Disclosure of Invention
The invention aims to provide a method and a system for remote real-time monitoring of network attacks on a switch group, so as to solve one or more technical problems in the prior art and at least provide a beneficial choice or create favorable conditions.
A switch group is a common building block in network engineering. Its MAC address table is an important basis for identifying network attacks: the table records the mapping between the MAC addresses and the ports of the network devices attached to the switch group, and it is the means by which new MAC addresses are learned and assigned to their corresponding ports.
The invention provides a remote real-time monitoring method and system for network attacks on a switch group. The time at which the MAC address table of the switch group receives each data frame containing a MAC address is recorded as the data receiving time; the MAC addresses contained in the data frames are extracted, and the set of mutually distinct extracted MAC addresses is taken as the address set; the receiving time interval of each MAC address in the address set is calculated, and from these the threshold of the receiving time interval is calculated. If a new address has no corresponding egress interface in the MAC address table, it is judged whether the receiving time interval of the new address exceeds the threshold, and if so, the new address is treated as a network attack and rejected.
In order to achieve the above object, according to an aspect of the present invention, there is provided a network attack remote real-time monitoring method for a switch group, the method including the steps of:
S100, forming a switch group from a plurality of switches, and obtaining the MAC address table of the switch group;
S200, receiving, by the switch group, a plurality of data frames containing MAC addresses, and recording them to obtain the MAC address table of the switch group; the time at which the MAC address table receives each data frame containing a MAC address is taken as the data receiving time;
S300, extracting the MAC address contained in each of the data frames containing MAC addresses received by the switch group, and taking the set of mutually distinct extracted MAC addresses as the address set;
S400, calculating the receiving time interval of each MAC address in the address set according to the address set, the data receiving time and the MAC address table;
S500, calculating the threshold of the receiving time interval according to the receiving time intervals of the MAC addresses in the address set;
S600, recording the MAC address contained in a data frame newly received by the switch group as a new address, judging whether the receiving time interval of the new address exceeds the threshold, and if so, treating the new address as a network attack;
S700, for a new address treated as a network attack, calculating the distance between the new address and each MAC address in the MAC address table, selecting the MAC address in the table with the minimum distance to the new address, taking the egress interface corresponding to that MAC address as the transfer egress interface, and sending the data frame containing the new address to the transfer egress interface.
Further, in S100, the method of forming a switch group from a plurality of switches and obtaining the MAC address table of the switch group is: a plurality of different switches are used to form a switch group and a local area network, the local area network is connected to an external network, and the MAC address table of the switch group is obtained.
Further, in S200, the method by which the switch group receives a plurality of data frames containing MAC addresses and records them to obtain the MAC address table of the switch group, with the time at which the MAC address table receives each data frame containing a MAC address taken as the data receiving time, is:
the switch group receives a plurality of data frames containing MAC addresses, each data frame containing one MAC address, and the time at which the MAC address table of the switch group receives each data frame containing a MAC address is recorded and stored as the data receiving time.
Further, in S300, the method of extracting the MAC address contained in each of the data frames containing MAC addresses received by the switch group, and taking the set of mutually distinct extracted MAC addresses as the address set, is:
among the plurality of data frames containing MAC addresses, some data frames contain the same MAC address; all the MAC addresses contained in the plurality of data frames are obtained;
according to the time at which the MAC address table of the switch group receives each data frame containing a MAC address, the time at which each of these MAC addresses is received by the MAC address table is recorded, each MAC address having one or more times at which it was received by the MAC address table;
for each MAC address, a set is created, recorded as its time set, in which the one or more times at which the MAC address was received by the MAC address table are stored, the elements of the time set being arranged in chronological order;
the set of mutually distinct MAC addresses is taken as the address set and recorded as the set Aset; the number of elements in Aset is an, the serial number of an element in Aset is ai, ai ∈ [1, an], and the element with serial number ai in Aset is recorded as Aset(ai);
the set Aset is the address set.
Further, in S400, the method of calculating the receiving time interval of each MAC address in the address set according to the address set, the data receiving time and the MAC address table is:
according to the data receiving time, the time set corresponding to Aset(ai) is recorded as Bset(ai); the number of elements in Bset(ai) is n(ai), the serial number of an element in Bset(ai) is i(ai), i(ai) ∈ [1, n(ai)], and the element with serial number i(ai) in Bset(ai) is Bset(i(ai));
each element of the address set has a corresponding time set; the set formed by these time sets is taken as the address time set and recorded as Bset. Each element of the address time set is a time set, and the elements of the address time set correspond one-to-one with the elements of the address set, with the same number of elements and the same serial numbers: the number of elements in Bset is an, the serial number of an element in Bset is ai, and Bset(ai) is the element with serial number ai in Bset;
the aging time of the MAC address table is recorded as Tg;
for the time set corresponding to each element of the address set, the distribution distance of the elements in the time set is calculated first; the distribution distance of the elements in the time set Bset(ai) is denoted d(ai), and is calculated by the following formula:
wherein exp is the exponential function with the natural constant e as its base, and d(ai) is the distribution distance of the elements in the time set Bset(ai);
further, the distribution frequency of the elements in the time set is calculated; the distribution frequency of the elements in the time set Bset(ai) is denoted p(ai), and is calculated by the following formula:
according to the distribution distance and the distribution frequency, the receiving time interval of each MAC address in the address set is calculated; the time set corresponding to Aset(ai) is Bset(ai), the receiving time interval of Aset(ai) is denoted G(ai), and G(ai) is calculated as:
G(ai)= sqrt(p(ai)* d(ai))/Tg,
wherein sqrt is the square root function, the symbol | | is the absolute value symbol, and the formula for G(ai) is the method of calculating the receiving time interval of each MAC address in the address set;
the receiving time interval of each MAC address in the address set is thus calculated; each MAC address in the address set has its own receiving time interval, and the set formed by these receiving time intervals is the receiving time interval set, recorded as the set Cset.
Further, in S500, the method of calculating the threshold of the receiving time interval according to the receiving time intervals of the MAC addresses in the address set is: the set formed by the receiving time intervals of the MAC addresses in the address set is taken as the receiving time interval set and recorded as the set Cset, and the arithmetic mean of the elements of Cset is calculated as the threshold of the receiving time interval.
Further, in S600, the specific method of recording the MAC address contained in a data frame newly received by the switch group as a new address, judging whether the receiving time interval of the new address exceeds the threshold, and if so, treating the new address as a network attack, is:
the MAC address contained in a data frame newly received by the switch group is recorded as a new address; if the new address has no corresponding egress interface in the MAC address table, the receiving time interval of the new address is calculated and it is judged whether it exceeds the threshold; if so, the new address is treated as a network attack.
Further, in S700, the method of calculating, for a new address treated as a network attack, the distance between the new address and each MAC address in the MAC address table, selecting the MAC address in the table with the minimum distance to the new address, taking the egress interface corresponding to that MAC address as the transfer egress interface, and sending the data frame containing the new address to the transfer egress interface, is:
a MAC address is represented as a 48-bit binary number; the new address treated as a network attack is denoted Mact; the set of MAC addresses in the MAC address table is denoted Mlist, the serial number of an element in Mlist is q, the number of elements in Mlist is k, q ∈ [1, k], the element with serial number q in Mlist is denoted Mlist(q), and the egress interface corresponding to Mlist(q) in the MAC address table is denoted port(q);
Mlist(q) is a 48-bit binary number and b is the serial number of a bit in it, b ∈ [1, 48]; Mact is also a 48-bit binary number and b likewise denotes the serial number of a bit in Mact; the value of the bit with serial number b in Mlist(q) is Mlist(q, b), and the value of the bit with serial number b in Mact is Mact(b);
the function Til() calculates the distance between a new address treated as a network attack and any MAC address in the MAC address table; Til(Mact, Mlist(q)) is the distance between Mact and Mlist(q), and is calculated by the following formula:
wherein the function exp is the exponential function with the natural constant e as its base, and the formula for Til(Mact, Mlist(q)) is the method of calculating the distance between a new address treated as a network attack and any MAC address in the MAC address table;
using the function Til(), the distance between the new address treated as a network attack and each MAC address in the MAC address table is calculated; the MAC address in the table with the minimum distance to the new address is selected, the egress interface corresponding to it is taken as the transfer egress interface, the data frame containing the new address is sent through the transfer egress interface to the next-layer switch, and the next-layer switch then stores the data frame containing the new address in a separate storage space.
The invention also provides a network attack remote real-time monitoring system for a switch group, in which a processor executes a computer program to implement the steps of the network attack remote real-time monitoring method for a switch group. The system can run on computing devices such as desktop computers, notebooks, palmtop computers and cloud data centers, and the operable system can include, but is not limited to, a processor, a memory and a server cluster. The processor executes the computer program to run in the following units of the system:
a switch group unit, configured to form a switch group from a plurality of switches and obtain the MAC address table of the switch group;
a data receiving time recording unit, configured to have the switch group receive a plurality of data frames containing MAC addresses and record them to obtain the MAC address table of the switch group, the time at which the MAC address table receives each data frame containing a MAC address being taken as the data receiving time;
a MAC address extraction unit, configured to extract the MAC address contained in each of the data frames containing MAC addresses received by the switch group, and take the set of mutually distinct extracted MAC addresses as the address set;
a receiving time interval calculation unit, configured to calculate the receiving time interval of each MAC address in the address set according to the address set, the data receiving time and the MAC address table;
a threshold calculation unit, configured to calculate the threshold of the receiving time interval according to the receiving time intervals of the MAC addresses in the address set;
a threshold judgment unit, configured to record the MAC address contained in a data frame newly received by the switch group as a new address, judge whether the receiving time interval of the new address exceeds the threshold, and if so, treat the new address as a network attack and reject it;
and a data switching unit, configured to calculate, for a new address treated as a network attack, the distance between the new address and each MAC address in the MAC address table, select the MAC address in the table with the minimum distance to the new address, take the egress interface corresponding to that MAC address as the transfer egress interface, and send the data frame containing the new address to the transfer egress interface.
The beneficial effects of the invention are as follows. The invention provides a remote real-time monitoring method and system for network attacks on a switch group. The time at which the MAC address table of the switch group receives each data frame containing a MAC address is recorded as the data receiving time; the MAC addresses contained in the data frames are extracted, and the set of mutually distinct extracted MAC addresses is taken as the address set; the receiving time interval of each MAC address in the address set is calculated, and from these the threshold of the receiving time interval is calculated. If a new address has no corresponding egress interface in the MAC address table, it is judged whether the receiving time interval of the new address exceeds the threshold, and if so, the new address is treated as a network attack and rejected. Network attacks are thereby identified from the receiving time intervals of the MAC addresses in the address set.
Detailed Description
The conception, specific structure and technical effects of the present invention are described clearly and completely below with reference to the embodiments and the accompanying drawings, so that the objects, schemes and effects of the invention can be fully understood. It should be noted that the embodiments in the present application and the features of the embodiments may be combined with each other provided there is no conflict.
In the description of the present invention, "several" means one or more and "a plurality" means two or more; "greater than", "less than", "exceeding" and the like are understood as excluding the stated number, and "above", "below", "within" and the like are understood as including the stated number. Where "first" and "second" are used, they serve only to distinguish technical features and are not to be understood as indicating or implying relative importance, the number of the technical features indicated, or their order of precedence.
Fig. 1 is a flowchart of the network attack remote real-time monitoring method for a switch group according to the present invention; the method and system according to an embodiment of the present invention are described below with reference to Fig. 1.
The invention provides a network attack remote real-time monitoring method for a switch unit, which specifically comprises the following steps:
S100, forming a switch group from a plurality of switches, and obtaining the MAC address table of the switch group;
S200, receiving, by the switch group, a plurality of data frames containing MAC addresses, and recording them to obtain the MAC address table of the switch group; the time at which the MAC address table receives each data frame containing a MAC address is taken as the data receiving time;
S300, extracting the MAC address contained in each of the data frames containing MAC addresses received by the switch group, and taking the set of mutually distinct extracted MAC addresses as the address set;
S400, calculating the receiving time interval of each MAC address in the address set according to the address set, the data receiving time and the MAC address table;
S500, calculating the threshold of the receiving time interval according to the receiving time intervals of the MAC addresses in the address set;
S600, recording the MAC address contained in a data frame newly received by the switch group as a new address, judging whether the receiving time interval of the new address exceeds the threshold, and if so, treating the new address as a network attack;
S700, for a new address treated as a network attack, calculating the distance between the new address and each MAC address in the MAC address table, selecting the MAC address in the table with the minimum distance to the new address, taking the egress interface corresponding to that MAC address as the transfer egress interface, and sending the data frame containing the new address to the transfer egress interface;
the MAC address table may include: destination MAC address, VLAN to which the device belongs, egress interface, MAC table entry type and aging time.
Further, in S100, the method of forming a switch group from a plurality of switches and obtaining the MAC address table of the switch group is: a plurality of different switches are used to form a switch group and a local area network, the local area network is connected to an external network, and the MAC address table of the switch group is obtained.
Further, in S200, the method by which the switch group receives a plurality of data frames containing MAC addresses and records them to obtain the MAC address table of the switch group, with the time at which the MAC address table receives each data frame containing a MAC address taken as the data receiving time, is:
the switch group receives a plurality of data frames containing MAC addresses, each data frame containing one MAC address, and the time at which the MAC address table of the switch group receives each data frame containing a MAC address is recorded and stored as the data receiving time.
Further, in S300, the method of extracting the MAC address contained in each of the data frames containing MAC addresses received by the switch group, and taking the set of mutually distinct extracted MAC addresses as the address set, is:
among the plurality of data frames containing MAC addresses, some data frames contain the same MAC address; all the MAC addresses contained in the plurality of data frames are obtained;
according to the time at which the MAC address table of the switch group receives each data frame containing a MAC address, the time at which each of these MAC addresses is received by the MAC address table is recorded, each MAC address having one or more times at which it was received by the MAC address table;
for each MAC address, a set is created, recorded as its time set, in which the one or more times at which the MAC address was received by the MAC address table are stored (among the data frames containing MAC addresses received by the MAC address table of the switch group, some contain the same MAC address, that is, the MAC address table receives more than one data frame containing the same MAC address and therefore receives the same MAC address at several points in time, so one MAC address has one or more times at which it was received by the MAC address table), the elements of the time set being arranged in chronological order;
the set of mutually distinct MAC addresses is taken as the address set and recorded as the set Aset; the number of elements in Aset is an, the serial number of an element in Aset is ai, ai ∈ [1, an], and the element with serial number ai in Aset is recorded as Aset(ai);
the set Aset is the address set.
Further, in S400, the method of calculating the receiving time interval of each MAC address in the address set according to the address set, the data receiving time and the MAC address table is:
according to the data receiving time, the time set corresponding to Aset(ai) is recorded as Bset(ai); the number of elements in Bset(ai) is n(ai), the serial number of an element in Bset(ai) is i(ai), i(ai) ∈ [1, n(ai)], and the element with serial number i(ai) in Bset(ai) is Bset(i(ai));
each element of the address set has a corresponding time set; the set formed by these time sets is taken as the address time set and recorded as Bset. Each element of the address time set is a time set, and the elements of the address time set correspond one-to-one with the elements of the address set, with the same number of elements and the same serial numbers: the number of elements in Bset is an, the serial number of an element in Bset is ai, and Bset(ai) is the element with serial number ai in Bset;
the aging time of the MAC address table is recorded as Tg;
for the time set corresponding to each element of the address set, the distribution distance of the elements in the time set is calculated first; the distribution distance of the elements in the time set Bset(ai) is denoted d(ai), and is calculated by the following formula:
wherein the symbol if denotes a conditional judgment, exp is the exponential function with the natural constant e as its base, and d(ai) is the distribution distance of the elements in the time set Bset(ai);
further, the distribution frequency of the elements in the time set is calculated; the distribution frequency of the elements in the time set Bset(ai) is denoted p(ai), and is calculated by the following formula:
according to the distribution distance and the distribution frequency, the receiving time interval of each MAC address in the address set is calculated; the time set corresponding to Aset(ai) is Bset(ai), the receiving time interval of Aset(ai) is denoted G(ai), and G(ai) is calculated as:
G(ai)= sqrt(p(ai)* d(ai))/exp(Tg),
wherein sqrt is the square root function, the symbol | | is the absolute value symbol, and the formula for G(ai) is the method of calculating the receiving time interval of each MAC address in the address set;
the receiving time interval of each MAC address in the address set is thus calculated; each MAC address in the address set has its own receiving time interval, and the set formed by these receiving time intervals is the receiving time interval set, recorded as the set Cset.
Further, in S500, the method of calculating the threshold of the receiving time interval according to the receiving time intervals of the MAC addresses in the address set is: the set formed by the receiving time intervals of the MAC addresses in the address set is taken as the receiving time interval set and recorded as the set Cset; the arithmetic mean of the elements of Cset other than the element with the largest value and the element with the smallest value is calculated as the threshold of the receiving time interval, or, if no elements remain once the element with the largest value and the element with the smallest value are excluded, the arithmetic mean of all elements of Cset is calculated as the threshold of the receiving time interval.
Further, in S600, the specific method of recording the MAC address contained in a data frame newly received by the switch group as a new address, judging whether the receiving time interval of the new address exceeds the threshold, and if so, treating the new address as a network attack, is:
the MAC address contained in a data frame newly received by the switch group is recorded as a new address; if the new address has no corresponding egress interface in the MAC address table, the receiving time interval of the new address is calculated and it is judged whether it exceeds the threshold; if so, the new address is treated as a network attack and rejected.
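The grouping in S300 and the decisions in S500 and S600, as an added Python example that is not part of the patent text. The formulas for d(ai) and p(ai) are not reproduced on this page, so the G values are constructed sample numbers passed in as inputs; the function names, sample MAC addresses and interface names are assumptions.

```python
from collections import defaultdict
from statistics import fmean


def normalize_mac(mac: str) -> str:
    """Canonical form for table lookups: 12 lowercase hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def build_time_sets(frames):
    """S300: group receive times by distinct MAC address.

    frames is an iterable of (mac, receive_time). The keys of the result
    form the address set Aset; each value is that address's time set
    Bset(ai), in chronological order.
    """
    bset = defaultdict(list)
    for mac, rx_time in frames:
        bset[normalize_mac(mac)].append(rx_time)
    return {mac: sorted(times) for mac, times in bset.items()}


def interval_threshold(cset):
    """S500 as given in the detailed description.

    Arithmetic mean of Cset without its largest and smallest element;
    if nothing remains after removing them, the mean of all elements.
    """
    values = sorted(cset)
    if not values:
        raise ValueError("Cset is empty: no learned addresses to average")
    remaining = values[1:-1]  # drop one smallest and one largest element
    return fmean(remaining) if remaining else fmean(values)


def is_attack(new_mac, g_new, mac_table, threshold):
    """S600: flag a new address only if it has no egress interface in the
    MAC address table AND its receiving time interval exceeds the threshold.

    mac_table maps normalized MAC -> egress interface name.
    g_new is the G value of the new address (computed elsewhere).
    """
    if normalize_mac(new_mac) in mac_table:
        return False  # already learned: the interval test is not applied
    return g_new > threshold


# --- constructed sample data (locally administered MACs, made-up values) ---
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", 10.0),
    ("02-00-00-00-00-02", 11.5),
    ("02:00:00:00:00:01", 4.0),
    ("02:00:00:00:00:02", 12.0),
    ("02:00:00:00:00:01", 16.0),
]
SAMPLE_MAC_TABLE = {
    normalize_mac("02:00:00:00:00:01"): "GE0/0/1",
    normalize_mac("02:00:00:00:00:02"): "GE0/0/2",
}
# Constructed G(ai) values for four learned addresses; one outlier (5.0).
SAMPLE_CSET = [0.2, 0.4, 0.6, 5.0]

if __name__ == "__main__":
    print("time sets:", build_time_sets(SAMPLE_FRAMES))
    thr = interval_threshold(SAMPLE_CSET)
    print("threshold:", thr)
    for mac, g in [("02:00:00:00:00:01", 9.9), ("02:00:00:00:00:99", 0.8),
                   ("02:00:00:00:00:98", 0.3)]:
        print(mac, "attack" if is_attack(mac, g, SAMPLE_MAC_TABLE, thr) else "ok")
```

With the sample Cset, dropping the smallest and largest values keeps the outlier 5.0 out of the threshold, which the plain arithmetic mean would not.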
Further, in S700, the method of calculating, for a new address treated as a network attack, the distance between the new address and each MAC address in the MAC address table, selecting the MAC address in the table with the minimum distance to the new address, taking the egress interface corresponding to that MAC address as the transfer egress interface, and sending the data frame containing the new address to the transfer egress interface, is:
a MAC address is represented as a 48-bit binary number; the new address treated as a network attack is denoted Mact; the set of MAC addresses in the MAC address table is denoted Mlist, the serial number of an element in Mlist is q, the number of elements in Mlist is k, q ∈ [1, k], the element with serial number q in Mlist is denoted Mlist(q), and the egress interface corresponding to Mlist(q) in the MAC address table is denoted port(q);
Mlist(q) is a 48-bit binary number and b is the serial number of a bit in it, b ∈ [1, 48]; Mact is also a 48-bit binary number and b likewise denotes the serial number of a bit in Mact; the value of the bit with serial number b in Mlist(q) is Mlist(q, b), and the value of the bit with serial number b in Mact is Mact(b);
the function Til() calculates the distance between a new address treated as a network attack and any MAC address in the MAC address table; Til(Mact, Mlist(q)) is the distance between Mact and Mlist(q), and is calculated by the following formula:
wherein the function exp is the exponential function with the natural constant e as its base, and the formula for Til(Mact, Mlist(q)) is the method of calculating the distance between a new address treated as a network attack and any MAC address in the MAC address table;
using the function Til(), the distance between the new address treated as a network attack and each MAC address in the MAC address table is calculated; the MAC address in the table with the minimum distance to the new address is selected, the egress interface corresponding to it is taken as the transfer egress interface, the data frame containing the new address is sent through the transfer egress interface to the next-layer switch, and the next-layer switch then stores the data frame containing the new address in a separate storage space, whereby the data frame is used for attack processing in the IP layer-3 network.
In the present embodiment, the numerical calculation involved is subjected to dimensionless processing.
The network attack remote real-time monitoring system of the switch unit comprises: the processor executes the computer program to implement the steps in the embodiment of the network attack remote real-time monitoring method for the switch unit so as to control the switch unit, the network attack remote real-time monitoring system for the switch unit can be operated in computing devices such as desktop computers, notebooks, palm computers, cloud data centers and the like, and the operable system can include, but is not limited to, a processor, a memory and a server cluster.
As shown in fig. 2, the network attack remote real-time monitoring system of the switch group according to the embodiment of the present invention includes: a processor, a memory and a computer program stored in the memory and operable on the processor, the processor implementing the steps in the embodiment of the network attack remote real-time monitoring method for the switch group described above when executing the computer program, the processor executing the computer program to run in the units of the following system:
the switch unit, used for forming the switch unit from a plurality of switches and acquiring the MAC address table of the switch unit;
the data receiving time recording unit, used for receiving, by the switch unit, a plurality of data frames containing MAC addresses and recording them to obtain the MAC address table of the switch unit; the time at which the MAC address table receives each data frame containing a MAC address is used as the data receiving time;
the MAC address extraction unit, used for extracting the MAC address contained in each data frame received by the switch unit, and taking the set of mutually distinct MAC addresses so extracted as the address set;
a receiving time interval calculating unit, configured to calculate a receiving time interval of each MAC address in the address set according to the address set, the data receiving time, and the MAC address table;
a threshold calculation unit, configured to calculate a threshold of a receiving time interval according to a receiving time interval of each MAC address in the address set;
a threshold value judging unit, configured to mark an MAC address included in a data frame newly received by the switch group as a new address, and if the new address does not have a corresponding egress interface in the MAC address table, judge whether a receiving time interval of the new address exceeds a threshold value, and if so, take the new address as a network attack and refuse the network attack;
and the data switching unit, used for calculating, for a new address treated as a network attack, the distance between the new address and each MAC address in the MAC address table, selecting the MAC address in the MAC address table with the minimum distance to the new address, taking the egress interface corresponding to that MAC address as the transfer egress interface, and sending the data frame containing the new address to the transfer egress interface.
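The units listed above can be read as one pipeline; the following sketch is an added example, not the patent's own implementation. The per-address interval (mean gap between receptions), the threshold (mean plus k standard deviations), the interval assigned to a new address (time since the last recorded frame) and the Hamming distance used in place of Til() are all assumptions, and the table and frames are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed sample data: MAC address table (MAC -> egress interface) and
# (data receiving time in seconds, source MAC) for frames already recorded.
MAC_TABLE = {"00:1a:2b:00:00:01": "Gi0/1", "00:1a:2b:00:00:02": "Gi0/2",
             "00:1a:2b:00:00:03": "Gi0/3"}
FRAMES = [(0.0, "00:1a:2b:00:00:01"), (1.0, "00:1a:2b:00:00:02"),
          (2.0, "00:1a:2b:00:00:01"), (3.0, "00:1a:2b:00:00:03"),
          (4.0, "00:1a:2b:00:00:01"), (5.0, "00:1a:2b:00:00:02"),
          (7.0, "00:1a:2b:00:00:03")]

def receive_intervals(frames):
    """Mean gap between successive receptions of each distinct MAC (assumed formula)."""
    seen = {}
    for ts, mac in frames:              # frames are assumed to be in time order
        seen.setdefault(mac, []).append(ts)
    return {mac: mean(b - a for a, b in zip(t, t[1:]))
            for mac, t in seen.items() if len(t) > 1}

def hamming(mac_a, mac_b):
    """Bit distance between two 48-bit MACs; an assumed stand-in for Til()."""
    to_int = lambda m: int(m.replace(":", ""), 16)
    return bin(to_int(mac_a) ^ to_int(mac_b)).count("1")

def classify(new_mac, arrival, frames, mac_table, k=2.0):
    """Return (verdict, interface) for a newly received frame."""
    if new_mac in mac_table:                      # has an egress interface already
        return ("forward", mac_table[new_mac])
    intervals = list(receive_intervals(frames).values())
    threshold = mean(intervals) + k * pstdev(intervals)   # assumed threshold rule
    gap = arrival - max(ts for ts, _ in frames)   # assumed interval of a new address
    if gap <= threshold:
        return ("accept", None)                   # does not exceed threshold: not flagged
    # Exceeds threshold: treat as attack, do not learn the address, and pick the
    # egress interface of the nearest table entry as the transfer egress interface.
    nearest = min(mac_table, key=lambda m: (hamming(m, new_mac), m))
    return ("attack", mac_table[nearest])

if __name__ == "__main__":
    for mac, ts in [("00:1a:2b:00:00:02", 7.5), ("00:1a:2b:00:00:07", 8.0),
                    ("00:1a:2b:00:00:07", 20.0)]:
        print(mac, ts, classify(mac, ts, FRAMES, MAC_TABLE))
```

With the sample data the threshold is about 5.22 seconds, so the unknown address is accepted at t=8.0 and flagged at t=20.0, where its frame is handed to the interface of the closest table entry.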
The network attack remote real-time monitoring system of the switch unit can be operated in computing equipment such as a desktop computer, a notebook computer, a palm computer, a cloud data center and the like. The network attack remote real-time monitoring system for the switch group includes, but is not limited to, a processor and a memory. It will be understood by those skilled in the art that the example is only an example of the network attack remote real-time monitoring method and system for a switch group and does not constitute a limitation on them; the system may include more or fewer components than the example, combine some components, or use different components. For example, the network attack remote real-time monitoring system for a switch group may further include an input-output device, a network access device, a bus, and the like.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the network attack remote real-time monitoring system of the switch group, and uses various interfaces and lines to connect the various parts of the whole system.
The memory can be used for storing the computer program and/or the module, and the processor realizes various functions of the network attack remote real-time monitoring method and system of the switch group by running or executing the computer program and/or the module stored in the memory and calling the data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The invention provides a remote real-time monitoring method and system for network attacks on a switch unit. The time at which the MAC address table of the switch unit receives each data frame containing a MAC address is recorded as the data receiving time; the MAC addresses contained in the data frames are extracted, and the set of mutually distinct MAC addresses so extracted is used as the address set; the receiving time interval of each MAC address in the address set is calculated, and the threshold of the receiving time interval is then calculated. The MAC address contained in a newly received data frame is marked as a new address; if the new address does not have a corresponding egress interface in the MAC address table, it is judged whether the receiving time interval of the new address exceeds the threshold, and if so, the new address is treated as a network attack and refused. The beneficial effect of identifying network attacks according to the respective receiving time intervals of the MAC addresses in the address set is thereby realized.
Although the present invention has been described in considerable detail and with reference to certain illustrated embodiments, it is not intended to be limited to any such details or embodiments or any particular embodiment, so as to effectively encompass the intended scope of the invention. Furthermore, the foregoing describes the invention in terms of embodiments foreseen by the inventor for which an enabling description was available, notwithstanding that insubstantial modifications of the invention, not presently foreseen, may nonetheless represent equivalent modifications thereto.