of the BGP route data according to the order of the reliability values from high to low. And storing the BGP routing data and the credibility corresponding to the BGP routing data according to the ranking order. The method can dynamically update the reliability ranking of the BGP routing data in real time, collect the reliability of the BGP routing data and improve the accuracy of BGP routing data monitoring.
Optionally, the server may also obtain historical BGP route data from the route increment database according to the route prefix. The server compares the BGP route data with the historical BGP route data and deletes repeated BGP route data to obtain BGP route change data, where the BGP route data includes the BGP route change data. After the BGP route change data is obtained, it is monitored through its reliability in the same way as the BGP route data above, which is not described again here. The route increment database may be a distributed file system (Hadoop Distributed File System, HDFS).
For example, the server may compare the first feature of the BGP route data with the first feature of the historical BGP route data. That is, the server may compare the Prefix, AS Path, Next Hop, Local-Pref, MED and Community of the BGP routing data with those of the historical BGP routing data. The server can then determine the repeated BGP route data and delete it to obtain the BGP route change data.
In the method, repeated BGP route data is deleted by comparing the BGP route data with historical BGP route data, and BGP route change data is obtained. The data volume required to be processed by the system can be reduced, the processing speed for determining the reliability of BGP route change data is improved, and the real-time performance of BGP route data monitoring is improved.
In the BGP route data monitoring process, operations such as fast querying of the BGP route data and the planning of data partitions have an important influence on the real-time performance of monitoring. Therefore, after the server determines the reliability of the BGP route change data, the server may hash the BGP route change data according to the route prefix to obtain a plurality of hash buckets, where the route prefix of the BGP route change data included in any one of the hash buckets is the same. The server may store the BGP route change data and its reliability in the route increment database according to the grouping of the plurality of hash buckets. For example, the server may hash the BGP route change data according to the first 8 bits of the route prefix to obtain a plurality of hash buckets.
In the method, by means of hashing and storing the BGP route change data, the load is balanced, subsequent searching and comparison are facilitated, and when a user subsequently analyzes the BGP route data, the processing efficiency of the data is improved, and the parallelism is increased. The hash bucket mode is adopted to store BGP route change data, so that the consumption of storage space can be reduced, and less memory resources are occupied.
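The data preparation described above, as an added example that is not code from the application: duplicate removal against history over the six compared attributes, the validity check (AS_PATH, ORIGIN and NEXT_HOP present, no preset invalid value) and bucketing by the first 8 bits of the prefix. The record layout, the `unreachable_hops` parameter, the use of the RFC 1918 ranges as the "private" preset and the sample routes are assumptions.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MANDATORY = ("origin", "as_path", "next_hop")
COMPARED = ("prefix", "as_path", "next_hop", "local_pref", "med", "community")

def is_valid(route, unreachable_hops=frozenset()):
    """Reject routes that lack a mandatory attribute or carry a preset invalid value."""
    if any(route.get(attr) in (None, "", []) for attr in MANDATORY):
        return False
    try:
        net = ipaddress.ip_network(route["prefix"])   # strict: host bits must be zero
    except (KeyError, ValueError):
        return False
    if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
        return False
    return route["next_hop"] not in unreachable_hops

def identity(route):
    """Hashable key over the six attributes compared against history."""
    return tuple(tuple(v) if isinstance(v, list) else v
                 for v in (route.get(field) for field in COMPARED))

def bucket_id(prefix):
    """First 8 bits of the prefix's network address."""
    net = ipaddress.ip_network(prefix)
    return int(net.network_address) >> (net.max_prefixlen - 8)

def prepare(batch, history, unreachable_hops=frozenset()):
    """Drop duplicates, drop invalid routes, group the remaining change data by bucket."""
    seen = {identity(r) for r in history}
    buckets = defaultdict(list)
    for route in batch:
        key = identity(route)
        if key in seen:                   # repeats history or an earlier item of the batch
            continue
        seen.add(key)
        if is_valid(route, unreachable_hops):
            buckets[bucket_id(route["prefix"])].append(route)
    return dict(buckets)

def sample(prefix, as_path, next_hop="203.0.113.1"):
    """Constructed route record; every value here is illustrative."""
    return {"prefix": prefix, "origin": "IGP", "as_path": as_path, "next_hop": next_hop,
            "local_pref": 100, "med": 0, "community": ["64500:100"]}

HISTORY = [sample("198.51.100.0/24", [64500, 64510])]
BATCH = [
    sample("198.51.100.0/24", [64500, 64510]),                # duplicate of history
    sample("198.51.100.0/24", [64500, 64505, 64511]),         # changed AS path: kept
    sample("198.51.100.0/24", [64500, 64505, 64511]),         # repeated within the batch
    sample("10.1.0.0/16", [64500, 64510]),                    # private prefix
    sample("203.0.113.0/24", []),                             # AS_PATH missing
    sample("203.0.113.0/24", [64500, 64510], "203.0.113.9"),  # next hop unreachable
    sample("192.0.2.0/24", [64500, 64510]),                   # new prefix: kept
]
UNREACHABLE = {"203.0.113.9"}

if __name__ == "__main__":
    for bucket, routes in sorted(prepare(BATCH, HISTORY, UNREACHABLE).items()):
        print(bucket, [(r["prefix"], r["as_path"]) for r in routes])
```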
In another possible case, because fast querying of the BGP route data and the planning of data partitions have an important influence on the real-time performance of monitoring, the server may also use a connection (Connect) operator to merge the rule flow and the packet flow and compute statistics over the merged data, so as to obtain an abnormal BGP routing data set. The rule flow and the packet flow are obtained by grouping the BGP route data. The server may store the abnormal BGP route data set in an abnormal route database. For example, the abnormal route database may be the relational database management system MySQL.
By merging the rule flow and the packet flow through the Connect operator, computing statistics over the merged data to obtain the abnormal BGP route data set, and storing that set in the abnormal route database, the method makes it easier for the user to analyze the abnormal BGP route data set later and to collect and monitor abnormal BGP route information in real time.
In another possible embodiment, the server may also feed back the determined abnormal BGP route data to the user. For example, the server may send the abnormal BGP route data to the user in the form of an SMS alert. For another example, the server may send the abnormal BGP route data to a terminal; after receiving it, the terminal displays the abnormal BGP route data on an electronic screen so that the user can check it. The method by which the server feeds back the abnormal BGP routing data to the user is not particularly limited.
According to the method, the abnormal BGP route data is fed back to the user in time, so that the user can conveniently analyze the abnormal BGP route data in time, the efficiency of network safety protection is improved, and the user experience is improved.
The embodiment of the application evaluates the reliability of a routing prefix by means of machine learning: the reliability of the BGP route data is judged comprehensively from the features of the BGP route data, and whether route hijacking has occurred is determined from that reliability. Compared with the prior art, the accuracy of classified monitoring of BGP routing data is high. Meanwhile, the BGP route data is hashed into buckets for storage, and the route data is stored and updated by partition, which improves the efficiency of searching and querying route data, improves throughput, improves the real-time performance of route hijacking monitoring and judgment, and facilitates quick intervention and handling.
The embodiment of fig. 2 is illustrated below.
For example, the server acquires real-time BGP route data through Kafka, using the data collection capability of the basic network operator, and transmits the collected BGP route data, in MRT data format, to the Flink big data platform through Kafka. After the server obtains the BGP routing data, it copies the BGP routing data and stores the copy in the routing total database ClickHouse using a time window (Window).
The server acquires the historical BGP route data according to the route prefix, compares the acquired BGP route data with the historical BGP route data, and deletes the repeated BGP route data to obtain the BGP route change data. The server then groups the BGP route change data through KeyBy into a plurality of service flow groups according to different criteria.
The server may parse the BGP route data using a snap map operator to obtain the first feature of the BGP route data. The first feature of the BGP routing data includes the Prefix, AS Path, Next Hop, Local-Pref, MED, Community, the number of routing entries corresponding to the Prefix, the AS Path length corresponding to the Prefix, the number of adjacent triples of the AS Path corresponding to the Prefix, the AS ingress corresponding to the Prefix, and the AS egress corresponding to the Prefix. The server acquires the first feature of the historical BGP routing data according to the route prefix of the BGP route change data. The first feature of the historical BGP routing data includes the same elements: the Prefix, AS Path, Next Hop, Local-Pref, MED, Community, the number of routing entries corresponding to the Prefix, the AS Path length corresponding to the Prefix, the number of adjacent triples of the AS Path corresponding to the Prefix, the AS ingress corresponding to the Prefix, and the AS egress corresponding to the Prefix.
The server cleans and normalizes the BGP route change data and checks the validity of the data. It determines the BGP route change data that includes a preset invalid value and deletes it. It also determines the BGP route change data that lacks well-known mandatory attributes and deletes it.
The server normalizes the BGP route change data to the [0,1] interval and clusters the first feature of the BGP route change data and the first feature of the historical BGP route data using the K-means algorithm to obtain a clustering result. The server maps the clustering result according to the preset mapping relationship between the clustering result and the reliability interval, and obtains a reliability of 3 for the BGP route change data. Assume that the abnormal reliability interval is [2,4]. Because the reliability of the BGP route change data falls within the abnormal reliability interval, the BGP route change data is abnormal BGP route change data.
The server may further hash the BGP route change data according to the first 8 bits of the route prefix and store the BGP route change data in the route increment database HDFS, in the location of the corresponding hash bucket. The server uses the Connect operator to merge the rule flow and the packet flow obtained by grouping, computes statistics over the merged data, and extracts the abnormal BGP route data set. The server stores the abnormal BGP route data set in the abnormal route database MySQL.
As shown in fig. 4, the present application provides an exemplary flow chart for BGP route data monitoring.
S401, obtaining BGP route data;
S402, parsing the BGP route data to obtain a first feature of the BGP route data;
S403, copying the BGP route data;
S404, storing the copied BGP routing data in a routing total database;
S405, acquiring historical BGP route data according to the route prefix;
S406, comparing the BGP route data with the historical BGP route data and deleting the repeated BGP route data to obtain BGP route change data;
S407, acquiring a first feature of the historical BGP routing data according to the route prefix of the BGP routing data;
S408, grouping the BGP route change data according to different preset criteria to obtain a plurality of groups of BGP route change data;
S409, determining the BGP route change data that includes a preset invalid value;
S410, deleting the BGP route change data that includes the preset invalid value;
S411, determining the BGP route change data that lacks well-known mandatory attributes;
S412, deleting the BGP route change data that lacks well-known mandatory attributes;
S413, normalizing the BGP route change data that remains after deleting the BGP route change data including the preset invalid value and the BGP route change data lacking well-known mandatory attributes;
S414, clustering the first feature of the BGP routing data and the first feature of the historical BGP routing data to obtain a clustering result;
S415, mapping the clustering result to a preset reliability interval to obtain the reliability of the BGP route data;
S416, hashing the BGP route change data according to the route prefix to obtain a plurality of hash buckets;
S417, storing the BGP route change data and the corresponding reliability in a route increment database according to the grouping of the plurality of hash buckets;
S418, determining that the BGP route data is abnormal BGP route data when the reliability meets a preset rule;
S419, merging the rule flow and the packet flow using a connection operator and computing statistics over the merged data to obtain an abnormal BGP route data set, wherein the rule flow and the packet flow are obtained by grouping the BGP route data;
S420, storing the abnormal BGP routing data set in an abnormal routing database.
Further, based on the same technical concept, the embodiment of the application also provides a BGP route data monitoring device, which is configured to implement the BGP route data monitoring method flow in the embodiment of the application. Referring to fig. 5, the BGP route data monitoring device includes: an acquisition module 501, a parsing module 502 and a processing module 503, wherein:
an acquisition module 501, configured to obtain BGP route data;
the parsing module 502 is configured to parse the BGP route data to obtain a first feature of the BGP route data, where the first feature of the BGP route data includes an element in the BGP route data;
a processing module 503, configured to obtain a first feature of historical BGP route data according to a route prefix of the BGP route data, where the first feature of historical BGP route data includes an element in the historical BGP route data;
the processing module 503 is further configured to cluster the first feature of the BGP route data and the first feature of the historical BGP route data to obtain a clustering result, where the clustering result is used to characterize a degree of dispersion of the BGP route data on the element;
the processing module 503 is further configured to determine reliability of BGP route data according to the clustering result;
the processing module 503 is further configured to determine that the BGP route data is abnormal BGP route data if the reliability meets a preset rule.
Optionally, the processing module 503 is further configured to:
determining BGP route data comprising a preset invalid value in the BGP route data;
deleting BGP route data comprising a preset invalid value;
determining, in the BGP routing data, BGP routing data that lacks well-known mandatory attributes, wherein the well-known mandatory attributes comprise an autonomous system path AS_Path attribute, a route Origin attribute and a Next Hop attribute;
deleting the BGP route data that lacks the well-known mandatory attributes.
Optionally, the processing module 503 is further configured to:
normalizing BGP routing data.
Optionally, before parsing the BGP route data to obtain the first feature of the BGP route data, the processing module 503 is further configured to:
acquiring the historical BGP routing data according to the routing prefix;
and comparing the BGP route data with the historical BGP route data, deleting the repeated BGP route data to obtain BGP route change data, wherein the BGP route data comprises the BGP route change data.
Optionally, the processing module 503 is further configured to:
hashing the BGP route change data according to the route prefix to obtain a plurality of hash buckets, wherein the route prefix of the BGP route change data included in any one of the hash buckets is the same;
and storing the BGP route change data and the reliability of the BGP route change data in a route increment database according to the grouping of the plurality of hash buckets.
Optionally, the processing module 503 is further configured to:
grouping the BGP routing data according to different preset criteria to obtain a plurality of groups of BGP routing data.
Optionally, the processing module 503 is further configured to:
merging the rule flow and the packet flow using a connection operator and computing statistics over the merged data to obtain an abnormal BGP routing data set, wherein the rule flow and the packet flow are obtained by grouping the BGP routing data;
storing the abnormal BGP route data set in an abnormal route database.
Optionally, the processing module 503 is further configured to:
copying BGP route data;
and storing the copied BGP routing data in a routing total database.
Optionally, when determining the reliability of the BGP route data according to the clustering result, the processing module 503 is configured to:
mapping the clustering result to a preset credibility interval to obtain the credibility of the BGP routing data.
Optionally, the processing module 503 is further configured to:
the first characteristic of the BGP routing data is stored in a database.
Based on the same technical concept, the embodiment of the application also provides electronic equipment, which can realize the flow of the monitoring method of the BGP routing data provided by the embodiment of the application. In one embodiment, the electronic device may be a server, a terminal device, or other electronic device. As shown in fig. 6, the electronic device may include:
At least one processor 601 and a memory 602 connected to the at least one processor 601. The specific connection medium between the processor 601 and the memory 602 is not limited in the embodiment of the present application; in fig. 6, the processor 601 and the memory 602 are connected by a bus 600 as an example. The bus 600 is shown as a bold line in fig. 6, and the manner in which the other components are connected is illustrated schematically and not by way of limitation. The bus 600 may be divided into an address bus, a data bus, a control bus, etc.; it is represented by only one thick line in fig. 6 for convenience, but this does not mean that there is only one bus or one type of bus. Alternatively, the processor 601 may be referred to as a controller; the name is not limiting.
In this embodiment of the present application, the memory 602 stores instructions executable by the at least one processor 601, and the at least one processor 601 may execute a BGP route data monitoring method as described above by executing the instructions stored in the memory 602. The processor 601 may implement the functions of the respective modules in the apparatus shown in fig. 5.
The processor 601 is the control center of the device. It can connect the various parts of the whole device through various interfaces and lines and, by running or executing the instructions stored in the memory 602 and calling the data stored in the memory 602, perform the various functions of the device and process data, thereby monitoring the device as a whole.
In one possible design, processor 601 may include one or more processing units, and processor 601 may integrate an application processor and a modem processor, wherein the application processor primarily processes operating systems, user interfaces, application programs, and the like, and the modem processor primarily processes wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 601. In some embodiments, processor 601 and memory 602 may be implemented on the same chip, or they may be implemented separately on separate chips in some embodiments.
The processor 601 may be a general purpose processor such as a CPU, digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, that may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a BGP route data monitoring method disclosed in connection with the embodiments of the present application may be directly embodied in a hardware processor or implemented by a combination of hardware and software modules in the processor.
The memory 602 is a non-volatile computer readable storage medium that can be used to store non-volatile software programs, non-volatile computer executable programs, and modules. The memory 602 may include at least one type of storage medium, which may include, for example, flash memory, hard disk, multimedia card, card memory, random access memory (Random Access Memory, RAM), static random access memory (Static Random Access Memory, SRAM), programmable read-only memory (Programmable Read Only Memory, PROM), read-only memory (Read-Only Memory, ROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), magnetic memory, magnetic disk, optical disk, and the like. The memory 602 may also be, without being limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 602 in the present embodiment may also be circuitry or any other device capable of implementing a memory function, for storing program instructions and/or data.
By programming the processor 601, the code corresponding to the BGP route data monitoring method described in the foregoing embodiment may be burned into a chip, so that the chip can execute the steps of the BGP route data monitoring method of the embodiment shown in fig. 2 when running. How to design and program the processor 601 is a technique well known to those skilled in the art and is not described in detail here.
Based on the same inventive concept, the embodiments of the present application further provide a storage medium storing computer instructions that, when executed on a computer, cause the computer to perform a BGP route data monitoring method as described above.
In some possible embodiments, aspects of a BGP route data monitoring method may also be implemented in the form of a program product, which includes program code for causing the control apparatus to perform the steps of a BGP route data monitoring method according to various exemplary embodiments of the present application described above when the program product is run on a device.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (13)

1. A method for monitoring BGP route data, the method comprising:
obtaining BGP route data;
analyzing the BGP routing data to obtain a first feature of the BGP routing data, wherein the first feature of the BGP routing data comprises elements in the BGP routing data;
acquiring first characteristics of historical BGP routing data according to the routing prefix of the BGP routing data, wherein the first characteristics of the historical BGP routing data comprise elements in the historical BGP routing data;
clustering the first characteristics of the BGP routing data and the first characteristics of the historical BGP routing data to obtain a clustering result, wherein the clustering result is used for representing the dispersion degree of the BGP routing data on the elements;
determining the credibility of the BGP routing data according to the clustering result;
and under the condition that the credibility meets a preset rule, determining that the BGP routing data is abnormal BGP routing data.
2. The method according to claim 1, wherein the method further comprises:
determining BGP route data comprising a preset invalid value in the BGP route data;
deleting the BGP routing data comprising the preset invalid value;
determining, in the BGP routing data, BGP routing data that lacks well-known mandatory attributes, wherein the well-known mandatory attributes comprise an autonomous system path AS_Path attribute, a route Origin attribute and a Next Hop attribute;
deleting the BGP route data that lacks the well-known mandatory attributes.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
normalizing the BGP route data.
4. The method of claim 1, wherein prior to said parsing the BGP route data to obtain the first feature of the BGP route data, the method further comprises:
acquiring the historical BGP routing data according to the routing prefix;
comparing the BGP route data with the historical BGP route data, deleting repeated BGP route data to obtain BGP route change data, wherein the BGP route data comprises the BGP route change data.
5. The method according to claim 4, wherein the method further comprises:
hash-partitioning the BGP route change data according to route prefixes to obtain a plurality of hash buckets, wherein the route prefixes of the BGP route change data included in any one of the hash buckets are the same;
and storing the BGP route change data and the credibility of the BGP route change data in a route increment database according to the grouping of the hash buckets.
6. The method according to claim 1, wherein the method further comprises:
and grouping the BGP routing data according to different preset standards to obtain a plurality of groups of BGP routing data.
7. The method of claim 6, wherein the method further comprises:
performing merged-stream data statistics on a rule stream and a packet stream using a connection operator to obtain an abnormal BGP route data set, wherein the rule stream and the packet stream are obtained by grouping the BGP route data;
and storing the abnormal BGP routing data set in an abnormal routing database.
8. The method according to claim 1, wherein the method further comprises:
copying the BGP routing data;
and storing the copied BGP routing data in a routing total database.
9. The method of claim 1, wherein determining the credibility of the BGP route data according to the clustering result specifically comprises:
mapping the clustering result to a preset credibility interval to obtain the credibility of the BGP routing data.
10. The method according to claim 1, wherein the method further comprises:
storing the first feature of the BGP routing data in a database.
11. A BGP route data monitoring device, comprising:
the acquisition module is used for acquiring BGP route data;
the analysis module is used for analyzing the BGP routing data to obtain a first feature of the BGP routing data, wherein the first feature of the BGP routing data comprises elements in the BGP routing data;
the processing module is used for acquiring a first feature of historical BGP routing data according to the routing prefix of the BGP routing data, wherein the first feature of the historical BGP routing data comprises elements in the historical BGP routing data;
the processing module is further configured to cluster the first feature of the BGP route data and the first feature of the historical BGP route data to obtain a clustering result, where the clustering result is used to characterize a degree of dispersion of the BGP route data on the elements;
the processing module is further configured to determine, according to the clustering result, the credibility of the BGP route data;
the processing module is further configured to determine that the BGP route data is abnormal BGP route data if the credibility meets a preset rule.
12. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1-10 when executing the computer program.
13. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any of claims 1-10.
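The pipeline of claims 1, 2 and 9 can be sketched as follows. This is an added example, not code from the patent or the applicant. The choice of elements (origin AS, upstream AS, path length), the clustering by identical value, the 0 to 100 credibility interval and the threshold of 20 are all assumptions made for illustration, and the route records are constructed from documentation address and AS-number ranges.

```python
from collections import Counter

MANDATORY = ("as_path", "origin", "next_hop")  # attributes named in claim 2

def is_well_formed(route):
    """Claim 2 style pre-filter: reject records missing a mandatory attribute."""
    return all(route.get(k) for k in MANDATORY)

def features(route):
    """'First feature' of a route; which elements to extract is an assumption."""
    path = route["as_path"]
    return {"origin_as": path[-1], "upstream_as": path[-2] if len(path) > 1 else None,
            "path_len": len(path)}

def cluster_share(new_feat, hist_feats):
    """Cluster new + historical values per element (identical values form one
    cluster) and return the fraction of points in the new route's cluster."""
    shares = {}
    for elem, value in new_feat.items():
        counts = Counter(f[elem] for f in hist_feats)
        counts[value] += 1
        shares[elem] = counts[value] / sum(counts.values())
    return shares

def credibility(shares, lo=0.0, hi=100.0):
    """Claim 9 style mapping onto a preset interval; the weakest element decides."""
    return lo + (hi - lo) * min(shares.values())

def monitor(route, history, threshold=20.0):
    """Return (credibility, is_abnormal); credibility is None if not scored."""
    if not is_well_formed(route):
        return None, False                      # discarded before analysis
    hist = [features(h) for h in history.get(route["prefix"], []) if is_well_formed(h)]
    if not hist:
        return None, False                      # no same-prefix baseline yet
    score = credibility(cluster_share(features(route), hist))
    return score, score < threshold             # assumed "preset rule"

# Constructed sample data: documentation prefix and documentation-range ASNs.
def make_route(path, next_hop="198.51.100.1"):
    return {"prefix": "192.0.2.0/24", "as_path": path, "origin": "IGP", "next_hop": next_hop}

HISTORY = {"192.0.2.0/24": [make_route([64500, 64501, 64496]) for _ in range(9)]}

if __name__ == "__main__":
    print(monitor(make_route([64500, 64501, 64496]), HISTORY))   # matches the baseline
    print(monitor(make_route([64500, 64511]), HISTORY))          # new origin, shorter path
    print(monitor(make_route([64500, 64496], next_hop=""), HISTORY))  # filtered out
```

A prefix with no stored history is left unscored rather than rated fully credible, since a single point always forms its own cluster and would otherwise look perfectly consistent.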
CN202211667889.XA 2022-12-23 2022-12-23 BGP route data monitoring method and device and electronic equipment Pending CN116318800A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211667889.XA CN116318800A (en) 2022-12-23 2022-12-23 BGP route data monitoring method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211667889.XA CN116318800A (en) 2022-12-23 2022-12-23 BGP route data monitoring method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN116318800A true CN116318800A (en) 2023-06-23

Family

ID=86817468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211667889.XA Pending CN116318800A (en) 2022-12-23 2022-12-23 BGP route data monitoring method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN116318800A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118381670A (en) * 2024-06-21 2024-07-23 北京天元特通科技有限公司 Method, device, electronic equipment and storage medium for determining border gateway protocol traffic

Similar Documents

Publication Publication Date Title
US10505819B2 (en) Method and apparatus for computing cell density based rareness for use in anomaly detection
US10154053B2 (en) Method and apparatus for grouping features into bins with selected bin boundaries for use in anomaly detection
US10365915B2 (en) Systems and methods of monitoring a network topology
US10333815B2 (en) Real-time detection of abnormal network connections in streaming data
US11930039B1 (en) Metric space modeling of network communication
US12271287B2 (en) Method and system for recommending runbooks for detected events
US11784974B2 (en) Method and system for intrusion detection and prevention
CN115529595B (en) A method, device, equipment and medium for detecting abnormality in log data
CN109831507B (en) Internet of things system, load balancing method and storage medium
US11089039B2 (en) Network traffic spike detection and management
CN108076019A (en) Anomalous traffic detection method and device based on traffic mirroring
US20160269428A1 (en) Data processing
US10425273B2 (en) Data processing system and data processing method
CN105187279A (en) Traffic statistical and real-time ranking method
CN119697086B (en) Network equipment discovery method
JP6375047B1 (en) Firewall device
CN116318800A (en) BGP route data monitoring method and device and electronic equipment
JP2017199250A (en) Computer system, data analysis method, and computer
US20240143746A1 (en) Context aware behavioral anomaly detection in computing systems
CN114584453B (en) Fault analysis method and device for application system
CN117891641A (en) Fault object positioning method and device, storage medium and electronic device
CN110505238A (en) Processing device and method of message queue based on EDR
CN117544474A (en) Alarm message processing method, device, electronic equipment and storage medium
CN113992364A (en) Network data packet blocking optimization method and system
US11693851B2 (en) Permutation-based clustering of computer-generated data entries

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination