CN101006702A - Efficient classification of network packets - Google Patents

Efficient classification of network packets

Publication number
CN101006702A
Authority
CN (China)
Application number
CN 200580028082
Other languages
Chinese (zh)
Prior art keywords
feature, packet, feature vector, prism
Inventor
迈克尔·帕登
格雷戈里·G·罗斯
菲利普·M·霍克斯
Current Assignee
Qualcomm Inc
Original Assignee
Qualcomm Inc
Legal status
Pending (the listed status is an assumption, not a legal conclusion)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
Abstract

The present inventive embodiments describe a system and/or method for efficient classification of network packets. According to an aspect a method includes describing a packet as a feature vector and mapping the feature vector to a feature space. The method can further include defining a feature prism, classifying the packet relative to the feature prism, and determining if the feature vector matches the feature prism. If the feature vector matches the feature prism the packet is passed to a data recipient, if not, the packet is blocked. Another embodiment is an apparatus that includes an identification component that defines at least one feature of a packet and a classification component that classifies the packet based at least in part upon the at least one defined feature.

Description

Efficient classification of network packets
This application claims priority from the following applications:
U.S. Provisional Application No. 60/582,442, filed June 23, 2004, entitled "EFFICIENT CLASSIFICATION OF NETWORK PACKETS";
U.S. Provisional Application No. 60/588,549, filed July 15, 2004, entitled "SCALABLE REMOTE FIREWALLS";
U.S. Provisional Application No. 60/588,674, filed July 15, 2004, entitled "SYSTEM AND METHOD FOR EFFICIENT CLASSIFICATION OF NETWORK PACKETS";
All three applications are incorporated herein by reference in their entirety.
Field of the invention
The following description relates generally to data communication, and in particular to the efficient classification of network packets and to scalable firewalls.
Technical background
A firewall is a system that prevents unauthorized access to or from a private network; it can be implemented in hardware, in software, or as a combination of the two. The current trend in firewall protection is toward "personal firewalls". This trend has certainly brought security gains, and the configuration, functionality and portability (in the case of mobile devices) of firewalls have all improved. It is known as the "every node is a firewall" model, and it rests on a basic economic assumption: that the cost of delivering unwanted packets is negligible. That assumption is not always correct, particularly in wireless communications.
To be effective in an environment where the cost of delivering a packet is not negligible, a firewall should reduce unwanted traffic; even a small reduction in unwanted traffic yields a net gain. The more precisely the firewall policy matches the actual communication needs of the set of legitimate nodes, the more effective the policy is and the greater the reduction in unwanted traffic. A firewall in such an environment should therefore allow authorized sources to make remote, ad hoc updates to the policy.
A packet filter is a common kind of firewall: it either passes or blocks packets but does not otherwise touch the communication stream. At the core of every packet filter is a mechanism for classifying packets according to a given policy. Stateful packet filters (such as OpenBSD's pf) have scalable mechanisms for handling packets that belong to established streams. Packets that do not belong to an established stream are classified according to a policy expressed as a set of rules. These rules are generally processed in order to evaluate each packet.
Some packet classifiers apply optimization techniques to their rule sets to speed up packet processing. Mechanisms that terminate rule processing early under specific conditions are in common use. A more sophisticated example is pf's skip steps, which predictively skip over adjacent blocks of rules that cannot possibly match a given packet. This technique is very effective when the rule set is highly ordered and its rule criteria exhibit strong commonality. In a highly dynamic environment, however, where the rule set is continually updated incrementally, these conditions usually cannot be met.
In the past, classifier rule sets have typically been static in nature and have often been updated by manual procedures. Because existing classifiers usually exhibit order-dependent behaviour, it is generally difficult to insert or remove any rule from a policy without unnecessary or unintended side effects.
Nodes protected by a centralized packet filter may wish to extend their services at any time (generally by listening for stream-initiating packets). Likewise, they may wish to withdraw services offered earlier. This is consistent with the end-to-end model of the Internet. If the maximum number of unwanted packets is to be blocked while ad hoc service extension and ad hoc service withdrawal are permitted, the filtering policy must be updated dynamically by the nodes as changes occur. The filter should also have a mechanism (such as keep-alives) for discovering when a node has left the network, so that stale rules can be removed from the policy in time.
Summary of the invention
The following presents a simplified summary of one or more embodiments in order to provide a basic understanding of some aspects of those embodiments. This summary is not an extensive overview of the one or more embodiments, and is intended neither to identify key or critical elements of the embodiments nor to delineate their scope. Its sole purpose is to present some concepts of the described embodiments in a simplified form as a prelude to the more detailed description that follows.
The embodiments described herein are a method and/or system for efficiently classifying network packets. According to one feature, a method of classifying a packet is provided. The method includes describing the packet as a feature vector and mapping the feature vector to a feature space. The feature vector may be an n-dimensional feature vector and the feature space an n-dimensional feature space. The feature vector may include a feature represented by a number within a predefined range of values, and that number may be generated from at least one feature of the packet. According to another aspect, the method may include defining a feature prism, classifying the packet relative to the feature prism, and determining whether the feature vector matches the feature prism. The packet is classified according to the result of the matching: for example, if the feature vector matches the feature prism the packet is delivered to the recipient; otherwise the packet is blocked.
Another embodiment is an apparatus for classifying packets. The apparatus includes an identification component that defines at least one feature of the packet, and a classification component that classifies the packet based at least in part on the at least one defined feature. The identification component may also define the at least one feature of the packet as a number within a predefined range of values. A prediction component may also be included, which generates a stateful feature based at least in part on information from previous packets. A comparison component may also be included, which provides a matching process for classifying data access by the packet. A packet feature may be a feature that appears in the packet, a feature generated from values in the packet, and/or a stateful feature.
Another embodiment is a computer-readable medium having computer-executable instructions for inserting prisms into a spatial index. By querying the index with the packet's feature vector, the packet is matched against those prisms.
Another embodiment is a processor that executes instructions to apply packet matching. The instructions include constructing a spatial index and inserting prisms into the spatial index. By querying the spatial index, the packet is matched against the prisms.
To the accomplishment of the foregoing and related ends, the one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative aspects of the one or more embodiments. These aspects are indicative, however, of but a few of the various ways in which the principles of the embodiments may be employed, and the described embodiments are intended to include all such aspects and their equivalents.
Description of drawings
Fig. 1 is a block diagram of a communication system employing firewall technology.
Fig. 2 is a block diagram of a system for classifying packets.
Fig. 3 shows a packet classification system that defines packets according to features associated with the packet.
Fig. 4 shows a system that applies a matching process to deny and/or allow data access.
Fig. 5 is a flow chart of a method for classifying and matching packets.
Fig. 6 is a flow chart of a method for applying packet matching.
Fig. 7 is a flow chart of a method for applying packet classification and filtering.
Fig. 8 shows a communication system including an artificial-intelligence-based component that can automate functions associated with packet filtering.
Fig. 9 is a conceptual block diagram of the structure of a terminal.
Terms
Affine space: a vector space whose coordinate axes are not necessarily mutually orthogonal and do not necessarily share the same unit of measure.
Complexity: a mathematical measure of how the cost of an algorithm varies.
Cube: a prism each of whose faces is a rectangle.
Feature prism: an axis-aligned n-dimensional cube in an n-dimensional feature space.
Feature space: a finite n-dimensional affine space whose n coordinate axes represent the value ranges of n features.
Feature vector: a vector made up of particular feature values.
Firewall: a device that applies a security policy to communications crossing a network.
ICMP: Internet Control Message Protocol. Used to send control messages between network nodes. Variants include ICMPv6 (for IPv6).
IP: Internet Protocol. Includes IPv4 (version 4) and IPv6 (version 6).
Packet: the unit of transmission in a network.
Packet filter: a device that selects specific packets to be forwarded or discarded.
Stateful: an algorithm that stores information from previous iterations for potential use in later iterations.
Stateless: an algorithm in which each iteration is independent of all other iterations.
Upper-layer protocol: the protocol of a packet's payload.
R-tree: a commonly used spatial data structure. Variants include the R+-tree and the R*-tree.
TCP: Transmission Control Protocol. Generally used for stream-based data transfer on the Internet.
UDP: User Datagram Protocol. Generally used for datagram-based data transfer on the Internet.
Embodiments
Various embodiments are now described with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects. It will be evident, however, that these embodiments can be practised without these specific details. In other instances, well-known structures and devices are shown in block-diagram form in order to facilitate describing these embodiments.
As used in this application, the terms "component", "system" and the like refer to a computer-related entity, which may be hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer-readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes, such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet with other systems by way of the signal).
In wireless networks, firewall functionality should be deployed at the network perimeter to reduce unwanted and/or unnecessary wireless data transmission. Bandwidth on the air interface is a scarce resource, so it is desirable never to transmit, or at least to minimize the transmission of, packets that the receiver would discard.
A firewall serving a wireless network may need to protect many mobile stations simultaneously. These mobile stations are often "always on" and may offer IP services to clients at any time. Each mobile station may offer many services identified by different protocols and port numbers. Furthermore, a mobile station may wish to restrict access to a service to a designated group of network sources.
Typical packet-filtering techniques may not scale when applied to the situation described above. This can be changed by at least two basic approaches. One is brute force: deploy many firewall hosts, each serving a part of the population of mobile stations. The other is to improve the scalability of the packet-filtering technique itself; such a technique should exhibit better complexity than current mechanisms.
Referring now to the drawings, Fig. 1 is a block diagram of a communication system 100 employing firewall technology, which may be implemented in a portable device or terminal, a portable (mobile) phone, a personal digital assistant, a personal computer (desktop or laptop), or another electronic and/or communication device. System 100 includes a packet filter 102 that filters incoming and/or outgoing data, referred to as data or network packets 104. A packet 104 can be any kind of communication (comprising a set of data) sent from one device to another. The packet filter inspects each packet (the input data), classifies it, and performs one or more actions based on the inspection and/or classification. Typical actions are forwarding, blocking and/or routing the packet in a particular manner. A stateful packet filter may also take previously seen packets into account when classifying.
By way of illustration and not limitation, packet filter 102 allows a packet 104 sent from a sender 106 on one side of packet filter 102 to be delivered to a recipient 108 on the other side. Packets 104 that sender 106 is expected and/or authorized to send to recipient 108 are forwarded or allowed through by packet filter 102. Packets 104 that are unexpected and/or unauthorized to reach recipient 108 can be blocked by packet filter 102 and are not forwarded to recipient 108. In this way, recipient 108 neither receives unwanted packets nor is even aware of packets that were not intended for it.
Packet filter 102 is generally configured by specifying a set of classification rules. Using very few filtering criteria, a very simple packet filter can be constructed that exhibits O(log N) complexity with respect to the size of the rule set. More complex and flexible packet filters, however, generally employ rule sets of an essentially linear nature, giving O(N) performance. Some packet-filtering techniques include optimizations that achieve better-than-linear performance under specific circumstances, but O(N) remains the worst-case performance.
When the number of rules is relatively small, a packet filter with O(N) performance is acceptable, especially if each rule supports multiple expressions of classification criteria. When the number of rules is very large, however, such a filter is infeasible. A packet filter that protects a large number of systems and lets each system specify a rich security policy is precisely an example of an application in which performance better than that of present packet-filtering techniques can be realized.
The embodiments disclosed herein describe a packet classification mechanism that exhibits asymptotic O(log N) complexity per packet. The mechanism can be used in applications that need a scalable way of distinguishing between different classes of packets, such as packet filtering, policy routing, and so on.
Fig. 2 is a block diagram of a system 200 for classifying packets. According to one aspect, packet classification system 200 represents each packet as a point in an n-dimensional space and each rule as a prism in that space. By using a spatial-index data structure, packets can be matched to prisms quickly. System 200 includes an identification component 202 connected to a classification component 204. Identification component 202 and classification component 204 may be separate, as shown in the example, or may form a single component, included as a stand-alone part of a packet filter or combined with a communication device.
Identification component 202 receives a packet 206 sent by a sender 208 and destined for a recipient 210, together with its associated features. Sender 208 and/or recipient 210 can be users and/or entities (for example, the Internet, another system, a computer, ...). Packet 206 has a predetermined set of n features of interest, and identification component 202 can use these to define each feature; each feature can be represented by a number that falls within a predefined range of values. Features can be represented as floating-point numbers, but in practice most features are represented as integers. Different features need not be orthogonal.
Identification component 202 is connected to classification component 204 and passes the defined features to it. The classification component classifies the defined features according to predefined classification rules. Classifying the features includes determining whether packet 206 is intended and/or authorized to be sent to recipient 210 and, if not, blocking packet 206 before it reaches recipient 210. For example, classification component 204 may employ packet-matching techniques and/or spatial access methods (SAMs) such as the R-tree, R+-tree and/or R*-tree. These techniques are discussed in connection with the various aspects disclosed herein. It should be appreciated that although the R-tree and its variants are discussed, the systems and/or methods disclosed herein are not limited to them and are equally applicable to any spatial indexing method.
Referring now to Fig. 3, a system 300 for classifying packets is shown. System 300 includes an identification component 302 connected to a classification component 304 and a prediction component 306. Identification component 302 receives a data packet 308 to be forwarded to a recipient 310 and defines it according to the features associated with data packet 308. Using the defined features, system 300 determines whether packet 308 is intended for recipient 310 and/or whether packet 308 is one that recipient 310 does not wish to receive. If packet 308 is not intended for recipient 310 and/or is not one that recipient 310 wishes to receive, system 300 can block or prevent packet 308 from reaching recipient 310.
Packet 308 can have a set of n features of interest, which may be expressed as included features 312, generated features 314 and/or stateful features 316. For example, the source and destination addresses of an IP packet 308 can be used directly as included features 312, because under IPv4 or IPv6 they are represented by an integer in the predefined range 0 to 2^32 - 1 or 0 to 2^128 - 1 respectively. The upper-layer protocol number is another typical example of an included feature 312; it is an integer in the range 0 to 255. In general, information in packet 308 can be used directly as a feature 312 or used algorithmically to construct features 312 and 314; in both cases the information generates features 312 and 314. Information that may or may not be present in packet 308 can also be used to generate features 312 and 314. A typical example of such information is optional data (such as IPv4 header options and/or IPv6 optional headers).
Information in packet 308 can also be used to generate features 314, such as fields from the upper-layer protocol header in the payload. Typical examples of such information are TCP or UDP port numbers and the ICMP type and code. When such optional information is absent, the generated feature 314 takes a distinguished "undefined" value (which is an element of the feature's value range). In other words, feature 314 is still defined even when the information is absent.
Prediction component 306 can be used to obtain information from previous packets and use that information to generate stateful features 316. In other words, feature generation can be stateful. Prediction component 306 can store, record, look up, etc. packet information and its associated features 312-316. From these data, prediction component 306 can infer a stateful feature 316 for the current packet 308 based on predicted stateful features 316. In this way, even if a particular feature is neither a defined feature 312 nor a generated feature 314, it can still be defined and classified, and the packet filter can allow it to reach recipient 310 or deny it.
Each packet 308 can be represented as a fixed-length feature vector v made up of n feature values μ. Each vector v describes a point in an n-dimensional affine feature space F. Thus an n-dimensional feature vector maps to a point in the n-dimensional feature space.
An axis-aligned n-dimensional cube ψ in feature space F can be defined by specifying a contiguous sub-range of values for each feature:
\psi = ([\mu^{1}_{\mathrm{low}}, \mu^{1}_{\mathrm{high}}], \ldots, [\mu^{n}_{\mathrm{low}}, \mu^{n}_{\mathrm{high}}])
These cubes are called "feature prisms". Each feature prism represents a set of geometrically coherent classification criteria. A prism P contains a vector v if:
\forall \mu_i \in v \text{ and } [\mu^{i}_{\mathrm{low}}, \mu^{i}_{\mathrm{high}}] \in \psi :
\mu^{i}_{\mathrm{low}} \le \mu_i \le \mu^{i}_{\mathrm{high}}
Fig. 4 shows a system 400 that applies matching techniques to deny and/or allow data access. System 400 includes a comparison component 402 that receives packets 404 from a data generator 406. Comparison component 402 is connected to a packet filter 408. Although matching component 402 and packet filter 408 are shown as separate components in the figure, it should be appreciated that they may comprise the same component.
When a set of feature prisms P is defined and a prism p is any element of P, the packet classification technique can be applied. Comparison component 402 determines whether the vector v of a packet 404 matches the set of feature prisms P. Feature vector v matches feature prism set P if there exists a prism p that contains v. If comparison component 402 finds a match, the associated packet 404 can pass through packet filter 408 and reach destination 410. In this case, feature prism set P represents a positive rule set 412. If comparison component 402 determines that feature prism set P is a negative rule set 414, there is no match. A mismatch causes packet filter 408 to block packet 404 so that it cannot reach destination 410.
More sophisticated classification can be achieved by matching vector v against a sequence, or even a decision tree, of different feature prism sets P. Packet classification criteria are thus described as cubes in an n-dimensional feature space, and a feature vector matches a criterion by geometric enclosure.
Efficiently determining whether an n-dimensional point lies within one or more regions is a well-studied problem with a large body of literature. Such techniques are generally known as spatial access methods (SAMs). For example, a particularly successful class of SAMs is the R-tree and its many variants, such as the R+-tree and R*-tree. It should be appreciated that although the R-tree and its variants are discussed, the systems and/or methods disclosed herein are not limited to them and are equally applicable to any spatial indexing method.
The R-tree is an extension of the well-known B+-tree data structure in which the keys are multidimensional rectangles. Inner nodes hold the minimum bounding rectangle (MBR) of each child. The standard R-tree and the R*-tree allow MBRs to overlap, reducing the size of the tree at the cost of potentially more expensive queries (since many branches of the tree may need to be traversed). The R+-tree, on the other hand, guarantees that MBRs are disjoint, which may increase the size of the tree (since a key may need to be stored in more than one leaf node). The R*-tree is generally regarded as the best-performing member of the R-tree family. R-trees are dynamic data structures that allow data to be inserted and/or deleted at any time.
A classifier rule set ψ can be represented by an R-tree whose leaf MBRs are isomorphic to the elements of ψ. Efficient packet matching is then a point query on the tree: recursively search for the nodes whose MBRs contain the desired point until any matching prism is found at a leaf. For classification purposes, the query traversal can stop as soon as the first containing prism is detected.
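The feature extraction and prism matching described above, worked through end to end as an added example (this is not code from the patent or from Qualcomm). It assumes a five-axis feature space of its own choosing: source address, destination address and protocol number as included features, a generated destination-port feature that takes a distinguished UNDEFINED value when the packet carries no port (the ICMP case), and a stateful "source seen before" feature kept in a small table. The rule set is treated as a positive rule set: a packet passes only if some prism contains its vector. The packets and rules are constructed sample data, and the minimal IPv4 parser handles only what the example needs.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Value ranges (assumptions mirroring the ranges in the description): IPv4
# addresses in [0, 2^32 - 1], protocol number in [0, 255], ports in [0, 65535].
# UNDEFINED is the distinguished extra element of the port range used when a
# packet has no port (e.g. ICMP), so the generated feature is still defined.
ADDR_MAX = 2**32 - 1
UNDEFINED = 65536

# Feature order of v = (src, dst, proto, dst_port, seen_src):
# src/dst/proto are included features, dst_port a generated feature,
# seen_src a stateful feature derived from earlier packets.
Vector = Tuple[int, int, int, int, int]
Prism = Tuple[Tuple[int, int], ...]          # one [low, high] interval per axis


def parse_ipv4(raw: bytes) -> Tuple[int, int, int, bytes]:
    """Return (src, dst, protocol, payload) from a minimal IPv4 header."""
    ihl = (raw[0] & 0x0F) * 4                # header length in bytes
    proto = raw[9]
    src, dst = struct.unpack("!II", raw[12:20])
    return src, dst, proto, raw[ihl:]


def feature_vector(raw: bytes, state: Dict[int, int]) -> Vector:
    """Map a packet to a point in the 5-dimensional feature space."""
    src, dst, proto, payload = parse_ipv4(raw)
    # Generated feature: a destination port exists only for TCP (6) / UDP (17).
    if proto in (6, 17) and len(payload) >= 4:
        dst_port = struct.unpack("!H", payload[2:4])[0]
    else:
        dst_port = UNDEFINED
    # Stateful feature: 1 if this source appeared in an earlier packet, else 0.
    seen = 1 if src in state else 0
    state[src] = state.get(src, 0) + 1
    return (src, dst, proto, dst_port, seen)


def contains(prism: Prism, v: Vector) -> bool:
    """P contains v iff mu_low^i <= mu_i <= mu_high^i on every axis i."""
    return all(lo <= x <= hi for (lo, hi), x in zip(prism, v))


def classify(v: Vector, positive: List[Prism]) -> str:
    """Positive rule set: a match passes the packet, no match blocks it."""
    return "pass" if any(contains(p, v) for p in positive) else "block"


# --- constructed sample data (not from the patent) ---------------------------
def ip(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def make_packet(src: str, dst: str, proto: int, dst_port: Optional[int] = None) -> bytes:
    """Build a minimal IPv4 packet with a TCP/UDP or ICMP stub payload."""
    hdr = bytearray(20)
    hdr[0] = 0x45                            # version 4, IHL 5 (20 bytes)
    hdr[9] = proto
    hdr[12:16] = struct.pack("!I", ip(src))
    hdr[16:20] = struct.pack("!I", ip(dst))
    if dst_port is None:
        payload = bytes([8, 0, 0, 0, 0, 0, 0, 0])          # ICMP echo stub
    else:
        payload = struct.pack("!HH", 40000, dst_port) + b"\x00" * 4
    return bytes(hdr) + payload


SERVER = ip("10.0.0.5")
RULES: List[Prism] = [
    # anyone -> server, TCP 443
    ((0, ADDR_MAX), (SERVER, SERVER), (6, 6), (443, 443), (0, 1)),
    # 10.0.0.0/8 -> server, ICMP (no port, so the port axis must be UNDEFINED)
    ((ip("10.0.0.0"), ip("10.255.255.255")), (SERVER, SERVER), (1, 1),
     (UNDEFINED, UNDEFINED), (0, 1)),
    # UDP 53 to the server only from sources already seen (stateful axis = 1)
    ((0, ADDR_MAX), (SERVER, SERVER), (17, 17), (53, 53), (1, 1)),
]


def run_demo() -> List[str]:
    """Classify a constructed packet sequence; returns the decisions in order."""
    state: Dict[int, int] = {}
    packets = [
        make_packet("198.51.100.7", "10.0.0.5", 6, 443),   # pass
        make_packet("198.51.100.7", "10.0.0.5", 6, 22),    # block (port)
        make_packet("10.1.2.3", "10.0.0.5", 1),            # pass (ICMP)
        make_packet("198.51.100.7", "10.0.0.5", 1),        # block (source)
        make_packet("203.0.113.9", "10.0.0.5", 17, 53),    # block (not seen yet)
        make_packet("203.0.113.9", "10.0.0.5", 17, 53),    # pass (seen now)
    ]
    return [classify(feature_vector(p, state), RULES) for p in packets]


if __name__ == "__main__":
    print(run_demo())
</test>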
Fig. 5 is a flow chart of a method for classifying and matching packets. For simplicity of explanation, the following methods are shown and described as a series of acts, but it is to be understood and appreciated that the methods are not limited by the order of the acts, as some acts may, in accordance with these methods, occur in different orders and/or concurrently with other acts shown and described herein. For example, those skilled in the art will understand and appreciate that a method could alternatively be represented as a series of interrelated states or events, as in a state diagram. Moreover, not all illustrated acts may be required to implement the following methods.
The method begins at 502, where a packet destined for a recipient protected by a firewall is received at the firewall. The firewall technology employed can be a packet filter, which passes or blocks packets but does not otherwise touch the communication stream. At 504, the received packet is analyzed to determine the intended recipient, and the features associated with the packet are also analyzed. For example, many features (n features) may be associated with the packet. These features can be included features, generated features and/or stateful features. For example, included features can be the packet's source and destination addresses. Generated features are features constructed algorithmically from information that may or may not be present in the packet, such as optional data (e.g., IPv4 header options, IPv6 optional headers). Feature generation can be stateful, drawing on historical information from previously received packets.
At 506, the analyzed features are used to classify the packet. The features are represented by a number (e.g., a floating-point number, an integer, ...) that falls within a predetermined range of values. Note that the features need not be orthogonal. The features are classified according to predetermined classification rules. The classification rules can employ packet-matching techniques and/or spatial access methods (SAMs) such as the R-tree, R+-tree and/or R*-tree. It should be appreciated that although the R-tree and its variants are discussed, the systems and methods disclosed herein are not limited to them and are similarly applicable to any spatial indexing method.
At 508, the classified packet is either blocked so that it cannot be delivered to the target recipient, or delivered to the recipient. If the designated recipient is not the intended recipient and/or the packet is not one the recipient wishes to receive, the packet is blocked. For example, a recipient may not wish to receive communications from a particular source, on a particular subject, or matching other defined criteria. Classified packets that meet the defined criteria are not delivered to the recipient, and the recipient is not even aware that they exist. Classified packets that do not meet the defined criteria can pass and be delivered to the recipient.
Referring now to Fig. 6, it shows a flow diagram of a method of matching packets in order to deny and/or permit data access. The method begins at 602, where a spatial index is constructed. For example, a packet may be described as a feature vector v of fixed length. The feature vector may be an n-dimensional feature vector, and the feature space may likewise be an n-dimensional feature space. The feature vector may comprise a feature represented by a number within a predefined range of values, and may be generated from at least one feature of the packet.
The method proceeds to 604, where a prism P is inserted into the spatial index. The prism is an axis-aligned n-dimensional box in the feature space, defined by specifying a contiguous sub-range of values for each coordinate axis. Each feature prism represents a set of geometrically coherent classification criteria. At 606, the packet is matched against the prism. For example, if there exists a prism p that contains the vector v, then the packet's feature vector v matches the feature prism P:
$\forall\, \mu_i \in v,\ [\mu_i^{\mathrm{low}}, \mu_i^{\mathrm{high}}] \in P:$
$\mu_i^{\mathrm{low}} \le \mu_i \le \mu_i^{\mathrm{high}}$
If there is a match, the feature prism P represents a positive rule set. Under the match condition, data access is permitted and the packet reaches its intended destination. If there is no match, the feature prism P represents a negative rule set and data access is intercepted. Matching may alternatively or additionally be performed using point queries σ, i.e., by taking random points from inside each prism. The σ point query may also be performed using randomly generated "typical" vectors. After the σ point query completes, it is determined whether the point query successfully matched a prism.
Fig. 7 shows a flow chart of a method of classifying packets. The method begins at 702, where a packet filter receives a packet; the recipient to which the packet is to be sent is, for example, protected from receiving unexpected and/or unauthorized packets. The packet may be received from a user and/or an entity (e.g., the Internet, another system, a computer, ...). At 704, once the packet has been received, it is described as a feature vector, i.e., a vector formed from particular feature values. Each packet may be represented by a feature vector v of fixed length comprising n feature values μ. Each feature vector v describes a point in an n-dimensional affine feature space F.
The method proceeds to 706, where the feature vector v is mapped to a point in the n-dimensional feature space. At 710, a feature prism P is defined by specifying a contiguous sub-range of values for each coordinate axis; the prism P is an axis-aligned n-dimensional box in the feature space F. At 712, the set of feature prisms that forms the rule set of the packet classifier is bisected according to the feature prism P. At 714, it is determined whether the feature vector v matches the feature prism P. If there exists a prism p that contains the vector v, then the packet's feature vector v matches the feature prism P. If the result is "yes", there is a match, and at 716 the packet is marked as belonging to the positive rule set and is allowed through the packet filter. If the result is "no", there is no match, and at 718 the packet is marked as belonging to the negative rule set and is intercepted by the filter.
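The following Python is an added worked example of the method of Figs. 5 to 7 and is not code from the patent or from Qualcomm. It reduces a packet to a fixed-length feature vector of included, generated and stateful features, inserts axis-aligned prisms into a minimal spatial index, answers a point query to decide pass or block, and runs the σ check of drawing random points inside each prism. The feature names, the 0/1 encoding of "IPv4 options present", the "recent packets from the same source" stateful feature and the sample packets are all assumptions constructed for illustration; the index is one bounding box over a list, standing in for the R-tree variants the text names.

```python
"""Feature-prism packet classifier (added example, not the patent's code).
All packets below are constructed dicts, not captured traffic; feature names
and the stateful 'recent_from_src' feature are assumptions for illustration."""
from collections import deque
import ipaddress
import random

# Axis order of the feature vector v = (mu_0, ..., mu_{n-1}); n = 4 here.
AXES = ("src_addr", "dst_port", "ip_options", "recent_from_src")
OPTIONS_ABSENT, OPTIONS_PRESENT = 0, 1   # generated feature: "absent" is still in range [0, 1]


class FeatureExtractor:
    """Turns a packet into a fixed-length feature vector v.
    included: source address, destination port; generated: IPv4 options present;
    stateful: packets already seen from the same source among the last `window`."""

    def __init__(self, window=8):
        self.history = deque(maxlen=window)

    def vector(self, pkt):
        src = int(ipaddress.IPv4Address(pkt["src"]))
        recent = sum(1 for s in self.history if s == src)   # history before this packet
        self.history.append(src)
        options = OPTIONS_PRESENT if pkt.get("ip_options") else OPTIONS_ABSENT
        return (src, pkt["dport"], options, recent)


class Prism:
    """Axis-aligned n-dimensional box: one closed interval [low, high] per axis."""

    def __init__(self, name, **ranges):
        self.name = name
        self.bounds = tuple(ranges[a] for a in AXES)

    def contains(self, v):
        # v matches P iff for every mu_i in v: low_i <= mu_i <= high_i
        return all(lo <= mu <= hi for mu, (lo, hi) in zip(v, self.bounds))

    def random_point(self, rng):
        # support for the sigma point query: a random point inside the prism
        return tuple(rng.randint(lo, hi) for lo, hi in self.bounds)


class PrismIndex:
    """Minimal spatial index: one enclosing bounding box (MBR) over a prism list.
    An R-tree would nest such boxes; here the single MBR only prunes vectors
    that lie outside every prism, and a linear scan does the rest."""

    def __init__(self):
        self.prisms, self.mbr = [], None

    def insert(self, prism):
        self.prisms.append(prism)
        self.mbr = list(prism.bounds) if self.mbr is None else [
            (min(lo, plo), max(hi, phi))
            for (lo, hi), (plo, phi) in zip(self.mbr, prism.bounds)]

    def point_query(self, v):
        """Names of all prisms containing v; an empty list means no match."""
        if self.mbr is None or not all(lo <= mu <= hi for mu, (lo, hi) in zip(v, self.mbr)):
            return []
        return [p.name for p in self.prisms if p.contains(v)]


def ip_range(cidr):
    net = ipaddress.IPv4Network(cidr)
    return (int(net.network_address), int(net.broadcast_address))


def build_rule_set():
    """Positive rule set: a vector inside any prism passes, everything else is blocked."""
    idx = PrismIndex()
    idx.insert(Prism("lan-to-web", src_addr=ip_range("10.0.0.0/8"), dst_port=(443, 443),
                     ip_options=(0, 1), recent_from_src=(0, 8)))
    # partner hosts may reach SSH only without IP options and at a low recent rate
    idx.insert(Prism("partner-ssh", src_addr=ip_range("192.0.2.0/24"), dst_port=(22, 22),
                     ip_options=(0, 0), recent_from_src=(0, 2)))
    return idx


def classify(packets, index=None, extractor=None):
    """Steps 702-718: vector each packet, point-query the index, pass or block."""
    index = build_rule_set() if index is None else index
    extractor = FeatureExtractor() if extractor is None else extractor
    decisions = []
    for pkt in packets:
        matches = index.point_query(extractor.vector(pkt))
        decisions.append(("PASS" if matches else "BLOCK", matches))
    return decisions


def sigma_check(index, samples=50, seed=1):
    """sigma point query: random points drawn inside each prism must hit that prism."""
    rng = random.Random(seed)
    return all(p.name in index.point_query(p.random_point(rng))
               for p in index.prisms for _ in range(samples))


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"src": "10.1.2.3", "dport": 443, "ip_options": b""},
    {"src": "192.0.2.10", "dport": 22, "ip_options": b""},
    {"src": "192.0.2.10", "dport": 22, "ip_options": b"\x01\x01"},  # options present -> blocked
    {"src": "192.0.2.10", "dport": 22, "ip_options": b""},          # recent_from_src = 2 -> passes
    {"src": "192.0.2.10", "dport": 22, "ip_options": b""},          # recent_from_src = 3 -> blocked
    {"src": "203.0.113.5", "dport": 443, "ip_options": b""},        # outside the MBR -> blocked
]

if __name__ == "__main__":
    for pkt, (verdict, hits) in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS)):
        print(verdict, pkt["src"], pkt["dport"], hits)
```

The stateful axis is what distinguishes this from a static access list: the same source, port and options yield a different vector depending on the packet history, so the fourth and fifth sample packets are identical on the wire yet fall on opposite sides of the prism boundary.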
Fig. 8 shows a communication system 800 that employs artificial intelligence (AI) to facilitate automating one or more related features of a packet filter 802. The packet filter 802 receives, from a data generator 806, packets 804 to be sent to a destination 808, which is protected by the packet filter 802. The packet filter 802 may work in cooperation with an artificial intelligence component 810 so that as few unauthorized and/or unexpected packets 804 as possible reach the protected destination 808.
A communication system (e.g., with respect to classifying and filtering packets) may employ various AI-based schemes to implement different aspects thereof. For example, an automatic classification system and process may be employed so that the process determines whether a given packet is authorized and/or is to be sent to a specific recipient. Furthermore, when multiple communication systems with the same or similar resources are employed, a classifier may be used to determine which packet filter to use in a particular situation.
A classifier is a function that maps an input attribute vector x = (x1, x2, x3, x4, ..., xn) to a confidence that the input belongs to a class, i.e., f(x) = confidence(class). Such classification may employ probabilistic and/or statistical analysis (e.g., factoring in analysis utilities and costs) to predict or infer an action the user desires to be performed automatically. For example, in the case of a communication system, attributes may be features, attributes derived from features (e.g., included, generated, stateful), words, phrases or other specific data, and the classes are relevant types or regions (e.g., classification grades and/or matches).
A support vector machine (SVM) is one example of a classifier that may be employed. An SVM operates by finding a hypersurface in the space of possible inputs that attempts to split the triggering criteria from the non-triggering events. Intuitively, this makes the classification correct for test data that is near, but not identical to, the training data. Other directed and undirected model classification approaches include, e.g., naive Bayes, Bayesian networks, decision trees, neural networks, fuzzy logic models and probabilistic classification models, and these may be employed in different independent ways. Classification as used herein also includes statistical regression utilized to develop models of priority.
It will be readily apparent from this specification that the classifier employed by the system may be explicitly trained (e.g., via generic training data) as well as implicitly trained (e.g., by observing user behavior or receiving extrinsic information). For example, an SVM is configured via a learning or training phase within a classifier constructor and feature selection module. Thus, the classifier may be used to automatically learn and perform a number of functions, including but not limited to determining, according to predetermined criteria, when to intercept a packet and when to let a packet pass through the filter, and the like.
Referring now to Fig. 9, it shows a conceptual block diagram of one possible configuration of a terminal 900. Those skilled in the art will note that the precise configuration of the terminal 900 varies with the particular application and the overall design constraints. A processor 902 may implement the systems and methods disclosed herein.
The terminal 900 may be implemented with a front-end transceiver 904 coupled to an antenna 906. A baseband processor 908 may be coupled to the transceiver 904. The baseband processor 908 may be implemented with a software-based architecture, or with any other type of architecture. A microprocessor may be used as a platform to run software programs that provide, among other things, control and overall system management functions. A digital signal processor (DSP) may be implemented with an embedded communications software layer that runs application-specific algorithms to reduce the processing demands on the microprocessor. The DSP may be used to provide various signal processing functions such as pilot signal acquisition, time synchronization, frequency tracking, spread-spectrum processing, modulation functions and forward error correction.
The terminal 900 may also include various user interfaces 910 coupled to the baseband processor 908. The user interfaces 910 may include a keypad, mouse, touch screen, display, ringer, vibrator, audio speaker, microphone, camera and/or other input/output devices.
The baseband processor 908 includes the processor 902. In a software-based implementation of the baseband processor 908, the processor 902 may be a software program running on the microprocessor. However, as those skilled in the art will appreciate, the processor 902 is not limited to this embodiment and may be implemented by any means known in the art, including any hardware configuration, software configuration, or combination of the two capable of performing the various functions described herein. The processor 902 may be coupled to a memory 912 for storing data.
It will be appreciated that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof. When the systems and/or methods are implemented in software, firmware, middleware, microcode, program code or code segments, they may be stored in a machine-readable medium, such as a storage component. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures or program statements. A code segment may be coupled to another code segment or to a hardware circuit by passing and/or receiving information, data, arguments, parameters or memory contents. Information, arguments, parameters, data and the like may be passed, forwarded or transmitted by any suitable means, including memory sharing, message passing, token passing, network transmission and so on.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for the purpose of describing these embodiments, but one of ordinary skill in the art will recognize that many further combinations and permutations of these embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the description or the claims, the term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim.

Claims (33)

1. A method for classifying a packet, comprising:
describing the packet as a feature vector; and
mapping the feature vector to a feature space.
2. The method of claim 1, further comprising:
defining a feature prism;
classifying the packet with respect to the feature prism; and
determining whether the feature vector matches the feature prism.
3. The method of claim 2, further comprising:
allowing the packet to pass through a packet filter if the feature vector matches the feature prism.
4. The method of claim 2, further comprising:
intercepting the packet with a packet filter if the feature vector does not match the feature prism.
5. The method of claim 2, wherein the feature vector v of the packet matches the feature prism P if there exists a prism p that contains the vector v.
6. The method of claim 1, wherein the feature vector is an n-dimensional feature vector.
7. The method of claim 1, wherein the feature space is an n-dimensional feature space.
8. The method of claim 1, wherein the feature vector comprises a feature represented by a number.
9. The method of claim 8, wherein the feature is represented by a number in a predefined range of values.
10. The method of claim 8, wherein the number is a generated number based on at least one feature of the packet.
11. The method of claim 1, wherein describing the packet as a feature vector is based on packet classification criteria.
12. An apparatus for classifying a packet, comprising:
an identification component that defines at least one feature of the packet; and
a classification component that classifies the packet based at least in part on the at least one defined feature.
13. The apparatus of claim 12, wherein the identification component defines the at least one feature of the packet as a number within a predefined range of values.
14. The apparatus of claim 12, further comprising:
a prediction component that generates a stateful feature based at least in part on information from previous packets.
15. The apparatus of claim 12, further comprising:
a comparison component that applies a matching technique to facilitate classifying data access for the packet.
16. The apparatus of claim 12, wherein the at least one feature is an included feature present in the packet.
17. The apparatus of claim 12, wherein the at least one feature is a generated feature represented by an undefined value.
18. The apparatus of claim 17, wherein the undefined value is an element of the range of values of the feature.
19. The apparatus of claim 12, wherein the at least one feature is a stateful feature.
20. The apparatus of claim 12, wherein the apparatus is a mobile phone.
21. The apparatus of claim 12, wherein the apparatus is a personal digital assistant.
22. The apparatus of claim 12, wherein the apparatus is a personal computer.
23. A system for classifying data, comprising:
an identification module that identifies a data packet as a feature vector; and
a correspondence module that maps the feature vector to a feature space.
24. The system of claim 23, further comprising:
a definition module that defines a feature prism;
a classification module that classifies the data packet with respect to the feature prism; and
a matching module that matches the feature vector against the feature prism.
25. The system of claim 24, further comprising:
a pass module that allows the data packet to be transmitted to a recipient if the feature vector matches the feature prism.
26. The system of claim 24, further comprising:
a blocking module that intercepts the data packet if the feature vector does not match the feature prism, so that it is not passed to the recipient.
27. The system of claim 23, wherein the feature vector comprises a feature that can be represented by a number.
28. The system of claim 27, wherein the feature can be represented by a number in a predefined range of values.
29. The system of claim 27, wherein the number is a generated number based on at least one feature of the packet.
30. The system of claim 23, wherein the feature vector is an n-dimensional feature vector.
31. The system of claim 23, wherein the feature space is an n-dimensional feature space.
32. A portable communication device comprising the system of claim 23.
33. A processor that executes instructions for matching a packet, the instructions comprising:
constructing a spatial index;
inserting a prism into the spatial index; and
matching the packet against the prism by performing a point query on the spatial index.
CN 200580028082 2004-06-23 2005-06-21 Efficient classification of network packets Pending CN101006702A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US58244204P 2004-06-23 2004-06-23
US60/582,442 2004-06-23
US60/588,549 2004-07-15
US60/588,674 2004-07-15

Publications (1)

Publication Number Publication Date
CN101006702A true CN101006702A (en) 2007-07-25

Family

ID=38704649

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200580028082 Pending CN101006702A (en) 2004-06-23 2005-06-21 Efficient classification of network packets

Country Status (1)

Country Link
CN (1) CN101006702A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707559B (en) * 2009-10-30 2012-12-05 北京邮电大学 System and method for diagnosing and quantitatively ensuring end-to-end quality of service
WO2013010367A1 (en) * 2011-07-21 2013-01-24 中国科学院计算机网络信息中心 Method and apparatus for evaluating website content quality

Similar Documents

Publication Publication Date Title
JP5362669B2 (en) Efficient classification of network packets
Bostani et al. Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach
Kearns et al. Learning in the presence of malicious errors
Liu et al. Packet classification using binary content addressable memory
Singh et al. Bloom filter based optimization scheme for massive data handling in IoT environment
CN1881950B (en) Packet classification acceleration using spectral analysis
CN101213811B (en) Multi-pattern packet content inspection mechanisms employing tagged values
US9031959B2 (en) Method and apparatus for identifying application protocol
CN101827084A (en) The application identification efficiently of the network equipment
Demidov et al. Threat analysis of cyber security in wireless adhoc networks using hybrid neural network model
CN109639694A (en) A kind of data packet matched algorithm of firewall of rule-based tree retrieval
CN100385880C (en) Packet classification apparatus and method using field level tries
Seyfollahi et al. A review of intrusion detection systems in RPL routing protocol based on machine learning for internet of things applications
US20160226890A1 (en) Method and apparatus for performing intrusion detection with reduced computing resources
Sathiamoorthy et al. A competent three-tier fuzzy cluster algorithm for enhanced data transmission in cluster EAACK MANETs
CN101006702A (en) Efficient classification of network packets
Zhai et al. Detection of TCP covert channel based on Markov model
Chen et al. Optimal probabilistic encryption for distributed detection in wireless sensor networks based on immune differential evolution algorithm
Hamood et al. Keywords Sensitivity Recognition of Military Applications in Secure CRNs Environments
Mohanabharathi et al. Feature selection for wireless intrusion detection system using filter and wrapper model
Venkatesan et al. Tiger hash based AdaBoost machine learning classifier for secured multicasting in mobile healthcare system
Nguyen-Minh et al. Machine Learning‐Based Jamming Detection for Safety Applications in Vehicular Networks: Individual Detection?
Yap A Network Intrusion Detection System Using Decision Tree Machine Learning on An ISTN Architecture
US20230412618A1 (en) Stack-hac for machine learning based botnet detection
Huang Anomaly Detection for Wireless Ad-Hoc Routing Protocols

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1104885

Country of ref document: HK

REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1104885

Country of ref document: HK

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20070725