CN101645806B - Network flow classifying system and network flow classifying method combining DPI and DFI - Google Patents
Network flow classifying system and network flow classifying method combining DPI and DFI Download PDFInfo
- Publication number
- CN101645806B CN101645806B CN2009100346437A CN200910034643A CN101645806B CN 101645806 B CN101645806 B CN 101645806B CN 2009100346437 A CN2009100346437 A CN 2009100346437A CN 200910034643 A CN200910034643 A CN 200910034643A CN 101645806 B CN101645806 B CN 101645806B
- Authority
- CN
- China
- Prior art keywords
- module
- flow
- data flow
- dpi
- dfi
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The invention discloses a network flow classifying system and a network flow classifying method combining a DPI and a DFI. The network flow classifying system is formed by combining a DPI service recognizing system module and a DFI flow recognizing system module, wherein the DPI module comprises a flow meter detecting module and a flow recognizing module; and the DFI module comprises a sample acquiring module, a classifier training module and a classifier classifying and predicting module. The sample acquiring module divides data stream capable of being accurately recognized by the flow recognizing module in the DPI into several classes and adopts the data stream as a sample to train the classifier training module so as to acquire a classifying model which can distinguish the class of the network flow; then the flow which can not be recognized by the flow recognizing module of the DPI passes through the classifier classifying and predicting module of the DFI so as to achieve the aim for distinguishing the class of the flow which can not be recognized by the DPI. The invention is more comprehensive than a method for singly using the DPI or the DFI and can accurately recognize a service which is not encrypted in an application layer and distinguish the class of the service which is encrypted in the application layer.
Description
Technical field
The present invention relates to net flow assorted system and sorting technique that DPI and DFI combine, belong to the network data transmission field.
Background technology
Along with network application emerges in an endless stream, emerging services such as P2P, online game, IPTV, WEBTV, taken the most of bandwidth in the Internet, with BT and Edonkey is that the P2P of representative uses and to have occupied more than 2/3 of whole internet traffic, the development of infrastructure network of operator has been absorbed in the improper situation of " congested-dilatation-congested again ", the corresponding reduction of profitability.Can't realize that traffic identification has increased operating cost of operator, reduce client's satisfaction.So how depth perception network application provides Network control and management means, the harmonious network that structure can be runed, can manage effectively limits correct guidance to P2P, change unfavorable using by oneself, become the heat subject that telecom operators need research at present badly.
Based on above reason, must identify different network traffic datas by technological means, thereby can control and manage it.
The method of recognition network data streaming service mainly contains following several at present:
(1) based on the network data flow traffic identification technology of port: this recognition technology is that the different port by registration among the various IANA of being applied in (Internet Assigned Numbers Authority) number is discerned.For example detecting port numbers is 80 o'clock, thinks that then on behalf of common online, this application use.And some the illegal application on the current network can adopt mode hiding or the personation port numbers to hide detection and supervision, cause the data flow of counterfeit legal message corroding network.Change such as the novel employed port of P2P agreement, so the accuracy rate of port numbers identification is more and more lower, this method more and more has been not suitable for the identification to the existing network data streaming service.
(2) DPI (Deep Packet Inspection) deep-packet detection network data flow traffic identification technology: when meeting some novel agreement of using dynamic port, adopting will be powerless based on the recognition technology of port.The DPI technology has also increased application layer analysis except the Back ground Information below 4 layers is analyzed, discern various application and content thereof.Analyze by application layer load characteristic exactly, find out the tagged word of its application layer, thereby miscellaneous service is discerned a series of packets.This method deals with very difficulty when running into the application layer data encryption.
(3) DFI (Deep Flow Inspection) deep stream detects network data flow traffic identification technology: when the DPI recognition technology runs into the application layer data encryption, just be difficult to come it is discerned by the feature of analytical applications layer data.The DFI technology is to come technology that business is discerned according to the feature of stream, and the state that promptly different application types is embodied on session connection or the data flow is had nothing in common with each other.The characteristics of DFI are that the feature of entire stream is analyzed, and for example the average packet of each stream is long, the time interval that each bag arrives etc.Need not detect using layer data, thereby whether application layer data is encrypted this recognition technology as broad as long.The feature that belongs to the data flow of same kind business generally all is very approaching, and for example the traffic characteristic of these two kinds of IM softwares of QQ and MSN may be just very approaching, and therefore the shortcoming of this method is to distinguish the several big class of network traffics.IM for example, P2P, WEB etc.
Summary of the invention
Goal of the invention:
The technical problem to be solved in the present invention is, low at accuracy rate based on port identification technology, DPI and DFI technology exist the identification of the business of using layer of data encryption very difficult respectively, and can only carry out the defective that big class is distinguished to network traffics, net flow assorted system and sorting technique that DPI and DFI are combined have been proposed.
Technical scheme:
The technical solution adopted for the present invention to solve the technical problems is: earlier network traffics are carried out the differentiation of big class, construct DPI network data flow business identifying system then, the business that application layer does not have to encrypt is carried out the application layer feature extraction, the feature of extracting is put into feature database, the data flow of the agreement that can discern with DPI is as the sample of DFI service identification module then, DFI is trained, after training is finished the DFI module is added in DPI business identifying system back, allow DPI pass through the identification of DFI module again by recognition data stream, thereby can't carry out the differentiation of big class by recognition data stream DPI.Concrete technical scheme is as follows:
The net flow assorted system that DPI of the present invention and DFI combine comprises two module be combined intos of DPI business identifying system and DFI flux recognition system;
In the described DPI business identifying system, comprising:
A. stream table detection module judges that whether current data flow is the data flow of type;
B. data flow feature library, the feature of memorying data flow;
C. flow identification module is according to the different business of the representative of the feature identification network traffics in the data flow feature library;
D. protocol process module is used for the processing to concrete business, and to the processing of the big class of network;
In the described DFI flux recognition system, comprising:
E. sample acquisition module, the stream feature extraction that is used for business that DPI can accurately be discerned is come out, and is divided into different classifications, as the training sample of grader training module;
F. grader training module, the sample training that the sample acquisition module is provided obtains a training pattern;
G. grader classification prediction module is classified to other data according to the model that the grader training module obtains;
It is a kind of based on net flow assorted method of the present invention that the present invention also provides, and may further comprise the steps:
(a) data flow is earlier through the stream table detection module in the DPI business identifying system, stream table detection module detects current data stream whether in the state table that stream table detection module is safeguarded, when this data flow in state table, then stream table detection module is sent to protocol process module directly with after the current data flow label; In this data flow was not at state table, the detection module of then failing to be sold at auction was sent to the flow identification module with this data flow, enters (b) step;
(b) the flow identification module checks whether this data flow contains any feature in the data flow feature library in the DPI business identifying system; In data flow feature library, recognize the traffic characteristic that coupling is arranged with this data flow when the flow identification module, then this data flow of the current message correspondence of mark is specific data flow, upgrade the state table of safeguarding in the stream table detection module, simultaneously the current data flow label is sent to protocol process module later on; When the flow identification module does not recognize the traffic characteristic that mates with this data flow in data flow feature library, then this data flow is sent to the DFI flux recognition system, enter (c) step;
(c) the flow identification module can recognition data stream be sent to the sample acquisition module in the DFI flux recognition system, after the sample file of online this data flow of acquisition of sample acquisition module, this sample file is sent to the grader training module carries out off-line training, obtain disaggregated model, the grader training module is sent to grader classification prediction module with this disaggregated model; Grader classification prediction module can't be classified by recognition data stream to flow identification module in (b) step according to the disaggregated model that training obtains;
(d) grader classification prediction module will divide the data flow of class to carry out respective markers to be sent to protocol process module, protocol process module according in the above step to the not isolabeling of data flow, carry out concrete professional or respectively at the processing of the big class of difference.
In DPI business identifying system of the present invention, described data flow feature library comprises the application layer feature of the partial service in each big class of network traffics.For example: the business that belongs to this big class of instant message has QQ and the HI of Baidu etc., and the application layer of QQ is characterized as packet and begins with 0x02, finishes with 0x03, and it is 0x0000010031564d49 that the application layer of the HI of Baidu is characterized as the first eight byte.The business that belongs to this big class of P2P has TTlive and Sopcast etc., the net load length that the application layer of TTlive is characterized as first bag of each stream is 52 bytes, first three byte is 0xffff01, latter two byte is 0x0002, and the application layer of Sopcast is characterized as first has the tagged word of the packet of net load to be expressed as with regular expression: ^DESCRIBE.*User-Agent:WMPlayer.
Beneficial effect
The net flow assorted system and method that DPI of the present invention and DFI combine earlier carries out DPI identification to network data, and DPI can't recognition data stream advances DFI again and classifies, and had increased the accuracy that network traffics are classified.
Description of drawings
Fig. 1 is the structured flowchart of DPI identification module;
Fig. 2 is the structured flowchart of DFI identification module;
Fig. 3 is the block diagram of the net flow assorted method that combines of DPI of the present invention and DFI;
Fig. 4 is the flow chart of the net flow assorted method that combines of DPI of the present invention and DFI.
Embodiment
Below in conjunction with accompanying drawing the present invention is described in more detail.
As shown in Figure 1, in first implementation step of the net flow assorted system that DPI of the present invention and DFI combine, the network traffics recognition system is connected in the network based on ICP/IP protocol, a stream table detection module is wherein arranged, a protocol process module, a flow identification module and a data flow feature library.
Include the various business that belongs to the big class of several network traffics respectively in the data flow feature library.Be exemplified below:
What (1) belong to this big class of IM (instant messaging) has QQ and a HI of Baidu etc., and the application layer of QQ is characterized as packet and begins with 0x02, finishes with 0x03, and it is 0x0000010031564d49 that the application layer of the HI of Baidu is characterized as the first eight byte.
(2) business that belongs to this big class of P2P has TTlive and Sopcast etc., the net load length that the application layer of TTlive is characterized as first bag of each stream is 52 bytes, first three byte is 0xffff01, latter two byte is 0x0002, and the application layer of Sopcast is characterized as first has the tagged word of the packet of net load to be expressed as with regular expression: ^DESCRIBE.*User-Agent:WMPlayer.
Store the feature of above-mentioned all kinds of business in the data flow feature library.
Stream table detection module is safeguarded a state table, information comprises five-tuple (the ip address, source of data flow in the table, purpose ip address, source port, destination interface, protocol number) and the ID of affiliated protocol type, after network data flow enters at first with oneself five-tuple and the comparison of the information in the state table, whether check in this state table, if send into protocol process module after then will its ID in this state table marking with affiliated protocol type.
Information format for example safeguarding in the state table such as following table second row
| Ip address, source | Purpose ip address | Source port | Destination interface | Protocol type | Agreement ID |
| 119.147.18.47 | 10.8.7.43 | 8000 | 4000 | 0x11 | 5 |
Wherein 119.147.18.47 is ip address, source, and 10.8.7.43 is purpose ip address, the 8000th, and source port, the 4000th, destination interface, 0x11 are protocol number (udp protocols), the 5th, and the agreement ID that can oneself define, such as us the agreement ID of QQ is decided to be 5, so 5 data flow of just representing QQ.In case there is new data stream to enter stream table detection module, at first the five-tuple of oneself and the first five items (five-tuple) of the information in the table are compared, if have the five-tuple of oneself in the Discovery Status table, send into protocol process module after then this data flow being marked with agreement ID, if do not have in state table to find that the record with own five-tuple coupling then enters the flow identification module.
The flow identification module is analyzed the network data flow application layer data earlier, and the feature in its application layer feature and the data flow feature library compared, if the feature string of application layer data meets one or more feature in the data flow feature library, then the flow identification module is labeled as corresponding protocols ID with it, and this flow is updated to stream table detection module, if in data flow feature library, there is not feature with its feature string coupling, then the data traffic identification module does not carry out mark to it, but it is sent into the DFI identification module, by the DFI identification module it is further discerned.
Deposit the application layer tagged word of the business of having discerned in advance in the data flow feature library, such as preceding 20 bytes perseverance of the application layer of bitspirit is 0x13426974546f7272656e742070726f746f636f6c, and preceding 5 bytes perseverance of application layer is 0x3c00000001 during PP click-through file in download.The flow identification module exactly by with the storehouse in aspect ratio whether can discern and belong to which kind of agreement to coming judgment data stream.
As shown in Figure 2, it is the structured flowchart of the DFI part in the net flow assorted system that combines of DPI and DFI, wherein mainly contain the sample acquisition module, the grader training module, with grader classification prediction module, the sample acquisition module with the flow identification module among Fig. 1 accurately recognition data stream as sample, it is included in the big class of dividing good several network traffics before, and therefrom extract needed stream feature, such as QQ is that the flow identification module can accurately be discerned, and QQ belongs to this big class of IM (instant messaging), and each QQ network data flow can be as the sample of this big class of IM so.We also can accurately discern the HI of Baidu equally, and the HI of Baidu also belongs to this big class of IM, and each HI of Baidu network data flow also can be used as the sample of this big class of IM so.We calculate the stream feature of each sample after obtaining sample, and are long such as the average packet of this stream, the average time interval of bag etc., and this sample carried out mark with definite big class under it.Adopt use the same method us can be by TTlive and Sopcast network data flow being extracted the sample of this big class of P2P, and the sample of other several big classes concentrates in together us with all these samples and just can obtain a sample file.Its file format such as following table:
A sample is represented in each provisional capital in this document, big class under this row sample of first character representation of every row, for example we represent this big class of P2P with 1 this ID, this big class of IM (instant messaging) is represented with 2, WEB is used this big class to be represented with 3, first of this file row and the third line represent it is the sample data of P2P so, and second line display is the sample data of IM (instant messaging), and fourth line represents it is the sample data that WEB uses.The big class ID back of each row of file is the value of aspect indexing and this feature, for example we are long this first-class feature 1 index of the average packet of stream, average time interval 2 index of bag arrival, represent first row just to show that the average packet length of this sample data is 1000 so, the average time interval that bag arrives is 0.005.More than two certainly of the features of each stream, other features are no longer listed here.The effect of sample acquisition module is exactly accurately to extract its stream feature the recognition data stream from the flow identification module, and this feature is preserved with the form of sample file.
The grader training module obtains a forecast model by the training of sample that the sample acquisition module is obtained.
The flow that grader classification prediction module can't be discerned the flow identification module by forecast model is classified.
Fig. 3 is the combination of DPI identification module and DFI identification module, can be divided into online and two big classes of off-line, stream table detection module, protocol process module, the flow identification module, data flow feature library, sample acquisition module, grader classification prediction module is online, and the grader training module is an off-line.Before carrying out online classification, need carry out sample earlier and obtain the process that generates a disaggregated model with grader training, at this time the flow identification module accurately recognition data flow and directly send into the sample acquisition module.
The online acquisition sample file of sample acquisition module can carry out off-line training to grader later, obtain disaggregated model, when the flow identification module in the DPI system can't be discerned, through the grader classification prediction module of DFI system, grader classification prediction module can't be classified by recognition data stream to the flow identification module according to the disaggregated model that training obtains again.
Fig. 4 is the flow chart of the net flow assorted method that combines of DPI of the present invention and DFI.
The processing procedure of network data when this flow chart is online classification, its prerequisite are that grader has been trained and finished and obtained disaggregated model.
At first, when network traffics arrive, at first arrive stream table detection module, according to the current message of the detection of preamble in message mark whether.If the type of current message corresponding data stream is mark, then use the mode corresponding to handle current data stream with type.If the type of current message corresponding data stream does not have mark, then enter the flow identification module and discern judgement, the foundation of flow identification module identification is exactly the data flow feature library among Fig. 1, if the flow identification module can be discerned and then upgrade stream table detection module, so that the message that belongs to same flow just can be detected when the stream table detects.If the flow identification module can't be discerned, then enter grader classification prediction module, grader classification prediction module is classified to the flow that can't discern according to the disaggregated model that the DFI off-line training obtains.Because the all-network data traffic must belong to a class in several big classes, so here the flow that can't discern of the flow identification module of all DPI is all classified by big class.Send into protocol process module after classification is finished, protocol process module is handled respectively according to the difference of classification.The protocol process module here comprises two big process object, and one is the processing to concrete business, and another one is the processing to the big class of network.
Handle network traffics by the way, than merely using DPI or DFI to come comprehensively, it can accurately be discerned the business that application layer does not have to encrypt, and also can carry out the differentiation of big class to the business of using infill layer.
Claims (2)
1.DPI the net flow assorted system with DFI combines is characterized in that: comprise two module be combined intos of DPI business identifying system and DFI flux recognition system;
In the described DPI business identifying system, comprising:
A. stream table detection module judges that whether current data flow is the data flow of type;
B. data flow feature library, the feature of memorying data flow;
C. flow identification module is according to the different business of the representative of the feature identification network traffics in the data flow feature library;
D. protocol process module is used for the processing to concrete business, and to the processing of the big class of network;
In the described DFI flux recognition system, comprising:
E. sample acquisition module, the stream feature extraction that is used for business that DPI can accurately be discerned is come out, and is divided into different classifications, as the training sample of grader training module;
F. grader training module, the sample training that the sample acquisition module is provided obtains a training pattern;
G. grader classification prediction module is classified to other data according to the model that the grader training module obtains.
2. the net flow assorted method of a net flow assorted system that combines based on the described DPI of claim 1 and DFI may further comprise the steps:
(a) data flow is earlier through the stream table detection module in the DPI business identifying system, stream table detection module detects current data stream whether in the state table that stream table detection module is safeguarded, when this data flow in state table, then stream table detection module is sent to protocol process module directly with after the current data flow label; In this data flow was not at state table, then stream table detection module was sent to the flow identification module with this data flow, enters (b) step;
(b) the flow identification module checks whether this data flow contains any feature in the data flow feature library in the DPI business identifying system; In data flow feature library, recognize the traffic characteristic that coupling is arranged with this data flow when the flow identification module, then this data flow of the current message correspondence of mark is specific data flow, upgrade the state table of safeguarding in the stream table detection module, simultaneously the current data flow label is sent to protocol process module later on; When the flow identification module does not recognize the traffic characteristic that mates with this data flow in data flow feature library, then this data flow is sent to the DFI flux recognition system, enter (c) step;
(c) the flow identification module can recognition data stream be sent to the sample acquisition module in the DFI flux recognition system, after the sample file of online this data flow of acquisition of sample acquisition module, this sample file is sent to the grader training module carries out off-line training, obtain disaggregated model, the grader training module is sent to grader classification prediction module with this disaggregated model; Grader classification prediction module can't be classified by recognition data stream to flow identification module in (b) step according to the disaggregated model that training obtains;
(d) grader classification prediction module will divide the data flow of class to carry out respective markers to be sent to protocol process module, protocol process module according in the above step to the not isolabeling of data flow, carry out concrete professional or respectively at the processing of the big class of difference.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100346437A CN101645806B (en) | 2009-09-04 | 2009-09-04 | Network flow classifying system and network flow classifying method combining DPI and DFI |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100346437A CN101645806B (en) | 2009-09-04 | 2009-09-04 | Network flow classifying system and network flow classifying method combining DPI and DFI |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101645806A CN101645806A (en) | 2010-02-10 |
| CN101645806B true CN101645806B (en) | 2011-09-07 |
Family
ID=41657531
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009100346437A Expired - Fee Related CN101645806B (en) | 2009-09-04 | 2009-09-04 | Network flow classifying system and network flow classifying method combining DPI and DFI |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101645806B (en) |
Families Citing this family (39)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101814977B (en) * | 2010-04-22 | 2012-11-21 | 北京邮电大学 | TCP flow on-line identification method and device utilizing head feature of data stream |
| CN102025623B (en) * | 2010-12-07 | 2013-03-20 | 苏州迈科网络安全技术股份有限公司 | Intelligent network flow control method |
| CN102420830A (en) * | 2010-12-16 | 2012-04-18 | 北京大学 | Peer-to-peer (P2P) protocol type identification method |
| CN102201982A (en) * | 2011-04-29 | 2011-09-28 | 北京网康科技有限公司 | Application identification method and equipment thereof |
| CN103023670B (en) * | 2011-09-20 | 2017-09-08 | 中兴通讯股份有限公司 | Message traffic kind identification method and device based on DPI |
| CN102724317B (en) * | 2012-06-21 | 2016-05-25 | 华为技术有限公司 | A kind of network traffic data sorting technique and device |
| CN102868638A (en) * | 2012-08-16 | 2013-01-09 | 苏州迈科网络安全技术股份有限公司 | Method and system for dynamically regulating bandwidth |
| EP2806602A4 (en) * | 2013-02-04 | 2015-03-04 | Huawei Tech Co Ltd | Feature extraction device, network traffic identification method, device and system. |
| CN104348638B (en) * | 2013-07-29 | 2017-12-01 | 中国移动通信集团公司 | Identify method, system and the equipment of the type of service of session traffic |
| CN104348675B (en) * | 2013-08-02 | 2017-10-13 | 北京邮电大学 | Bidirectional service data stream recognition method and device |
| CN104468252A (en) * | 2013-09-23 | 2015-03-25 | 重庆康拜因科技有限公司 | Intelligent network service identification method based on positive transfer learning |
| CN103916294B (en) | 2014-04-29 | 2018-05-04 | 华为技术有限公司 | The recognition methods of protocol type and device |
| CN105323116B (en) * | 2014-08-01 | 2018-06-29 | 中国电信股份有限公司 | The acquisition method of internet FEATURE service flow and device, system |
| CN104394032A (en) * | 2014-11-24 | 2015-03-04 | 北京美琦华悦通讯科技有限公司 | System and method for rapidly identifying OTT (over the top) application flow characteristics |
| US20160283859A1 (en) * | 2015-03-25 | 2016-09-29 | Cisco Technology, Inc. | Network traffic classification |
| CN108141377B (en) * | 2015-10-12 | 2020-08-07 | 华为技术有限公司 | Early classification of network flows |
| CN105429817A (en) * | 2015-10-30 | 2016-03-23 | 中兴软创科技股份有限公司 | Illegal business identification device and illegal business identification method based on DPI and DFI |
| CN105591973B (en) * | 2015-12-31 | 2019-12-20 | 杭州数梦工场科技有限公司 | Application identification method and device |
| CN106411775B (en) * | 2016-08-31 | 2019-06-14 | 国家计算机网络与信息安全管理中心 | A kind of internet traffic classification samples mask method |
| CN106330612B (en) * | 2016-08-31 | 2019-07-23 | 国家计算机网络与信息安全管理中心 | A kind of internet traffic classification assessment method and system |
| CN106603278A (en) * | 2016-11-29 | 2017-04-26 | 任子行网络技术股份有限公司 | Network application audit management method based on audit data management model and apparatus thereof |
| CN107302472A (en) * | 2017-06-14 | 2017-10-27 | 苏州海加网络科技股份有限公司 | Application Activity recognition method and system based on stream morphological feature |
| CN107819646A (en) * | 2017-10-23 | 2018-03-20 | 国网冀北电力有限公司信息通信分公司 | A kind of net flow assorted system and method for distributed transmission |
| CN108183834B (en) * | 2017-12-04 | 2019-05-21 | 中国联合网络通信集团有限公司 | A kind of network flow management-control method and managing and control system based on DFI and DPI |
| CN109951347B (en) | 2017-12-21 | 2021-11-19 | 华为技术有限公司 | Service identification method, device and network equipment |
| CN108418758B (en) * | 2018-01-05 | 2021-01-29 | 网宿科技股份有限公司 | Single packet identification method and flow guiding method |
| CN110233769B (en) * | 2018-03-06 | 2021-09-14 | 华为技术有限公司 | Flow detection method and apparatus, sample training method and apparatus, and medium |
| CN114513456A (en) * | 2018-10-12 | 2022-05-17 | 华为技术有限公司 | Service flow processing method and device |
| CN109040141B (en) * | 2018-10-17 | 2019-11-12 | 腾讯科技(深圳)有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
| CN109660656A (en) * | 2018-11-20 | 2019-04-19 | 重庆邮电大学 | A kind of intelligent terminal method for identifying application program |
| CN111245667A (en) * | 2018-11-28 | 2020-06-05 | 中国移动通信集团浙江有限公司 | Network service identification method and device |
| CN111275453A (en) * | 2018-12-03 | 2020-06-12 | 中国移动通信集团上海有限公司 | Industry identification method and system of Internet of things equipment |
| CN109729017B (en) * | 2019-03-14 | 2023-02-14 | 哈尔滨工程大学 | Load balancing method based on DPI prediction |
| CN110048962A (en) * | 2019-04-24 | 2019-07-23 | 广东工业大学 | A kind of method of net flow assorted, system and equipment |
| CN111917665A (en) * | 2020-07-23 | 2020-11-10 | 华中科技大学 | Terminal application data stream identification method and system |
| CN112235160B (en) * | 2020-10-14 | 2022-02-01 | 福建奇点时空数字科技有限公司 | Flow identification method based on protocol data deep layer detection |
| CN112491643B (en) * | 2020-11-11 | 2022-01-18 | 北京马赫谷科技有限公司 | Deep packet inspection method, device, equipment and storage medium |
| CN113382039B (en) * | 2021-05-07 | 2023-01-13 | 中国科学院信息工程研究所 | Application identification method and system based on 5G mobile network flow analysis |
| CN113949672A (en) * | 2021-10-18 | 2022-01-18 | 南京中孚信息技术有限公司 | Novel VPN identification universal technology and device |
-
2009
- 2009-09-04 CN CN2009100346437A patent/CN101645806B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN101645806A (en) | 2010-02-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101645806B (en) | Network flow classifying system and network flow classifying method combining DPI and DFI | |
| CN101741744B (en) | Network flow identification method | |
| CN107819646A (en) | A kind of net flow assorted system and method for distributed transmission | |
| CN105871832B (en) | A kind of network application encryption method for recognizing flux and its device based on protocol attribute | |
| CN110391958B (en) | Method for automatically extracting and identifying characteristics of network encrypted flow | |
| CN104270392B (en) | A kind of network protocol identification method learnt based on three grader coorinated trainings and system | |
| CN102571486B (en) | Traffic identification method based on bag of word (BOW) model and statistic features | |
| CN101414939B (en) | Internet application recognition method based on dynamical depth package detection | |
| CN109861957A (en) | A kind of the user behavior fining classification method and system of the privately owned cryptographic protocol of mobile application | |
| CN102315974A (en) | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows | |
| CN106657141A (en) | Android malware real-time detection method based on network flow analysis | |
| CN102394827A (en) | Hierarchical classification method for internet flow | |
| WO2011050545A1 (en) | Automatic analysis method for unknown application layer protocols | |
| CN104468252A (en) | Intelligent network service identification method based on positive transfer learning | |
| CN110213124A (en) | Passive operation system identification method and device based on the more sessions of TCP | |
| CN107465643A (en) | A kind of net flow assorted method of deep learning | |
| CN112381119B (en) | Multi-scene classification method and system based on decentralized application encryption flow characteristics | |
| CN104657747A (en) | Online game stream classifying method based on statistical characteristics | |
| CN109660656A (en) | A kind of intelligent terminal method for identifying application program | |
| CN110971601A (en) | Efficient network message transmission layer multi-level feature extraction method and system | |
| CN105959321A (en) | Passive identification method and apparatus for network remote host operation system | |
| CN103281158A (en) | Method for detecting communication granularity of deep web and detection equipment thereof | |
| CN101321097A (en) | Tencent network living broadcast business recognition method based on payload depth detection | |
| CN104021348A (en) | Real-time detection method and system of dormant P2P (Peer to Peer) programs | |
| CN106789416A (en) | The recognition methods of industrial control system specialized protocol and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20110907 Termination date: 20140904 |
|
| EXPY | Termination of patent right or utility model |