CN102025636A - Message feature processing method and device as well as network equipment - Google Patents
Message feature processing method and device as well as network equipment Download PDFInfo
- Publication number
- CN102025636A CN102025636A CN2010105949861A CN201010594986A CN102025636A CN 102025636 A CN102025636 A CN 102025636A CN 2010105949861 A CN2010105949861 A CN 2010105949861A CN 201010594986 A CN201010594986 A CN 201010594986A CN 102025636 A CN102025636 A CN 102025636A
- Authority
- CN
- China
- Prior art keywords
- matching characteristic
- backup
- characteristic
- message
- application message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides a message feature processing method and device as well as network equipment, wherein the method comprises the following steps: acquiring the loading information of a current application message; carrying out application identification in accordance with the loading information of the current application message and formal matching features prestored in a feature library; and when the type of the current application message is identified by the formal matching features, acquiring a first backup matching feature and storing the first backup matching feature in accordance with the loading information of the current application message and the loading information of previous application messages with specified number so as to carry out application identification in accordance with the first backup matching features. By using the message feature processing method and device as well as the network equipment provided by the invention, the application messages are subject to the identification, simultaneously, new matching features generate in accordance with identified loading information of the application messages, and the subsequent application identification can be carried out in accordance with the new matching features, thus being capable of improving and the accuracy of application message identification and reducing the erroneous judgment rate.
Description
Technical field
The present invention relates to the communication technology, relate in particular to a kind of message characteristic processing method, device and the network equipment.
Background technology
Along with the fast development of Internet technology, the content of carrying on network is more and more abundanter, and Internet service provider also provides increasing service content to the client, and simultaneously, these services are distinguished according to different application.The required resource information of different application is different usually, and this just requires the network equipment can identify various application, for various application provide best resource, to improve the utilance of network equipment resource.
Before often utilized port to carry out flow identification, and promptly the flow of various application had been studied, and summarized one or more fixed ports of this flow correspondence, for example concluding the commercial port that draws KuGoo (KuGoo) software generic is 7000.When in the flow detection process, finding have the port of flow identical with the port of having summarized (for example port 7000), determine that then this flow belongs to and the corresponding flow of port of having summarized, use the purpose of (for example being identified as the KuGoo software application) to reach identification.
But at present a lot of application software have not re-used fixed port, but frequent dynamic change port or port is set in software function is set port is set voluntarily for the user, even some software also uses other professional fixed ports, for example use port 80, with deception flow detection equipment.Therefore, above-mentioned flow rate testing methods based on port has not satisfied the demand of using identification.And because can there be different place usually in stream or message between the different application; can identify different application by extracting different field; this different field that is used for discerning different application is called as condition code or keyword; therefore, the prior art condition code of giving chapter and verse is again discerned the technical scheme of different application.
Application and identification method based on condition code mainly contains following several at present: a kind of deep message that is based on message detects (Deep Packet Inspection; Abbreviate as: DPI), this method mainly is to carry out depth analysis by four layers of load to message, extract feature field that it comprises or that the frequency of occurrences is the highest, form a kind of feature of application again in conjunction with some port and protocol information, and with the characteristic storage that forms in feature database.Follow-up in the flow identifying, mate in the feature database of storage before by four layers of load and port, the protocol information that extracts message, discern the application under the message.Usually this method the position occurs to feature field strict requirement.Another kind is based on depth detection (the Deep Flow Inspection of stream; Abbreviate as: DFI), this method mainly is based on the state of different application on session connection or data flow and has nothing in common with each other, and is long as the average packet of each stream, the features such as the time interval that each bag arrives; Form a training set by a large amount of stream is analyzed then, produce a Matching Model by training set again.In follow-up flow identifying,, concrete stream and the Matching Model that generates before discern the affiliated application of stream by being mated.
But, along with the continual renovation of technology and the progressively development of network, software version is constantly upgraded, for example redaction constantly appears in software such as QQ, a sudden peal of thunder, different editions software characteristic of correspondence sign indicating number tends to change, concerning based on the application identification of condition code, can produce the inaccurate problem of identification like this because of the variation of condition code.In order to address this problem, each edition upgrading all needs manually to carry out the operation of extraction again of a condition code, and the workload in this maintenance features storehouse is very heavy, and efficient is lower.In addition, this way can make that the feature that a certain application extracts is more and more, and feature extraction is many more, and the probability that causes judging by accident will improve greatly, and along with the progressively upgrading or the renewal of software version, this erroneous judgement probability can increase greatly.Therefore, how software version bring in constant renewal in or the situation of upgrading under, realize that the accurate recognition application type becomes to use the another difficult problem that identification faces.
Summary of the invention
The invention provides a kind of message characteristic processing method, device and the network equipment, in order in software version update or when upgrading, accurately message is used in identification.
The invention provides a kind of message characteristic processing method, comprising:
Obtain the load information of current application message;
Use identification according to the load information of described current application message and the formal matching characteristic that is stored in advance in the feature database;
When identifying the type of described current application message according to described formal matching characteristic, according to the load information of described current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, to use identification according to the described first backup matching characteristic.
The invention provides a kind of message characteristic processing unit, comprising:
The information acquisition module is used to obtain the load information of current application message;
First identification module is used for using identification according to the load information of described current application message and the formal matching characteristic that is stored in feature database in advance;
The first feature acquisition module, be used for when described first identification module identifies the type of described current application message according to described formal matching characteristic, according to the load information of described current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, to use identification according to the described first backup matching characteristic.
The invention provides a kind of network equipment, comprise arbitrary message characteristic processing unit provided by the invention.
Message characteristic processing method provided by the invention, device and the network equipment, employing is when discerning the application message, load information according to the application message of having discerned generates new matching characteristic, and use the technical scheme of identification at the new matching characteristic of follow-up basis, can follow the load information of using identifying combination application in real time message and carry out the automatic renewal of matching characteristic, can make matching characteristic change and change automatically with software release upgrade or renewal etc.; Therefore, even software release upgrade or upgraded adopts technical solution of the present invention also can accurately discern the application message, reduce the erroneous judgement probability; Also solve in the prior art problem that needs the manual maintenance feature database because of software release upgrade or renewal simultaneously, improved the efficient in maintenance features storehouse.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art, to do one to the accompanying drawing of required use in embodiment or the description of the Prior Art below introduces simply, apparently, accompanying drawing in describing below is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
The flow chart of the message characteristic processing method that Fig. 1 provides for the embodiment of the invention one;
The flow chart of the message characteristic processing method that Fig. 2 provides for the embodiment of the invention two;
The flow chart of the message characteristic processing method that Fig. 3 provides for the embodiment of the invention three;
The flow chart of the message characteristic processing method that Fig. 4 A provides for the embodiment of the invention four;
Fig. 4 B is the flow chart of a kind of execution mode of step 404;
Fig. 4 C is the flow chart of a kind of execution mode of the described renewal process of step 410;
The structural representation of the message characteristic processing unit that Fig. 5 provides for the embodiment of the invention five;
A kind of structural representation of the message characteristic processing unit that Fig. 6 A provides for the embodiment of the invention six;
The another kind of structural representation of the message characteristic processing unit that Fig. 6 B provides for the embodiment of the invention six.
Embodiment
For the purpose, technical scheme and the advantage that make the embodiment of the invention clearer, below in conjunction with the accompanying drawing in the embodiment of the invention, technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
Embodiment one
The flow chart of the message characteristic processing method that Fig. 1 provides for the embodiment of the invention one.The executive agent of present embodiment can be arbitrary network equipment, and as shown in Figure 1, the message characteristic processing method of present embodiment comprises:
Wherein, when opening a certain application program or application software on the network equipment, have application corresponding message or application data usually and exist, in technical solution of the present invention, will be referred to as the application message.This application message can be the message from other network equipments that the network equipment receives, and also can be the message that is sent to other network equipments by local network device, is referred to as the application message that is captured by the network equipment.The application message of present embodiment generally includes protocol information and payload content etc.; Wherein, protocol information typically refers to the five-tuple information of using message; For transmission control protocol (Transmission ControlProtocol; Abbreviate as: TCP) message, this five-tuple typically refer to source Internet protocol (InternetProtocol; Abbreviate as: IP) address, purpose IP address, IP agreement (being Transmission Control Protocol), tcp source port and TCP destination interface; For User Datagram Protocol (User Datagram Protocol; Abbreviate as: UDP) message, this five-tuple typically refer to source IP address, purpose IP address, IP agreement (being udp protocol), UDP source port and UDP destination interface.The said load information of this step mainly is meant the information of obtaining according to the payload content of using in the message relevant with application.
Concrete, when the network equipment captures the application message,, obtain information such as its load information and five-tuple by carrying out protocal analysis to using message.For example: the network equipment knows that by protocol analysis using message is the TCP message, then will obtain source IP address, purpose IP address, Transmission Control Protocol, tcp source port and the TCP destination interface of using in the message and use payload content that message carries etc., and further extract load information.
Wherein, get access to the load information of using message when the network equipment after, can in feature database, mate in conjunction with the five-tuple information of using message, promptly with feature database in formal matching characteristic mate one by one, so that the application message is discerned.Wherein, when in feature database, matching the formal matching characteristic consistent, can discern the application type that this application message belongs to the formal matching characteristic correspondence that matches with load information, and execution in step 103; After carrying out matching operation with all formal matching characteristics, do not match the formal matching characteristic consistent with load information, then explanation can not identify the type of current application message according to formal matching characteristic, at this moment, the network equipment can end operation or is carried out other operations, does not limit in the present embodiment.
Wherein, be stored in formal matching characteristic in the feature database and be in advance according to the feature extraction of various application software or application program, normally extract in advance and store in the feature database with manual type.
Wherein, specify the application message of number to be meant before the current application message before, identified by the network equipment belong to same application with the current application message several use messages.For the number of using message before specified, present embodiment is not done concrete qualification, can carry out the adaptability setting according to different application software or program.
In specific implementation process, message and load information thereof are used in storage when the network equipment identifies the type of using message, and can use message a plurality of application messages and load information thereof afterwards to this and store.Like this when the network equipment recognizes the current application message and identifies the type of current application message, can according to storage before belong to the load information of a plurality of application messages of same type with this current application message and the load information of current application message obtains the first backup matching characteristic, and the first backup matching characteristic is stored; When the network equipment captures the application message once more, the formal matching characteristic of storing in advance can be combined with this first backup matching characteristic the application message that newly captures is discerned; Present embodiment described " combination " is meant earlier uses identification according to the formal matching characteristic of storage in advance, in the time can't identifying the type of using message according to formal matching characteristic, utilizes the first backup matching characteristic to use identification again.
Wherein, when application software or program do not change, the first backup matching characteristic that obtains might Already in formal matching characteristic in, at this moment, the first backup matching characteristic can not influence using the identification of message; If the first backup matching characteristic is not present in the formal matching characteristic, illustrate that the first backup matching characteristic belongs to new application characteristic, for example may be because the edition upgrading or the renewal of application software or program cause application characteristic that variation has taken place; Because the load information that the application message carries can change with the variation of application software or program, therefore, the first backup matching characteristic that the load information of the application message that basis has identified in using identifying generates can reflect the situation of change of application software or program in real time, at this moment, use identification in conjunction with the first backup matching characteristic, can improve the accuracy when the subsequent applications message discerned greatly, reduce the erroneous judgement probability.
Further, because the first backup matching characteristic obtains in using identifying in real time, the first backup matching characteristic and formal matching characteristic combined use identification, be equivalent to real-time change (for example edition upgrading or renewal) real-time update matching characteristic or real-time servicing feature database according to application software or program, this mode is different by the manual maintenance feature database with prior art, reduce the difficulty and the workload in maintenance features storehouse, improved the efficient in maintenance features storehouse.
Based on above-mentioned, the message characteristic processing method that present embodiment provides, by using in the process of identification according to the load information of using message, the first backup matching characteristic of reaction of formation application software or change of program situation, and carry out subsequent applications in conjunction with the first backup matching characteristic and discern, greatly improved the accuracy of using identification, especially when application software or program upgrade or renewal, this technique effect will be more obvious.
Further, present embodiment provides a kind of embodiment of step 103, specifically being meant provides a kind of execution mode that uses the first backup matching characteristic, this execution mode specifically comprises: step 1031, with the load information of current application message with specify the load information of the application message of number to carry out feature relatively before, obtain the first backup matching characteristic; Step 1032, upgrade according to the first backup matching characteristic and to be stored in the backup of second in feature database matching characteristic in advance, to use identification according to the second backup matching characteristic after upgrading.
In the above-described embodiment, except storing the formal matching characteristic that obtains in advance, also store the backup matching characteristic that obtains in advance in the feature database, i.e. the second backup matching characteristic; And formal matching characteristic priority is higher than the backup matching characteristic, and is different from the backup matching characteristic.Wherein, present embodiment " being stored in the backup of second in feature database matching characteristic in advance " was meant before upgrading operation with the first backup matching characteristic and stores the backup of second in feature database matching characteristic into.The present embodiment mode is stored in the backup of second in feature database feature in advance by upgrading with the first backup matching characteristic, when failing to identify the type of using message according to formal matching characteristic, and when further discerning using message by the second backup matching characteristic, can bring into play the effect of the first backup matching characteristic, and because the first backup matching characteristic has reacted application software or change of program situation, therefore, can further improve identification and use the accuracy of the type of message, reduce the erroneous judgement probability.
Embodiment two
The flow chart of the message characteristic processing method that Fig. 2 provides for the embodiment of the invention two.Present embodiment can be based on embodiment one, repeats no more with the something in common of embodiment one.As shown in Figure 2, the message characteristic processing method of present embodiment comprises:
Step 203 according to the load information of current application message with specify the load information of the application message of number before, is obtained the first backup matching characteristic and storage, using identification according to the first backup matching characteristic, and finishes this identifying operation;
Step 204 is according to the load information of current application message be stored in second in feature database backup matching characteristic in advance and use identification.
Wherein, step 201-step 203 can be referring to the description among the embodiment one.In the present embodiment, except storing the formal matching characteristic that obtains in advance, also store the backup matching characteristic that obtains in advance in the feature database, i.e. the second backup matching characteristic; The formal matching characteristic priority of obtaining in advance is higher than obtains the backup matching characteristic in advance, and is different from the backup matching characteristic.
Step 204 is specially: mate one by one according to the load information of current application message and five-tuple and the second backup matching characteristic; When matching the second backup matching characteristic consistent, can discern the application type that this application message belongs to the backup of second in coupling matching characteristic correspondence with load information and five-tuple; Otherwise, illustrate, fail to identify the type of current application message according to the second backup matching characteristic.
The message characteristic processing method that present embodiment provides, employing is when failing to identify the type of using message according to formal matching characteristic, back up matching characteristic further to using the technical scheme that message is discerned by second, can further improve the accuracy that the type of message is used in identification, reduce the erroneous judgement probability.
Embodiment three
The flow chart of the message characteristic processing method that Fig. 3 provides for the embodiment of the invention three.Present embodiment is based on embodiment one and embodiment two, and the something in common of itself and previous embodiment repeats no more, and as shown in Figure 3, the message characteristic processing method of present embodiment comprises:
Step 303 according to the load information of current application message with specify the load information of the application message of number before, is obtained the first backup matching characteristic and storage, using identification according to the first backup matching characteristic, and finishes this identifying operation;
Step 305 is carried out characteristic similarity relatively with the load information of current application message and the formal matching characteristic in the feature database, and according to whether existing characteristic similarity to satisfy the formal matching characteristic of default similarity threshold in the default similarity threshold judging characteristic storehouse; When comparative result draws in the feature database characteristic similarity that exists with the load information of current application message and satisfies the formal matching characteristic of default similarity threshold, execution in step 306; Otherwise, execution in step 307.
Particularly, the load information of current application message can be carried out similarity one by one with formal matching characteristic and calculate, and whether judging characteristic similarity value is greater than the similarity threshold that sets in advance; And according to the type of using message greater than the pairing formal matching characteristic identification of the characteristic similarity value of similarity threshold; Can identify the current application message by step 306 and belong to the application type that this characteristic similarity that obtains satisfies the formal matching characteristic correspondence of default similarity threshold.
Wherein, step 305 and step 306 are used for doing further identification to using message in the time still can not identifying the type of using message according to the second backup matching characteristic; Again to the similarity coupling, its condition for identification progressively relaxes from formal matching characteristic to the second backup matching characteristic, to strive for correctly identifying the type of using message, improves correct identification and uses the probability of message and the discrimination of message.
Illustrate " characteristic similarity relatively ", for example: assumed load information is 01030406, and a certain formal matching characteristic is 01020406, and similarity threshold is set to 70%; According to judging that load information only has a feature different with this formal matching characteristic as can be known, its similarity value is 75%, greater than similarity threshold, uses the application type that message belongs to formal matching characteristic 01020406 correspondence so can identify, and end operation.When identifying the type of using message according to similarity threshold, illustrate that the load information of this moment is similar with formal matching characteristic but have any different, this load information may mean that variation has taken place for application software or program, and can reflect the variation that is taken place, therefore, this load information as the 3rd backup matching characteristic, is discerned the subsequent applications message being used for, can be improved the accuracy when the subsequent applications message discerned.
Wherein, if when failing to get access to the similarity value, illustrate then in this mode and still fail correctly to identify the type of using message that this moment also can execution in step 307, i.e. end operation greater than the formal matching characteristic of similarity threshold.Can also return failure information simultaneously in this case.
The present embodiment technical scheme is carried out characteristic similarity relatively by load information and the formal matching characteristic to the current application message, when still failing to identify the type of using message, to do further identification according to the second backup matching characteristic, can further improve the accuracy when current application discerned, reduce the erroneous judgement probability; And in the time can identifying the type of using message, the load information of storage current application message to be to be used for the process of subsequent applications identification, the accuracy in the time of can improving subsequent applications identification.
Technical scheme based on the various embodiments described above of the present invention, present embodiment provides a kind of and specifically uses identification mode according to the first backup matching characteristic, promptly upgrade the second backup matching characteristic, to bring into play the effect of the first backup matching characteristic with the first backup matching characteristic.This method can be used as a kind of embodiment of step 103, step 203 or step 303, specifically comprise: step a, with the load information of current application message with specify the load information of the application message of number to carry out feature relatively before, obtain the first backup matching characteristic; Step b upgrades the second backup matching characteristic according to the first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.
Need explanation at this, the second backup matching characteristic in step b is meant equally and is utilizing the first backup matching characteristic to store the backup of second in feature database matching characteristic before upgrading operation into, for the second backup matching characteristic is to obtain in which way and store into not do qualification in the feature database, for example: can be manually to extract and store in the feature database.
Wherein, the execution mode of a kind of step a comprises: step a1 with the load information of current application message with specify the load information of the application message of number to divide into groups before, forms a plurality of load information groups; Step a2 carries out feature relatively with the load information in each load information group, obtains a plurality of son backup matching characteristics; Step a3 carries out feature relatively with a plurality of son backup matching characteristics, obtains the first backup matching characteristic.Particularly, in the network equipment, a memory space can be set, be used to store the application message that has identified under every kind of application type; Simultaneously, a packet accouter is set, is used to count the number that the same application type of having stored is used message down.When packet accouter counting reaches when specifying number (is example with 19), the network equipment with the load information of current application message and before the load informations of 19 application messages of same type divide into groups; Suppose to be divided into 4 groups (generally dividing into groups according to the storage order of using message), then every group comprises 5 load informations of using message; Load information in every group is compared, obtain 5 and use that different load informations backs up matching characteristic as son in the messages; Can obtain 4 son backup matching characteristics so altogether, then these 4 son backup matching characteristics be compared again, obtain the son that is different from the formal matching characteristic and back up matching characteristic as the first backup matching characteristic.But the execution mode of step a is not limited to this, for example also can directly 20 application messages of the same type be compared, and obtains the first backup matching characteristic.
Further, provide a kind of embodiment of step b below, specifically comprise:
Step b1 according to the type of the current application message that identifies, obtains the second backup matching characteristic of current application message correspondence; Obtain the second backup matching characteristic that belongs to the current application message in a plurality of second backup matching characteristics of promptly from feature database, storing.
Step b2 judges whether the first backup matching characteristic is present in the second backup matching characteristic of the current application message correspondence of obtaining; If being the first backup matching characteristic, judged result is not present in the second backup matching characteristic of the current application message correspondence of obtaining, then execution in step b3; Otherwise, execution in step b4.
Step b3 is stored in the first backup matching characteristic in the feature database, so that the second backup matching characteristic is upgraded; Be about to the first backup matching characteristic and store in the feature database,, and finish this renewal operation as a kind of second new backup matching characteristic.
Step b4, the match hit number of times of the second backup matching characteristic that will be identical with the first backup matching characteristic adds 1, and finishes this renewal operation.
In this technical scheme, in advance for each backup matching characteristic and formal matching characteristic are provided with match hit time counter, with record match hit number of times.For example: when the formal matching characteristic of basis in step 302 identifies the type of current application message, a certain formal matching characteristic in the load information coupling of current application message is described, the match hit number of times of the formal matching characteristic in then the formal matching characteristic of current application message correspondence promptly being mated adds 1; Again for example: when in step 304 according to the second backup matching characteristic when identifying the type of current application message, the a certain second backup matching characteristic in the load information coupling of current application message is described, the match hit number of times of the second backup matching characteristic in then the second backup matching characteristic of current application message correspondence promptly being mated adds 1.And in step b4, when having the second backup matching characteristic identical in the second backup matching characteristic of current application message correspondence with the first backup matching characteristic, the second backup matching characteristic that then should be identical with the first backup matching characteristic can be by in the coupling, therefore, its match hit number of times is also added 1.Each the formal matching characteristic that passes through like this to be write down and the second backup matching characteristic can be judged the similarity of matching characteristic and current application by the number of times in mating; For example: the match hit number of times is many more, illustrates that the pairing formal matching characteristic or the second backup matching characteristic can embody the feature of current application more.
In addition, based on technique scheme, present embodiment also provides a kind of concrete occupation mode of the 3rd backup matching characteristic.Concrete, directly store into the 3rd backup matching characteristic in the feature database, use as a kind of second new backup matching characteristic, promptly upgrade the second backup matching characteristic, and carry out follow-up application according to the second backup matching characteristic after upgrading and discern, to improve the accuracy of using identification, realized that simultaneously feature database is with the upgrading of software version or dynamically updating and safeguarding of renewal.In like manner, the second backup matching characteristic of present embodiment is meant and is utilizing the 3rd backup matching characteristic to store in the feature database before upgrading operation, for example: can be to back up matching characteristic by second of artificial extraction and storage at first, also can be the second backup matching characteristic after being upgraded by step b.
In this explanation, in technique scheme, the first backup matching characteristic, the second backup matching characteristic and the 3rd backup matching characteristic all belong to when formal matching characteristic can't be discerned the application message, be used for backup matching characteristic used when further message is used in identification, three's difference is mode and the asynchronism(-nization) obtaining or generate.But need explanation, the occupation mode of the first backup matching characteristic and the 3rd backup matching characteristic is not limited to this, also the first backup matching characteristic or the 3rd backup matching characteristic can be used as formal matching characteristic, for example directly use the first backup matching characteristic or the 3rd backup matching characteristic that formal matching characteristic is upgraded, also can reach the purpose of utilizing the first backup matching characteristic or the 3rd backup matching characteristic that the subsequent applications message is discerned.
Further, on the basis of above-mentioned match hit number of times technical scheme, present embodiment also provides the operating procedure of upgrading feature database.Concrete, set a update cycle, promptly first update cycle for example was the grade setting update cycle with the sky, when finishing in one day, can upgrade feature database according to the match hit number of times of the formal matching characteristic and the second backup matching characteristic.For example: can obtain the match hit number of times of formal matching characteristic of same application and the match hit number of times of the second backup matching characteristic by detection, and the match hit number of times of the formal matching characteristic of same application and the match hit number of times of the second backup matching characteristic are carried out size comparison; When the match hit number of times of the second backup matching characteristic of same application during greater than the match hit number of times of formal matching characteristic, illustrate that the second backup matching characteristic more can embody the characteristic of this application, then exchange the second backup matching characteristic and formal matching characteristic, to finish renewal to the matching characteristic of this application, be about to the match hit number of times greater than the second backup matching characteristic of the match hit number of times of formal matching characteristic as new formal matching characteristic, with original formal matching characteristic as the backup matching characteristic; Otherwise, finish to upgrade operation.After by the way the matching characteristic of all application being upgraded, can finish renewal to feature database.Wherein, also can regard as to the renewal of the second backup matching characteristic with to the renewal of formal matching characteristic the renewal of feature database.
By technique scheme, can make the variation of feature database adaptation application software or application program, improve the accuracy of subsequent applications identifying; And the mode of this renewal feature database is carried out fully automatically, and simply easy to implement, compared with prior art, has reduced the workload and the difficulty in renewal or maintenance features storehouse, has improved the efficient in maintenance features storehouse.
Further again, it is a kind of by upgrading the execution mode that the second backup matching characteristic upgrades feature database that present embodiment provides in addition.Concrete, preestablish a update cycle, i.e. second update cycle is for example hour being the grade setting update cycle.This update method specifically comprises: when second update cycle arrived, at first obtain formal matching characteristic and the match hit number of times increment second backup matching characteristic of same application; Wherein, the mode of obtaining match hit number of times increment can be when finishing the match hit time numerical value of record when this update cycle is finished and update cycle last time the match hit time numerical value of record do poor.Then, the match hit number of times increment with the formal matching characteristic of the second backup match hit number of times increment of matching characteristic of this application and designated ratio compares; When the match hit number of times increment of the second backup matching characteristic of this application during less than the match hit number of times increment of the formal matching characteristic of designated ratio, illustrate that this second backup matching characteristic is out-of-date, can't react the feature of current application, upgrade to back up matching characteristic second so can delete the second backup matching characteristic of this application; Otherwise, finish to upgrade operation.For example: setting for second update cycle is 1 hour, designated ratio is 50%, and the match hit number of times of second of a certain application of the record backup matching characteristic was 30 when second update cycle of last time finished, and the match hit number of times of the formal matching characteristic of this application of record is 50; When finishing in 1 hour, the match hit number of times that the network equipment obtains the second backup matching characteristic of this application is 40, the match hit number of times that obtains the formal matching characteristic of this application is 90, not obtain the second match hit number of times increment backup matching characteristic and formal matching characteristic be 10 and 40 by doing difference, relatively draw: the match hit number of times increment of the second backup matching characteristic is less than 50% of the match hit number of times increment of formal matching characteristic, therefore, delete the second backup matching characteristic of this application, to upgrade the second backup matching characteristic.After matching characteristic upgrades to second backup of all application by technique scheme, can finish renewal to feature database.
Can discharge memory space on the one hand by this technical scheme, by reducing the quantity of the second backup matching characteristic, can improve the rate matched of aforementioned each matching process on the other hand, reduce the resource consumption in the matching process.
Need explanation at this, the network equipment can adopt above-mentioned a kind of mode to upgrade feature database, also can adopt above-mentioned dual mode to upgrade feature database simultaneously.Wherein, when adopting dual mode to upgrade feature database, preferably setting for second update cycle was less than or equal to for first update cycle, can make the second out-of-date backup matching characteristic earlier deleted like this, the quantity of the second backup matching characteristic has been reduced, the efficient of the swap operation that carries out formal matching characteristic and backup matching characteristic can be improved, the efficient of upgrading feature database can be improved on the whole.
Below with equipment Network Based, with detailed, complete embodiment technical solution of the present invention is described comprehensively.
Embodiment four
The flow chart of the message characteristic processing method that Fig. 4 A provides for the embodiment of the invention four.Shown in Fig. 4 A, the method for present embodiment comprises:
Wherein, N1 is predefined greater than 1 integer value.In the network equipment, for each matching characteristic all is provided with a match hit time counter, be used to write down matching characteristic in advance, with the adaptedness of expression matching characteristic and application software current state by the number of times of match hit.The match hit number of times is big more, illustrates that this matching characteristic can embody the feature of application software more.Wherein, this N1 use message for identified, belong to the application message of same application with the current application message, and this N1 application message and current application message are together as a mirror image message.
Fig. 4 B is the flow chart of a kind of execution mode of step 404, and this execution mode specifically comprises: the mirror image message quantity of the current application that step 4041, the network equipment have been preserved by mirror image umber counter records; During by mirror image, this mirror image umber counter adds 1 as new application message, and judges whether mirror image umber rolling counters forward surpasses predefined count threshold, when judged result when being, execution in step 4042; Otherwise execution in step 4043.In the present embodiment, count threshold is N2, and N2 is predefined greater than 1 integer value.When mirror image umber rolling counters forward arrived N2, coexistence contained the individual application message of (N2+1) * (N1+1) on the network equipment.
Wherein, vertically feature relatively is meant the N1+1 in every part of mirror image message load information and the five-tuple of using message is carried out feature relatively, obtains son backup matching characteristic; Will get access to N2+1 son backup matching characteristic in the present embodiment.Transverse features is meant that relatively N2+1 the son backup matching characteristic that will obtain carries out feature relatively, therefrom to extract the feature outside the formal matching characteristic.
Wherein, by the operation of carrying out the oldest a mirror image message of deletion can make extract other features based on N2+1 part mirror image message follow the behaviour in service dynamic change of application software, and the application message when having considered that application software is up-to-date and being unlocked guarantees that other features of extracting can reflect the up-to-date characteristics of application software.
Further, the by way of example of " deleting the oldest a mirror image message " that present embodiment provides specifically can be carried out adaptations according to the umber of the mirror image message of preserving in advance and the count threshold of setting, for example the umber of the mirror image message that ought preserve in advance is N2+3, the count threshold of setting is N2, then can delete 3 parts of the oldest mirror image messages, discharge memory space satisfying under the condition of count threshold, but also be not limited thereto, if have enough memory spaces also can not delete, and only adopt nearest N2 part mirror image message.The scheme of " deleting the oldest a mirror image message " that present embodiment provides is a kind of optimal way.
Can extract new backup matching characteristic according to the application message that identifies by this step 404, feature database be upgraded being used for.
Step 406 is upgraded the match hit time counter of the backup matching characteristic correspondence in the coupling, and is changeed and go execution in step 410;
Step 409 writes feature database with newly-generated backup matching characteristic, and continues execution in step 410;
Step 410 is upgraded operation to feature database.
Wherein, Fig. 4 C is the flow chart of a kind of execution mode of the described renewal process of step 410, and this execution mode comprises:
Step 4091 starts renewal and operates, and wherein, the renewal of present embodiment is operating as a kind of trigger action, for example: can start according to the default update cycle and upgrade operation, promptly trigger when the update cycle is preset in timer timing arrival and upgrade operation; Again for example: also can trigger to start and upgrade operation, promptly when having new backup matching characteristic to generate and being written into feature database, trigger to start and upgrade operation by newly-generated backup matching characteristic.The condition that operation is upgraded in the triggering that present embodiment provides is a kind of optimal way.
Whether step 4092 exists on all four matching characteristic in the judging characteristic storehouse, this matching characteristic comprises formal matching characteristic and backup matching characteristic, if exist, and execution in step 4093, otherwise, execution in step 4094.
Step 4093 is deleted one of them matching characteristic, and execution in step 4094; Concrete, if identical matching characteristic is formal matching characteristic, then delete one of them formal matching characteristic; If identical matching characteristic is the backup matching characteristic, then delete one of them backup matching characteristic; If when formal matching characteristic was identical with the backup matching characteristic, then matching characteristic was backed up in deletion.
Step 4094 scans the backup matching characteristic in the feature database, and judges whether to exist the backup matching characteristic of match hit number of times increment less than the match hit number of times increment of the formal matching characteristic of the same application of designated ratio; If then execution in step 4095, on the contrary execution in step 4096.
Step 4095, deletion match hit number of times increment is less than the backup matching characteristic of the match hit number of times increment of the formal matching characteristic of designated ratio, and execution in step 4096.
Step 4096 contrasts the formal matching characteristic and the backup matching characteristic of same application, and whether the match hit number of times of judging formal matching characteristic is less than the match hit number of times of backup matching characteristic; If then execution in step 4097, otherwise, execution in step 4098.
Step 4097 is exchanged formal matching characteristic and the match hit number of times backup matching characteristic greater than formal matching characteristic, and execution in step 4098.
Step 4098, this upgrades EO.
Wherein, step 4092 and step 4093, step 4094 and step 4095 and step 4096 and step 4097 are renewal operations of database being carried out from three aspects, three kinds upgrade operation can executed in parallel, also can adopt wherein any one or its combination, what present embodiment provided is a kind of optimal way with three kinds of execution modes that upgrade the operation combinations.
The technical scheme of above-mentioned renewal feature database, one side can improve the efficient of updating maintenance feature database, can improve when the feature database after using renewal is used identification on the other hand and use the accuracy of discerning.
Based on above-mentioned, present embodiment is below with reference to practical application, and the branch situation describes the flow process of above operation in detail.At first suppose the formal matching characteristic of initialization in advance, and that wherein exist to use A is characterized as 0B 0C0D 0E, and pre-configured mirror image umber counter threshold PKTCNT is 2, update cycle DAYCNT is 2, the designated ratio DELMIN in the update cycle be 50% and similarity threshold LIKERATE be 20% etc.
First kind of situation: suppose that formal matching characteristic is hit.Concrete operations are as follows:
Open and use A, receive the message of using A, its load information is 0B 0C 0D 0E 00 00 01 0203, and load information and formal matching characteristic are mated; If match hit is carried out mirror image and preservation with current message and back 4 messages that belong to same stream, the mirror image of these 5 messages makes mirror image umber counter add 1 as a mirror image message; The value of current mirror image umber counter is compared with the mirror image umber counter threshold values PKTCNT that presets; If the value of current mirror image umber counter is less than mirror image umber counter threshold values PKTCNT, then continuation the same as the first time is carried out mirror image to using message when opening application A next time, and the memory image message; Otherwise, to the mirror image message of the current application A that preserves carry out vertical feature relatively and transverse features relatively, extract and back up matching characteristic, delete the oldest a mirror image message.Wherein, each a mirror image message of using A of opening carries out feature and more promptly constitutes once vertically feature relatively, to repeatedly vertically the result of feature comparison carry out feature and relatively constitute transverse features and compare.Wherein, opening the first five the message load result who uses A for the first time is: 1,0B 0C 0D 0E 00 00 01 02 03; 2,0B 0C 0D 0E 01 00 01 02 03; 3,0B 0C 0D 0E 02 00 01 02 03; 4,0B 0C 0D0E 03 00 01 02 03; 5,0B 0C 0D 0E 04 00 01 02 03; The result that for the first time vertical feature is relatively extracted is: 0B 0C 0D 0E XX 00 01 02 03; Opening the first five the message load result who uses A for the second time is: 1,0B 0C 0D 0E 00 00 01 02 03; 2,0B 0C 0D 0E 00 00 01 02 04; 3,0B 0C 0D 0E 00 00 01 02 05; 4,0B 0C 0D 0E 00 00 01 02 06; 5,0B 0C 0D0E 00 00 01 02 07; The result that for the second time vertical feature is relatively extracted is: 0B 0C 0D 0E XX 00 0102XX; The result that twice vertical feature relatively extracted is: 0B 0C 0D 0E XX 00 01 02 03; 0B0C 0D 0E XX 00 01 02 XX; The result that twice vertical feature relatively extracted carries out the result that transverse features relatively extracts: 0B 0C 0D 0E XX 00 01 02 XX; That extracts is characterized as: 0B 0C 0D0E XX 00 01 02 XX, remove the 0B 0C 0D 0E that has existed in the formal matching characteristic, and the backup matching characteristic that finally obtains is: 00 01 02.The backup matching characteristic that next will obtain compares with the backup matching characteristic of having stored, and its result sees the step 404 in the foregoing description for details, follow-up repeating no more.
Second kind of situation: suppose that formal matching characteristic is not hit.Concrete operations are as follows:
Open and use A, receive the message of using A, suppose that its load information is 0B 00 0D 0E 00 00 0,202 03, its load information is mated with formal matching characteristic storehouse 0B 0C 0D 0E; The result is not in mating, and then the load information with message mates with backup matching characteristic 00 01 02; The result is not also in mating, the load information of message is carried out the similarity coupling with formal matching characteristic 0B 0C 0D 0E, discovery has only character 0C to become 00, similarity is 3/4 greater than similarity threshold values LIKERATE, and load information 0B 00 0D 0E is deposited in the feature database as new backup matching characteristic.
The third situation: suppose that the update cycle arrives.Then concrete renewal operation is as follows:
Suppose that the update cycle is a day rank, formal matching characteristic and backup matching characteristic are scanned, the matching characteristic of deletion condition code repetition; One by one each is used corresponding formal matching characteristic and backs up matching characteristic and scan, to upgrade formal matching characteristic and backup matching characteristic according to the match hit number of times.As mentioned above, the formal matching characteristic of using A has: 0B 0C 0D 0E, the backup matching characteristic has: 00 01 02 and 0B 00 0D 0E.If find the match hit number of times of the match hit number of times of formal matching characteristic less than the backup matching characteristic, the match hit number of times of the formal matching characteristic 0B 0C 0D 0E of for example above-mentioned application A is less than the match hit number of times of backup matching characteristic 00 01 02, then with 0B 0C 0D 0E as the backup matching characteristic, and with 00 01 02 as formal matching characteristic; The match hit number of times of matching characteristic is respectively backed up in scanning simultaneously, the match hit number of times increment of supposing 0B 00 0D 0E in DAYCNT days this update cycle less than the match hit number of times increment of the formal matching characteristic of designated ratio DELMIN, then should back up matching characteristic 0B 00 0D 0E deletion, finally finish renewal operation feature database.
Description by above-mentioned overall flow to technical solution of the present invention, and to the explanation of the independence of various situations as can be known, the message characteristic processing method of present embodiment is actually a kind of and is identifying the method for extracting matching characteristic on the basis of using type of message.This method has the following advantages: 1, constantly extract the feature of using by the mode of extracting the backup matching characteristic simultaneously, make the feature of application more and more accurate, have the advantage that dynamically updates; 2, bring in constant renewal in the state of the match hit time counter of corresponding matching characteristic by the application of real network environment, determine by regularly more newly arriving that more current that matching characteristic is for optimum, back up the conversion between matching characteristic and the formal matching characteristic, can come Dynamic Selection Optimum Matching feature according to different network environments, have very strong flexibility; 3, the coupling of the similarity by matching characteristic has only the application of minor variations to some features, and stronger adaptability is arranged, and makes identification healthy and strong more.Therefore, adopt technical solution of the present invention can solve most of software, have advantages such as accuracy height, flexible operation, False Rate are low owing to upgraded version causes discerning inaccurate problem; By a backup of automatic generation matching characteristic, well solved owing to manually extract the wrong problem of feature that feature is complete or extract, have very strong robustness, significantly reduced the maintenance work of feature database, improved the efficient in maintenance features storehouse.
Embodiment five
The structural representation of the message characteristic processing unit that Fig. 5 provides for the embodiment of the invention five.As shown in Figure 5, the message characteristic processing unit of present embodiment comprises: information acquisition module 51, first identification module 52 and the first feature acquisition module 53.
Wherein, information acquisition module 51 is used to obtain the load information of current application message; First identification module 52 is connected with information acquisition module 51, is used for using identification according to the load information of current application message and the formal matching characteristic that is stored in feature database in advance; Wherein, information acquisition module 51 can also obtain the five-tuple information of current application message, and first identification module 52 can be used identification according to the load information and the five-tuple of current application message simultaneously.The first feature acquisition module 53, be connected with first identification module 52 with information acquisition module 51 respectively, be used for when first identification module 52 identifies the type of current application message according to formal matching characteristic, according to the load information of current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, to use identification according to the first backup matching characteristic.Wherein, specify the application message of number to be meant before the current application message before, identified by the message characteristic processing unit belong to same application with the current application message several use messages.
Wherein, the message characteristic processing unit of present embodiment also comprises feature database 54 and memory module 55, wherein, feature database 54 is used to store matching characteristic (comprise formal matching characteristic and backup matching characteristic), and memory module 55 can be used for the contents such as application message of storing the current application message and specifying number before.First identification module 52 is connected with feature database 54, and the first feature acquisition module 53 is connected with memory module 55.
The message characteristic processing unit of present embodiment, can be used for carrying out the flow process of the message characteristic processing method that the embodiment of the invention provides, by using in the process of identification according to the load information of using message, the first backup matching characteristic of reaction of formation application software or change of program situation, and carry out subsequent applications in conjunction with the first backup matching characteristic and discern, greatly improved the accuracy of using identification, especially when application software or program upgrade or renewal, this technique effect will be more obvious.
Embodiment six
A kind of structural representation of the message characteristic processing unit that Fig. 6 A provides for the embodiment of the invention six.Present embodiment realizes that based on embodiment five as shown in Figure 6A, the message characteristic processing unit of present embodiment also comprises: second identification module 56, feature comparison module 57, the 3rd identification module 58 and the second feature acquisition module 59.
Wherein, second identification module 56, be connected with feature database 54 with information acquisition module 51, first identification module 52 respectively, be used at first identification module 52 during, according to the load information of current application message be stored in second in the feature database 54 in advance and back up matching characteristic and use identification according to the unidentified type that goes out the current application message of formal matching characteristic; When second identification module 56 identifies the type of current application message, can end operation or carry out other and handle operation, specifically can the corresponding function module be set and realize according to practical application, this is not described in detail in the present embodiment.Feature comparison module 57 is connected with second identification module 56 with feature database 54 respectively, is used for when the unidentified type that goes out the current application message of second identification module 56, and the load information and the formal matching characteristic of current application message carried out characteristic similarity relatively; When feature comparison module 57 relatively draws the formal matching characteristic that does not exist characteristic similarity to satisfy default similarity threshold, can end operation or carry out other processing, present embodiment is not done further introduction to this.The 3rd identification module 58, be connected with feature comparison module 57, be used for when feature comparison module 57 relatively draws feature database and has characteristic similarity with the load information of current application message to satisfy the formal matching characteristic of default similarity threshold, satisfying the type of the formal matching characteristic identification current application message of default similarity threshold according to the characteristic similarity that obtains; The second feature acquisition module 59, be connected with the 3rd identification module 58, be used for when the 3rd identification module 58 identifies the type of current application message, according to the load information of current application message, obtain the 3rd backup matching characteristic and storage, to use identification according to the 3rd backup matching characteristic.
The message characteristic processing unit of present embodiment can be used for carrying out the flow process of the message characteristic processing method that the embodiment of the invention provides, and repeats no more in its detailed operation principle present embodiment.The message characteristic processing unit of present embodiment, can be when failing to identify the type of using message according to formal matching characteristic, further discern by the second backup matching characteristic using message, and when still failing to identify the type of using message according to the second backup matching characteristic, continuation is carried out the characteristic similarity judgement by the load information with the current application message with formal matching characteristic the type of using message is done further identification, can further improve the accuracy when current application discerned, reduce the erroneous judgement probability; And in the time can identifying the type of using message, the load information of storage current application message to be to be used for the process of subsequent applications identification, the accuracy in the time of can improving subsequent applications identification.
Further, shown in Fig. 6 B, a kind of implementation structure of the second feature acquisition module 59 comprises: first obtains submodule 591 and first upgrades recognin module 592.Wherein, first obtains submodule 591, is connected with the 3rd identification module 58, is used for the load information according to the current application message, obtains the 3rd backup matching characteristic; First upgrades recognin module 592, obtain submodule 591 and be connected with first with feature database 54, be used for storing the 3rd backup matching characteristic into feature database 54, so that the second backup matching characteristic is upgraded, for using identification according to second matching characteristic after upgrading.
Further, shown in Fig. 6 B, a kind of implementation structure of the first feature acquisition module 53 comprises: second obtains submodule 531 and second upgrades recognin module 532.Wherein, second obtains submodule 531, be connected with memory module 55 with information acquisition module 51, first identification module 52 respectively, be used for the load information of current application message and specify the load information of the application message of number to carry out feature relatively before, obtain the first backup matching characteristic; Second upgrades recognin module 532, obtains submodule 531 with feature database 54 and second respectively and is connected, and is used for upgrading the second backup matching characteristic according to the first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.Wherein, the second backup matching characteristic is meant that upgrading recognin module 532 second utilizes the first backup matching characteristic to store in the feature database before upgrading operation, can also can be after upgrading through the first renewal recognin module 592 before for example by artificial initial the extraction.
Particularly, a kind of second implementation structure that obtains submodule 531 comprises: grouped element, first acquiring unit and second acquisition unit.Wherein, grouped element is used for the load information of current application message and specifies the load information of the application message of number to divide into groups before, forms a plurality of load information groups; First acquiring unit is used for the load information of each load information group is carried out feature relatively, obtains a plurality of son backup matching characteristics; Second acquisition unit is used for a plurality of son backup matching characteristics are carried out feature relatively, obtains the first backup matching characteristic.
Particularly, a kind of second implementation structure that upgrades recognin module 532 comprises: the 3rd acquiring unit, judging unit, feature updating block and number of times updating block.Wherein, the 3rd acquiring unit is used for the type according to the current application message that identifies, and obtains the second backup matching characteristic of current application message correspondence; Judging unit is used for judging whether the first backup matching characteristic is present in the second backup matching characteristic of the current application message correspondence of obtaining; The feature updating block is used in the judged result of judging unit the first backup matching characteristic being stored in the feature database 54, so that the second backup matching characteristic is upgraded when not existing; The number of times updating block is used in the judged result of judging unit when existing, and the match hit number of times of the second backup matching characteristic that will be identical with the first backup matching characteristic adds 1.
Wherein, second obtains submodule and second updating submodule can be used for implementing step 1031 and step 1032 and step a and the described flow process of step b among the inventive method embodiment, be provided with match hit time counter for each backup matching characteristic and formal matching characteristic in advance in this technical scheme, be employed number of times in the message coupling with record.The message characteristic processing unit of present embodiment has been realized dynamically updating in real time matching characteristic or feature database by upgrading the second backup matching characteristic with the first backup matching characteristic or the 3rd backup matching characteristic; Further carry out subsequent applications identification, can improve the accuracy of using identification with the second backup matching characteristic after upgrading.
Based on technique scheme, the message characteristic processing unit of present embodiment also comprises: number of times update module 60, be connected with second identification module 56 with first identification module 52 respectively, be used for when first identification module 52 identifies the type of current application message according to formal matching characteristic or second identification module 56 according to the second backup matching characteristic, the match hit number of times of the formal matching characteristic of current application message correspondence or the corresponding second backup matching characteristic is added 1.
Further, shown in Fig. 6 B, the message characteristic processing unit of present embodiment also comprises: first update module 61 and second update module 62.Wherein, first update module 61 is connected with feature database 54, is used for when default first update cycle arrives the match hit number of times of the match hit number of times of the formal matching characteristic of more same application and the second backup matching characteristic; And during greater than the match hit number of times of formal matching characteristic, exchange the formal matching characteristic and the second backup matching characteristic of this application, to upgrade feature database 54 at the match hit number of times of the second backup matching characteristic of this application.Second update module 62 is connected with feature database 54, is used for when default second update cycle arrives, and obtains formal matching characteristic and the match hit number of times increment second backup matching characteristic of same application; The match hit number of times increment of the formal matching characteristic of the second backup match hit number of times increment of matching characteristic of this application and designated ratio is compared; And during less than the match hit number of times increment of the formal matching characteristic of designated ratio, delete the second corresponding backup matching characteristic of this applications, with renewal feature database 54 at this match hit number of times increment of using the second corresponding backup matching characteristic.
Wherein, first update module and second update module can be used for carrying out the technical scheme of step 409 among the flow process of appropriate section in the embodiment of the invention three or the embodiment four.Wherein, method according to the renewal feature database that is adopted, the message characteristic processing unit of present embodiment can optionally be provided with first update module and/or second update module, and being set simultaneously, first update module and second update module adopt two kinds of update modes that feature database is upgraded to make renewal more comprehensive, therefore, be a kind of optimal way, be the structure of message characteristic processing unit shown in Fig. 6 B with this optimal way.
In sum, the message characteristic processing unit of present embodiment has the following advantages: 1, can dynamically update feature database according to the feature of using by the flow process of the message characteristic processing method carrying out the embodiment of the invention and provide; 2, by the conversion between backup matching characteristic and the formal matching characteristic, can select the Optimum Matching feature more flexibly, improve the coupling accuracy; 3, by the similarity coupling of matching characteristic,, stronger adaptability etc. is arranged applicable to feature being had only the application of minor variations use identification.
Embodiment seven
The embodiment of the invention seven provides a kind of network equipment, comprises the message characteristic processing unit.The message characteristic processing unit that the message characteristic processing unit of present embodiment can provide for the above embodiment of the present invention, its structure and operation principle do not repeat them here.The network equipment of present embodiment can be any equipment that need discern message, for example personal computer, switch, router or server etc.
The network equipment of present embodiment is owing to have the message characteristic processing unit that the embodiment of the invention provides, can be used for carrying out the flow process of the message characteristic processing method that the embodiment of the invention provides, when the application message is used identification, have advantages such as accuracy height, flexible operation, False Rate be low, and can dynamically update feature database simultaneously, significantly reduce the maintenance work of feature database, improved the efficient in maintenance features storehouse.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can be finished by the relevant hardware of program command, aforesaid program can be stored in the computer read/write memory medium, this program is carried out the step that comprises said method embodiment when carrying out; And aforesaid storage medium comprises: various media that can be program code stored such as ROM, RAM, magnetic disc or CD.
It should be noted that at last: above embodiment only in order to technical scheme of the present invention to be described, is not intended to limit; Although with reference to previous embodiment the present invention is had been described in detail, those of ordinary skill in the art is to be understood that: it still can be made amendment to the technical scheme that aforementioned each embodiment put down in writing, and perhaps part technical characterictic wherein is equal to replacement; And these modifications or replacement do not make the essence of appropriate technical solution break away from the spirit and scope of various embodiments of the present invention technical scheme.
Claims (20)
1. a message characteristic processing method is characterized in that, comprising:
Obtain the load information of current application message;
Use identification according to the load information of described current application message and the formal matching characteristic that is stored in advance in the feature database;
When identifying the type of described current application message according to described formal matching characteristic, according to the load information of described current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, to use identification according to the described first backup matching characteristic.
2. message characteristic processing method according to claim 1, it is characterized in that, according to the load information of described current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, comprise to use identification according to the described first backup matching characteristic:
With the load information of described current application message with specify the load information of the application message of number to carry out feature relatively before, obtain the described first backup matching characteristic;
Be stored in the backup of second in feature database matching characteristic in advance according to the described first backup matching characteristic renewal, to use identification according to the second backup matching characteristic after upgrading.
3. message characteristic processing method according to claim 1 is characterized in that, also comprises:
When according to the unidentified type that goes out described current application message of described formal matching characteristic, according to the load information of described current application message be stored in the backup of second in feature database matching characteristic in advance and use identification;
When according to the unidentified type that goes out described current application message of the described second backup matching characteristic, the load information and the described formal matching characteristic of described current application message carried out characteristic similarity relatively;
When the characteristic similarity of the load information of existence and described current application message satisfies the formal matching characteristic of default similarity threshold in relatively drawing described feature database, satisfy the type that the formal matching characteristic of presetting similarity threshold is discerned described current application message according to the characteristic similarity that obtains, and according to the load information of described current application message, obtain the 3rd backup matching characteristic and storage, to use identification according to described the 3rd backup matching characteristic.
4. message characteristic processing method according to claim 3 is characterized in that, according to the load information of described current application message, obtains the 3rd backup matching characteristic and storage, is specially to use identification according to described the 3rd backup matching characteristic:
According to the load information of described current application message, obtain described the 3rd backup matching characteristic;
Described the 3rd backup matching characteristic is stored in the described feature database, and the described second backup matching characteristic is upgraded, to use identification according to second matching characteristic after upgrading.
5. message characteristic processing method according to claim 4, it is characterized in that, according to the load information of described current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, comprise to use identification according to the described first backup matching characteristic:
With the load information of described current application message with specify the load information of the application message of number to carry out feature relatively before, obtain the described first backup matching characteristic;
Upgrade the described second backup matching characteristic according to the described first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.
6. message characteristic processing method according to claim 5 is characterized in that, with the load information of described current application message with specify the load information of the application message of number to carry out feature relatively before, obtains the described first backup matching characteristic and comprises:
With the load information of described current application message with specify the load information of the application message of number to divide into groups before, form a plurality of load information groups;
Load information in each load information group is carried out feature relatively, obtain a plurality of son backup matching characteristics;
Described a plurality of son backup matching characteristics are carried out feature relatively, obtain the described first backup matching characteristic.
7. according to claim 5 or 6 described message characteristic processing methods, it is characterized in that, upgrade the described second backup matching characteristic according to the described first backup matching characteristic and comprise:
According to the type of the described current application message that identifies, obtain the second backup matching characteristic of described current application message correspondence;
Judge whether the described first backup matching characteristic is present in the second backup matching characteristic of the described current application message correspondence of obtaining;
If judged result is stored in the described first backup matching characteristic in the described feature database for not existing, so that the described second backup matching characteristic is upgraded;
If judged result is for existing, the match hit number of times of the second backup matching characteristic that will be identical with the described first backup matching characteristic adds 1.
8. message characteristic processing method according to claim 7 is characterized in that, also comprises when identifying the type of described current application message according to described formal matching characteristic or the described second backup matching characteristic:
The match hit number of times of the match hit number of times of the formal matching characteristic of described current application message correspondence or the corresponding second backup matching characteristic is added 1.
9. message characteristic processing method according to claim 8 is characterized in that, also comprises:
When default first update cycle arrives, the more same match hit number of times of corresponding formal matching characteristic and the match hit number of times of the second backup matching characteristic used;
When the described same match hit number of times of using the second corresponding backup matching characteristic during, exchange the described same corresponding formal matching characteristic and the second backup matching characteristic used, to upgrade described feature database greater than the match hit number of times of formal matching characteristic.
10. message characteristic processing method according to claim 8 is characterized in that, also comprises:
When default second update cycle arrives, obtain same formal matching characteristic and the match hit number of times increment second backup matching characteristic of using correspondence;
The match hit number of times increment of the match hit number of times increment of the second backup matching characteristic that described same application is corresponding and the formal matching characteristic of designated ratio compares;
When the described same match hit number of times increment of using the second corresponding backup matching characteristic during, delete the described same second corresponding backup matching characteristic of using, to upgrade described feature database less than the match hit number of times increment of the formal matching characteristic of designated ratio.
11. a message characteristic processing unit is characterized in that, comprising:
The information acquisition module is used to obtain the load information of current application message;
First identification module is used for using identification according to the load information of described current application message and the formal matching characteristic that is stored in feature database in advance;
The first feature acquisition module, be used for when described first identification module identifies the type of described current application message according to described formal matching characteristic, according to the load information of described current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, to use identification according to the described first backup matching characteristic.
12. message characteristic processing unit according to claim 11 is characterized in that, also comprises:
Second identification module, be used at described first identification module during, according to the load information of described current application message be stored in the backup of second in feature database matching characteristic in advance and use identification according to the unidentified type that goes out described current application message of described formal matching characteristic;
The feature comparison module is used for when the unidentified type that goes out described current application message of described second identification module, and the load information and the described formal matching characteristic of described current application message carried out characteristic similarity relatively;
The 3rd identification module, be used for when described feature comparison module relatively draws described feature database and has characteristic similarity with the load information of described current application message to satisfy the formal matching characteristic of default similarity threshold, the formal matching characteristic that satisfies default similarity threshold according to the characteristic similarity that obtains is discerned the type of described current application message;
The second feature acquisition module, be used for when described the 3rd identification module identifies the type of described current application message, according to the load information of described current application message, obtain the 3rd backup matching characteristic and storage, to use identification according to described the 3rd backup matching characteristic.
13. message characteristic processing unit according to claim 12 is characterized in that, the described second feature acquisition module comprises:
First obtains submodule, is used for the load information according to described current application message, obtains the 3rd backup matching characteristic;
First upgrades the recognin module, is used for storing described the 3rd backup matching characteristic into described feature database, and the described second backup matching characteristic is upgraded, to use identification according to second matching characteristic after upgrading.
14. message characteristic processing unit according to claim 13 is characterized in that, the described first feature acquisition module comprises:
Second obtains submodule, is used for the load information of described current application message and specifies the load information of the application message of number to carry out feature relatively before, obtains the described first backup matching characteristic;
Second upgrades the recognin module, is used for upgrading the described second backup matching characteristic according to the described first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.
15. message characteristic processing unit according to claim 14 is characterized in that, described second obtains submodule comprises:
Grouped element is used for the load information of described current application message and specifies the load information of the application message of number to divide into groups before, forms a plurality of load information groups;
First acquiring unit is used for the load information of each load information group is carried out feature relatively, obtains a plurality of son backup matching characteristics;
Second acquisition unit is used for described a plurality of son backup matching characteristics are carried out feature relatively, obtains the described first backup matching characteristic.
16., it is characterized in that described second upgrades the recognin module comprises according to claim 14 or 15 described message characteristic processing unit:
The 3rd acquiring unit is used for the type according to the described current application message that identifies, and obtains the second backup matching characteristic of described current application message correspondence;
Judging unit is used for judging whether the described first backup matching characteristic is present in the second backup matching characteristic of the described current application message correspondence of obtaining;
The feature updating block is used in the judged result of described judging unit the described first backup matching characteristic being stored in the described feature database, so that the described second backup matching characteristic is upgraded when not existing;
The number of times updating block is used in the judged result of described judging unit when existing, and the match hit number of times of the second backup matching characteristic that will be identical with the described first backup matching characteristic adds 1.
17. message characteristic processing unit according to claim 16 is characterized in that, also comprises:
The number of times update module, be used for according to described formal matching characteristic or the described second backup matching characteristic when identifying the type of described current application message, the match hit number of times of the formal matching characteristic of described current application message correspondence or the corresponding second backup matching characteristic is added 1.
18. message characteristic processing unit according to claim 17 is characterized in that, also comprises:
First update module is used for when default first update cycle arrives, the more same match hit number of times of corresponding formal matching characteristic and the match hit number of times of the second backup matching characteristic used; And during greater than the match hit number of times of formal matching characteristic, exchange the described same corresponding formal matching characteristic and the second backup matching characteristic used, to upgrade described feature database at the described same match hit number of times of using the second corresponding backup matching characteristic.
19. message characteristic processing unit according to claim 17 is characterized in that, also comprises:
Second update module is used for when default second update cycle arrives, and obtains same formal matching characteristic and the match hit number of times increment second backup matching characteristic of using correspondence; The match hit number of times increment of the match hit number of times increment of the second backup matching characteristic that described same application is corresponding and the formal matching characteristic of designated ratio compares; And at the described same match hit number of times increment of using the second corresponding backup matching characteristic during less than the match hit number of times increment of the formal matching characteristic of designated ratio, delete the described same second corresponding backup matching characteristic of using, to upgrade described feature database.
20. network equipment that comprises each described message characteristic processing unit of claim 11-19.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010594986A CN102025636B (en) | 2010-12-09 | 2010-12-09 | Message feature processing method and device as well as network equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010594986A CN102025636B (en) | 2010-12-09 | 2010-12-09 | Message feature processing method and device as well as network equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102025636A true CN102025636A (en) | 2011-04-20 |
| CN102025636B CN102025636B (en) | 2012-09-05 |
Family
ID=43866509
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010594986A Active CN102025636B (en) | 2010-12-09 | 2010-12-09 | Message feature processing method and device as well as network equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102025636B (en) |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102932203A (en) * | 2012-10-31 | 2013-02-13 | 东软集团股份有限公司 | Method and device for inspecting deep packets among heterogeneous platforms |
| CN103095604A (en) * | 2013-01-04 | 2013-05-08 | 海信集团有限公司 | System and method for identifying specific application of home network |
| CN103226583A (en) * | 2013-04-08 | 2013-07-31 | 北京奇虎科技有限公司 | Method and device for recognizing advertisement plugin |
| CN104796406A (en) * | 2015-03-20 | 2015-07-22 | 杭州华三通信技术有限公司 | Method and device for identifying application |
| CN105939328A (en) * | 2016-01-27 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for updating network attack feature library |
| CN106815049A (en) * | 2016-12-29 | 2017-06-09 | 杭州迪普科技股份有限公司 | The method and device of feature database upgrading |
| CN107426059A (en) * | 2017-08-28 | 2017-12-01 | 上海国云信息科技有限公司 | DPI equipment feature databases automatic update method, system, DPI equipment and cloud server |
| CN107483411A (en) * | 2017-07-25 | 2017-12-15 | 中国联合网络通信集团有限公司 | Business recognition method and system |
| CN107547536A (en) * | 2017-08-28 | 2018-01-05 | 新华三信息安全技术有限公司 | A kind of feature database update method and device |
| CN107707549A (en) * | 2017-09-30 | 2018-02-16 | 迈普通信技术股份有限公司 | A kind of device and method automatically extracted using feature |
| CN109150742A (en) * | 2018-08-13 | 2019-01-04 | 南京中新赛克科技有限责任公司 | A kind of flow screening system and its method based on network processing unit |
| CN109462598A (en) * | 2018-12-11 | 2019-03-12 | 江苏省未来网络创新研究院 | A method of extracting account information from network message |
| CN109492655A (en) * | 2017-09-11 | 2019-03-19 | 中国移动通信有限公司研究院 | A kind of feature extracting method, device and terminal |
| CN109639593A (en) * | 2018-12-24 | 2019-04-16 | 南京中孚信息技术有限公司 | A kind of upgrade method and device of deep packet inspection system |
| CN110213778A (en) * | 2018-02-28 | 2019-09-06 | 中兴通讯股份有限公司 | A kind of active and standby method and device intelligently matched of network element |
| CN110287699A (en) * | 2019-06-12 | 2019-09-27 | 杭州迪普科技股份有限公司 | The feature extracting method and device of application program |
| CN110808915A (en) * | 2019-10-21 | 2020-02-18 | 新华三信息安全技术有限公司 | Data stream affiliated application identification method and device and data processing equipment |
| WO2020207205A1 (en) * | 2019-04-08 | 2020-10-15 | Oppo广东移动通信有限公司 | Data recognition method, and terminal |
| CN112995172A (en) * | 2021-02-24 | 2021-06-18 | 合肥优尔电子科技有限公司 | Communication method and communication system for butt joint between Internet of things equipment and Internet of things platform |
| CN113890835A (en) * | 2021-09-29 | 2022-01-04 | 杭州迪普科技股份有限公司 | Method and device for processing DPI application test message |
| CN114254704A (en) * | 2021-12-20 | 2022-03-29 | 北京天融信网络安全技术有限公司 | HTTP tunnel detection method and device, electronic equipment and storage medium |
| CN115955521A (en) * | 2022-09-13 | 2023-04-11 | 武汉麦丰创新网络科技有限公司 | Method and system for identifying private message |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101035111A (en) * | 2007-04-13 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Intelligent protocol parsing method and device |
| CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
| CN101257454A (en) * | 2008-03-21 | 2008-09-03 | 北京星网锐捷网络技术有限公司 | Apparatus and method for managing band width |
| CN101510873A (en) * | 2009-03-20 | 2009-08-19 | 扬州永信计算机有限公司 | Method for detection of mixed point-to-point flux based on vector machine support |
| CN101867601A (en) * | 2010-05-14 | 2010-10-20 | 北京理工大学 | File-level P2P network flow identification method |
-
2010
- 2010-12-09 CN CN201010594986A patent/CN102025636B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
| CN101035111A (en) * | 2007-04-13 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Intelligent protocol parsing method and device |
| CN101257454A (en) * | 2008-03-21 | 2008-09-03 | 北京星网锐捷网络技术有限公司 | Apparatus and method for managing band width |
| CN101510873A (en) * | 2009-03-20 | 2009-08-19 | 扬州永信计算机有限公司 | Method for detection of mixed point-to-point flux based on vector machine support |
| CN101867601A (en) * | 2010-05-14 | 2010-10-20 | 北京理工大学 | File-level P2P network flow identification method |
Cited By (36)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102932203B (en) * | 2012-10-31 | 2015-06-10 | 东软集团股份有限公司 | Method and device for inspecting deep packets among heterogeneous platforms |
| CN102932203A (en) * | 2012-10-31 | 2013-02-13 | 东软集团股份有限公司 | Method and device for inspecting deep packets among heterogeneous platforms |
| CN103095604A (en) * | 2013-01-04 | 2013-05-08 | 海信集团有限公司 | System and method for identifying specific application of home network |
| CN103226583A (en) * | 2013-04-08 | 2013-07-31 | 北京奇虎科技有限公司 | Method and device for recognizing advertisement plugin |
| WO2014166312A1 (en) * | 2013-04-08 | 2014-10-16 | 北京奇虎科技有限公司 | Method and system for advertisement plug-in recognition |
| US9824212B2 (en) | 2013-04-08 | 2017-11-21 | Beijing Qihoo Technology Company Limited | Method and system for recognizing advertisement plug-ins |
| CN104796406B (en) * | 2015-03-20 | 2018-06-12 | 新华三技术有限公司 | A kind of application and identification method and device |
| CN104796406A (en) * | 2015-03-20 | 2015-07-22 | 杭州华三通信技术有限公司 | Method and device for identifying application |
| CN105939328A (en) * | 2016-01-27 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for updating network attack feature library |
| CN106815049A (en) * | 2016-12-29 | 2017-06-09 | 杭州迪普科技股份有限公司 | The method and device of feature database upgrading |
| CN106815049B (en) * | 2016-12-29 | 2020-01-03 | 杭州迪普科技股份有限公司 | Method and device for upgrading feature library |
| CN107483411A (en) * | 2017-07-25 | 2017-12-15 | 中国联合网络通信集团有限公司 | Business recognition method and system |
| CN107483411B (en) * | 2017-07-25 | 2020-01-31 | 中国联合网络通信集团有限公司 | Service identification method and system |
| CN107547536A (en) * | 2017-08-28 | 2018-01-05 | 新华三信息安全技术有限公司 | A kind of feature database update method and device |
| CN107547536B (en) * | 2017-08-28 | 2021-03-19 | 新华三信息安全技术有限公司 | Feature library updating method and device |
| CN107426059B (en) * | 2017-08-28 | 2021-02-05 | 上海国云信息科技有限公司 | DPI equipment feature library automatic updating method and system, DPI equipment and cloud server |
| CN107426059A (en) * | 2017-08-28 | 2017-12-01 | 上海国云信息科技有限公司 | DPI equipment feature databases automatic update method, system, DPI equipment and cloud server |
| CN109492655B (en) * | 2017-09-11 | 2021-08-06 | 中国移动通信有限公司研究院 | Feature extraction method and device and terminal |
| CN109492655A (en) * | 2017-09-11 | 2019-03-19 | 中国移动通信有限公司研究院 | A kind of feature extracting method, device and terminal |
| CN107707549A (en) * | 2017-09-30 | 2018-02-16 | 迈普通信技术股份有限公司 | A kind of device and method automatically extracted using feature |
| CN110213778A (en) * | 2018-02-28 | 2019-09-06 | 中兴通讯股份有限公司 | A kind of active and standby method and device intelligently matched of network element |
| WO2019165841A1 (en) * | 2018-02-28 | 2019-09-06 | 中兴通讯股份有限公司 | Master and standby pairing method and apparatus for network element |
| CN110213778B (en) * | 2018-02-28 | 2021-11-05 | 中兴通讯股份有限公司 | Method and device for intelligently pairing main network element and standby network element |
| CN109150742A (en) * | 2018-08-13 | 2019-01-04 | 南京中新赛克科技有限责任公司 | A kind of flow screening system and its method based on network processing unit |
| CN109462598B (en) * | 2018-12-11 | 2021-08-17 | 江苏省未来网络创新研究院 | Method for extracting account information from network message |
| CN109462598A (en) * | 2018-12-11 | 2019-03-12 | 江苏省未来网络创新研究院 | A method of extracting account information from network message |
| CN109639593A (en) * | 2018-12-24 | 2019-04-16 | 南京中孚信息技术有限公司 | A kind of upgrade method and device of deep packet inspection system |
| WO2020207205A1 (en) * | 2019-04-08 | 2020-10-15 | Oppo广东移动通信有限公司 | Data recognition method, and terminal |
| CN110287699A (en) * | 2019-06-12 | 2019-09-27 | 杭州迪普科技股份有限公司 | The feature extracting method and device of application program |
| CN110808915A (en) * | 2019-10-21 | 2020-02-18 | 新华三信息安全技术有限公司 | Data stream affiliated application identification method and device and data processing equipment |
| CN110808915B (en) * | 2019-10-21 | 2022-03-08 | 新华三信息安全技术有限公司 | Data stream affiliated application identification method and device and data processing equipment |
| CN112995172A (en) * | 2021-02-24 | 2021-06-18 | 合肥优尔电子科技有限公司 | Communication method and communication system for butt joint between Internet of things equipment and Internet of things platform |
| CN113890835A (en) * | 2021-09-29 | 2022-01-04 | 杭州迪普科技股份有限公司 | Method and device for processing DPI application test message |
| CN114254704A (en) * | 2021-12-20 | 2022-03-29 | 北京天融信网络安全技术有限公司 | HTTP tunnel detection method and device, electronic equipment and storage medium |
| CN115955521A (en) * | 2022-09-13 | 2023-04-11 | 武汉麦丰创新网络科技有限公司 | Method and system for identifying private message |
| CN115955521B (en) * | 2022-09-13 | 2023-08-11 | 武汉麦丰创新网络科技有限公司 | Private message identification method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102025636B (en) | 2012-09-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102025636B (en) | Message feature processing method and device as well as network equipment | |
| US7827299B2 (en) | Transitioning between historical and real time data streams in the processing of data change messages | |
| CN110569298B (en) | Data docking and visualization method and system | |
| CN111767327B (en) | Data warehouse construction method and system with dependency relationship among data streams | |
| CN115994251B (en) | Target projectile telemetering data analysis device and analysis system | |
| CN109582335A (en) | It is a kind of without interrupt storage cluster node online upgrading method, device and equipment | |
| CN110191109B (en) | Message sampling method and device | |
| CN107608860A (en) | A kind of method, apparatus, the equipment of error log classification storage | |
| CN110311953A (en) | A kind of media article uploads and storage system and method | |
| CN101247281A (en) | Protocol packet detecting method, system and equipment | |
| CN111049731A (en) | Instant chat application monitoring method and system | |
| CN112349340B (en) | Method for constructing waste equipment overwriting scheme library based on cyclic test | |
| CN102571923A (en) | Data synchronization system and method | |
| CN111181819A (en) | Serial port communication method for receiving multi-byte data frame based on linked list structure | |
| CN112187563B (en) | Method and device for counting time delay of main operation code | |
| CN110324208B (en) | Data loss processing method, intelligent terminal and storage medium | |
| CN112416557A (en) | Method and device for determining call relation, storage medium and electronic device | |
| CN111797150A (en) | Method and system for high concurrent data docking and forwarding | |
| CN116545740A (en) | Threat behavior analysis method and server based on big data | |
| CN108345902B (en) | Self-learning white list model base construction and white list detection method based on transaction characteristics | |
| CN114297216B (en) | Data synchronization method and device, computer storage medium and electronic equipment | |
| CN101827068A (en) | Business scenario reduction method and device | |
| CN110795043B (en) | Distributed storage block zeroing method and device, electronic equipment and storage medium | |
| JP2008108046A (en) | Transaction processing system, transaction processing method and program therefor | |
| CN113852610A (en) | Message processing method and device, computer equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |