CN105162663B - An online traffic identification method based on flow sets - Google Patents

Publication number
CN105162663B
Authority
CN
China
Legal status
Active
Application number
CN201510619088.XA
Other versions
CN105162663A (en)
Inventor
金鑫
徐杰
候颖
朱宇航
葛东东
于岩
苏哲
Current Assignee
National Computer Network and Information Security Management Center
PLA Information Engineering University
Original Assignee
National Computer Network and Information Security Management Center
PLA Information Engineering University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation

Abstract

The invention belongs to the field of network monitoring and specifically relates to an online traffic identification method based on flow sets. The hardware comprises a 10G backbone access module, a traffic screening module and a data processing module. The online traffic identification method comprises: Step 1: capture the network data flow and extract its packets; Step 2: generate and maintain the flow set information table; Step 3: run detection on the flow set; Step 4: classify the flow set. The invention solves the problems of low accuracy and low efficiency in online flow identification on high-speed links, and greatly improves the accuracy, reliability and validity of online flow identification on such links. The embodiments of this application were verified on traffic data of several different types, and the online traffic identification technique showed varying degrees of improvement in classification performance over the reference algorithm.

Description

An online traffic identification method based on flow sets
Technical field
The invention belongs to the field of network monitoring and specifically relates to an online traffic identification method based on flow sets.
Background
Network traffic identification is an important means of network monitoring. As the Internet becomes more widespread and network services keep developing, demand for online traffic identification keeps growing in application areas such as network optimization, QoS guarantees and network control. The classification algorithm must be able to run online and, based on the classification result, report immediately or take control action, for example when monitoring VoIP network telephony. At present, research on high-speed online processing of network traffic proceeds mainly along three lines: feature reduction, traffic identification and hardware acceleration. Online traffic identification requires identifying and labelling link traffic in real time, and as link bandwidth keeps rising the challenge of online traffic identification grows with it. At high traffic rates the algorithm must process traffic at line rate while still guaranteeing classification accuracy, which usually requires a trade-off among accuracy, cost-effectiveness and processing efficiency.
The invention approaches the problem from the new angle of traffic reduction and proposes a method that identifies flows with the same triple together, that is, an online traffic identification method based on flow sets (flow set: the set of flows that share the same triple). A triple is either the combination of source IP address, source port number and protocol type, or the combination of destination IP address, destination port number and protocol type. The method first analyzes the classification results of the multiple flows inside a flow set. Then, to guarantee the accuracy of traffic classification, it determines the application category of the flows in the flow set by a voting mechanism based on classification confidence. The flow aggregation degree is the ratio of the number of flows to the number of flow sets. The existence and scale of flow sets were verified and analyzed on real data from a live network. The analysis shows that the flow set phenomenon is widespread, but the flow aggregation degree varies. Theoretical analysis of the algorithm's classification error rate and processing speed shows that the greater the flow aggregation degree on a link, the more strongly flows sharing an endpoint are aggregated on that link, the greater the reduction in the computational intensity of the FSC algorithm, and the more significant the acceleration. In addition, when a link carries more large-scale flow sets, the reduction in computational intensity of the flow-set-based online traffic identification algorithm is greater and the acceleration is better.
Summary of the invention
To address the low accuracy and low efficiency of online flow identification on high-speed links in the prior art, the invention proposes an online traffic identification method based on flow sets.
The technical solution of the invention is an online traffic identification method based on flow sets, in which the hardware comprises a 10G backbone access module, a traffic screening module and a data processing module, and the online traffic identification method comprises the following steps:
Step 1: capture the network data flow and extract its packets;
Step 2: generate and maintain the flow set information table;
Step 3: run detection on the flow set;
Step 4: classify the flow set.
In the flow-set-based online traffic identification method, the network data flow is captured as follows: the 10G backbone access module connects to the 10G POS Internet traffic in the backbone network and completes the protocol conversion from 10G POS optical input to 10G ETH Ethernet input; incoming flows within the matching range are tracked, the raw input packets are filtered and screened, and the required data traffic is thereby separated out.
In the flow-set-based online traffic identification method, the flow set information table is generated and maintained as follows: the flow set information table stores the information of the flow sets on the link, and the information of a flow set includes the flow count, the application category, the flow set time window and the flow set classification error rate estimate. Because the space of the flow set information table is limited, it cannot store all the flow set information that appears on the link, so an LRU algorithm is used: the flow set with the lowest occurrence frequency is placed at the tail of the linked list, and when the number of flow sets exceeds the capacity of the flow set information table, the endpoint at the tail of the linked list is evicted.
In the flow-set-based online traffic identification method, the detection that the traffic screening module runs on a flow set comprises flow set matching rule detection, flow set time window matching rule detection and flow set error rate matching rule detection.
In the flow-set-based online traffic identification method, flow set matching rule detection is: the received packet is processed and, according to the packet's source and destination triples, the flow set information table is queried for an entry corresponding to the flow set the packet belongs to; the application information in the entry is then extracted and the packet is labelled with it.
In the flow-set-based online traffic identification method, flow set time window matching rule detection is: check whether the flow set triple information in the flow set information table has expired; if it has expired, it must be deleted.
In the flow-set-based online traffic identification method, flow set error rate matching rule detection is: check whether the classification error rate of the flow set is greater than the configured error rate threshold; if it is greater than the threshold, the flow set must be classified again.
In the flow-set-based online traffic identification method, the flow set is classified as follows: for incoming packets, the data processing module locates the flow table, extracts flow features and determines the flow type, estimates the classification error rate of the flow set from the flow classification confidence, and finally obtains the application category of the flow set by voting and updates the related information in the flow set information table.
The beneficial effects of the invention are as follows. The invention approaches the problem from the new angle of traffic reduction and proposes a method that identifies flows with the same triple together, that is, an online traffic identification method based on flow sets. The method first analyzes the classification results of the multiple flows inside a flow set. Then, to guarantee the accuracy of traffic classification, it determines the application category of the flows in the flow set by a voting mechanism based on classification confidence. The invention solves the problems of low accuracy and low efficiency in online flow identification on high-speed links, and greatly improves the accuracy, reliability and validity of online flow identification on such links.
Description of the drawings
Fig. 1 is the flow chart of the flow-set-based online traffic identification method;
Fig. 2 is the external interface diagram of the flow-set-based online traffic identification method;
Fig. 3 is the flow set classification process diagram of the flow-set-based online traffic identification method.
Detailed description of embodiments
Embodiment 1: an online traffic identification method based on flow sets, in which the hardware comprises a 10G backbone access module, a traffic screening module and a data processing module, and the online traffic identification method comprises the following steps:
Step 1: capture the network data flow and extract its packets. The network data flow is captured as follows: the 10G backbone access module connects to the 10G POS Internet traffic in the backbone network and completes the protocol conversion from 10G POS optical input to 10G ETH Ethernet input; incoming flows within the matching range are tracked, the raw input packets are filtered and screened, and the required data traffic is thereby separated out.
Step 2: generate and maintain the flow set information table. The flow set information table stores the information of the flow sets on the link, and the information of a flow set includes the flow count, the application category, the flow set time window and the flow set classification error rate estimate. Because the space of the flow set information table is limited, it cannot store all the flow set information that appears on the link, so an LRU algorithm is used: the flow set with the lowest occurrence frequency is placed at the tail of the linked list, and when the number of flow sets exceeds the capacity of the flow set information table, the endpoint at the tail of the linked list is evicted.
Step 3: run detection on the flow set. The detection that the traffic screening module runs on a flow set comprises flow set matching rule detection, flow set time window matching rule detection and flow set error rate matching rule detection.
Flow set matching rule detection is: the received packet is processed and, according to the packet's source and destination triples, the flow set information table is queried for an entry corresponding to the flow set the packet belongs to; the application information in the entry is then extracted and the packet is labelled with it. Specifically, after a packet is received it is processed: the source endpoint src_fs = {src_ip, src_port, src_proto} and the destination endpoint dst_fs = {dst_ip, dst_port, dst_proto} of the packet are extracted, and the FSIT (Flow Set Information Table) is queried separately for src_fs and dst_fs. If the source and destination triples have no matching entry in the FSIT, the flow type of the flow set is determined, the triple information is written into the FSIT, and the FSIT is updated. If the source and destination triples have a matching entry in the FSIT, the traffic must go on to time window matching rule detection.
Flow set time window matching rule detection is: check whether the flow set triple information in the flow set information table has expired; if it has expired, it must be deleted. Specifically, check whether the flow set time window has expired; if it has, delete the flow set record and update the FSIT; otherwise the error rate of the flow set must be estimated.
Flow set error rate matching rule detection is: check whether the classification error rate of the flow set is greater than the configured error rate threshold; if it is greater than the threshold, the flow set must be classified again. Specifically, if both src_fs and dst_fs hit, the endpoint record with the smaller error rate estimate is selected. If the flow set classification error rate estimate is greater than the threshold, the flow type of the flow set is determined and the FSIT is updated according to the result. If the flow set classification error rate estimate is not greater than the threshold, the packet is labelled with the flow set's application category label and the FSIT is updated.
Step 4: classify the flow set. The flow set is classified as follows: for incoming packets, the data processing module locates the flow table, extracts flow features and determines the flow type, estimates the classification error rate of the flow set from the flow classification confidence, and finally obtains the application category of the flow set by voting and updates the related information in the flow set information table.
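The FSIT lookup path of steps 2 to 4 in Embodiment 1, as an added Python example that is not code from the patent. The capacity, time window and threshold values, the error rate estimator (one minus the winning label's average confidence), the classifier callable and the sample flows are all assumptions; each input record stands for the first packet of a new flow, so the per-flow flow table is left out.

```python
from collections import Counter, OrderedDict
from dataclasses import dataclass, field

# Assumed values: the patent names these parameters but gives no numbers.
CAPACITY = 4           # max FSIT entries before LRU eviction
TIME_WINDOW = 60.0     # seconds a flow-set record stays valid
ERROR_THRESHOLD = 0.3  # above this estimate the flow set is re-classified


@dataclass
class Entry:
    flows: int = 0                                   # classified flows in this set
    votes: Counter = field(default_factory=Counter)  # summed confidence per label
    label: str = ""                                  # voted application category
    error: float = 1.0                               # estimated error rate
    expires: float = 0.0                             # end of the time window


class FSIT:
    """Flow Set Information Table keyed by (ip, port, proto) triples."""

    def __init__(self, classify, capacity=CAPACITY):
        self.classify = classify    # callable(flow) -> (label, confidence)
        self.capacity = capacity
        self.table = OrderedDict()  # least recently used entry comes first
        self.classifier_calls = 0

    def _lookup(self, key, now):
        entry = self.table.get(key)
        if entry is not None and now >= entry.expires:
            del self.table[key]     # time-window rule: drop the expired record
            return None
        return entry

    def _record(self, key, label, conf, now):
        entry = self.table.setdefault(key, Entry(expires=now + TIME_WINDOW))
        entry.flows += 1
        entry.votes[label] += conf
        entry.label, top = entry.votes.most_common(1)[0]
        # Assumed estimator: confidence mass not backing the winning label.
        entry.error = 1.0 - top / entry.flows
        self.table.move_to_end(key)
        return entry

    def process(self, flow, now):
        """Return (application label, 'fsit' or 'classified') for one new flow."""
        src = (flow["src_ip"], flow["src_port"], flow["proto"])
        dst = (flow["dst_ip"], flow["dst_port"], flow["proto"])
        hits = [(k, e) for k in (src, dst)
                if (e := self._lookup(k, now)) is not None]
        if hits:
            # If both endpoints hit, use the record with the smaller estimate.
            key, best = min(hits, key=lambda h: h[1].error)
            if best.error <= ERROR_THRESHOLD:
                self.table.move_to_end(key)
                return best.label, "fsit"
        # Miss, expired, or estimate above threshold: classify this flow and vote.
        label, conf = self.classify(flow)
        self.classifier_calls += 1
        updated = [self._record(k, label, conf, now) for k in (src, dst)]
        while len(self.table) > self.capacity:
            self.table.popitem(last=False)  # evict the least recently used set
        return min(updated, key=lambda e: e.error).label, "classified"


def demo():
    # Constructed flows to one server endpoint; "conf" stands in for the
    # confidence a real classifier would output.
    def flow(port, conf, t):
        return {"src_ip": "10.0.0.5", "src_port": port, "proto": "tcp",
                "dst_ip": "192.0.2.10", "dst_port": 443, "conf": conf}, t

    fsit = FSIT(lambda f: ("https", f["conf"]))
    trace = [flow(40001, 0.6, 0.0),   # miss -> classified, error 0.4
             flow(40002, 0.9, 1.0),   # hit, 0.4 > 0.3 -> re-classified, 0.25
             flow(40003, 0.9, 2.0),   # hit, 0.25 <= 0.3 -> labelled from FSIT
             flow(40004, 0.9, 90.0)]  # record expired at t=60 -> classified
    results = [fsit.process(f, t) for f, t in trace]
    return results, fsit.classifier_calls, len(fsit.table)


if __name__ == "__main__":
    print(demo())
```

Only three of the four constructed flows reach the classifier; the saving grows with the number of flows that share an endpoint, which is the flow aggregation effect the description refers to.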
Embodiment 2: with reference to Fig. 1 to Fig. 3, an online traffic identification method based on flow sets, in which the hardware comprises a 10G backbone access module, a traffic screening module and a data processing module. Before the embodiments of this application are described in detail, the symbols that may appear in them are explained as follows:
FSC: Traffic Identification based on Flow Set, the flow-set-based online traffic identification method;
FSIT: Flow Set Information Table, the flow set information table;
Fig. 1 is the flow chart of the flow-set-based online traffic identification method. The specific steps are as follows:
Step 101: capture the network traffic, complete the protocol conversion from optical port input to Ethernet input, and filter and screen the raw input packets.
Step 102: flow set matching detection. The received packet is processed and, according to the packet's source and destination triples, the flow set information table is queried for an entry corresponding to the flow set the packet belongs to; the application information in the entry is then extracted and the packet is labelled with it.
Step 103: the flow set classification module locates the flow table, extracts flow features and determines the flow type, estimates the classification error rate of the flow set from the flow classification confidence, and finally obtains the application category of the flow set by voting and updates the related information in the flow set information table. The flow-set-based online traffic identification method does not restrict which specific traffic classification algorithm is used.
Fig. 3 is the external interface diagram of the flow-set-based online traffic identification method. This example shows the front and back interfaces of the invention as follows:
Module 201: 10G input interface.
Specifically, it connects to the 10G POS Internet traffic in the backbone network and completes the protocol conversion from 10G POS optical input to 10G ETH Ethernet input;
Module 202: traffic screening module.
Specifically, incoming flows within the matching range are tracked and the required traffic is thereby separated out. According to the protocol features of the required packets, the data flow to be monitored is analyzed and packets suspected of being required are screened out; subsequent operations are performed on the required packet sequence, and other packets are discarded.
Module 203: data flow processing module.
Flow set matching rule detection in the flow-set-based online traffic identification technique of this application:
Specifically, after a packet is received it is processed: the source endpoint src_fs = {src_ip, src_port, src_proto} and the destination endpoint dst_fs = {dst_ip, dst_port, dst_proto} of the packet are extracted, and the FSIT is queried separately for src_fs and dst_fs. If the source and destination triples have no matching entry in the FSIT, the flow type of the flow set is determined, the triple information is written into the FSIT, and the FSIT is updated. If the source and destination triples have a matching entry in the FSIT, the traffic must go on to time window matching rule detection; see part 4 for details.
Flow set time window matching rule detection in the flow-set-based online traffic identification technique of this application:
Specifically, check whether the flow set time window has expired; if it has, delete the flow set record and update the FSIT; otherwise the error rate of the flow set must be estimated; see part 5 for details.
Flow set error rate matching rule detection in the flow-set-based online traffic identification technique of this application:
Specifically, if both src_fs and dst_fs hit, the endpoint record with the smaller error rate estimate is selected. If the flow set classification error rate estimate is greater than the threshold, the flow type of the flow set is determined and the FSIT is updated according to the result. If the flow set classification error rate estimate is not greater than the threshold, the packet is labelled with the flow set's application category label and the FSIT is updated.

Claims (1)

1. An online traffic identification method based on flow sets, the hardware comprising a 10G backbone access module, a traffic screening module and a data processing module, wherein data enters the traffic screening module through the 10G backbone access module and then flows into the data processing module, characterized in that the online traffic identification method comprises the following steps:
Step 1: capture the network data flow and extract its packets, the network data flow being captured as follows: the 10G backbone access module connects to the 10G POS Internet traffic in the backbone network and completes the protocol conversion from 10G POS optical input to 10G ETH Ethernet input; incoming flows within the matching range are tracked, the raw input packets are filtered and screened, and the required data traffic is thereby separated out;
Step 2: generate and maintain the flow set information table, the flow set information table being generated and maintained as follows: the flow set information table stores the information of the flow sets on the link, and the information of a flow set includes the flow count, the application category, the flow set time window and the flow set classification error rate estimate; because the space of the flow set information table is limited, it cannot store all the flow set information that appears on the link, so an LRU algorithm is used: the flow set with the lowest occurrence frequency is placed at the tail of the linked list, and when the number of flow sets exceeds the capacity of the flow set information table, the endpoint at the tail of the linked list is evicted;
Step 3: run detection on the flow set, the detection that the traffic screening module runs on a flow set comprising flow set matching rule detection, flow set time window matching rule detection and flow set error rate matching rule detection; the flow set matching rule detection is: the received packet is processed and, according to the packet's source and destination triples, the flow set information table is queried for an entry corresponding to the flow set the packet belongs to, and the application information in the entry is then extracted and the packet is labelled with it; the flow set time window matching rule detection is: check whether the flow set triple information in the flow set information table has expired, and if it has expired, it must be deleted; the flow set error rate matching rule detection is: check whether the classification error rate of the flow set is greater than the configured error rate threshold, and if it is greater than the threshold, the flow set must be classified again;
Step 4: classify the flow set, the flow set being classified as follows: for incoming packets, the data processing module locates the flow table, extracts flow features and determines the flow type, estimates the classification error rate of the flow set from the flow classification confidence, and finally obtains the application category of the flow set by voting and updates the related information in the flow set information table.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510619088.XA CN105162663B (en) 2015-09-25 2015-09-25 An online traffic identification method based on flow sets

Publications (2)

Publication Number Publication Date
CN105162663A (en) 2015-12-16
CN105162663B (en) 2019-02-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant