CN102025636B - Message feature processing method and device as well as network equipment - Google Patents
Message feature processing method and device as well as network equipment Download PDFInfo
- Publication number
- CN102025636B CN102025636B CN201010594986A CN201010594986A CN102025636B CN 102025636 B CN102025636 B CN 102025636B CN 201010594986 A CN201010594986 A CN 201010594986A CN 201010594986 A CN201010594986 A CN 201010594986A CN 102025636 B CN102025636 B CN 102025636B
- Authority
- CN
- China
- Prior art keywords
- matching characteristic
- characteristic
- backup
- message
- application message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides a message feature processing method and device as well as network equipment, wherein the method comprises the following steps: acquiring the loading information of a current application message; carrying out application identification in accordance with the loading information of the current application message and formal matching features prestored in a feature library; and when the type of the current application message is identified by the formal matching features, acquiring a first backup matching feature and storing the first backup matching feature in accordance with the loading information of the current application message and the loading information of previous application messages with specified number so as to carry out application identification in accordance with the first backup matching features. By using the message feature processing method and device as well as the network equipment provided by the invention, the application messages are subject to the identification, simultaneously, new matching features generate in accordance with identified loading information of the application messages, and the subsequent application identification can be carried out in accordance with the new matching features, thus being capable of improving and the accuracy of application message identification and reducing the erroneous judgment rate.
Description
Technical field
The present invention relates to the communication technology, relate in particular to a kind of message characteristic processing method, device and the network equipment.
Background technology
Along with the fast development of Internet technology, the content of on network, carrying is more and more abundanter, and Internet service provider also provides increasing service content to the client, and simultaneously, these services are distinguished according to different application.The required resource information of different application is different usually, and this just requires the network equipment can identify various application, for various application provide best resource, to improve the utilance of network equipment resource.
Before often utilized port to carry out flow identification, and promptly the flow of various application had been studied, and summarized the corresponding one or more fixed ports of this flow, for example concluding the commercial port that draws KuGoo (KuGoo) software generic is 7000.When in the flow detection process, finding have the port of flow identical with the port of having summarized (for example port 7000); Confirm that then this flow belongs to and the corresponding flow of port of having summarized, to reach the purpose of recognition application (for example being identified as the KuGoo software application).
But plurality of applications software has not re-used fixed port at present; But frequent dynamic change port or port is set in software function is set supplies the user that port is set voluntarily; Even some software also uses other professional fixed ports; For example use port 80, with deception flow detection equipment.Therefore, above-mentioned flow rate testing methods based on port has not satisfied the demand of using identification.And because can there be different place usually in stream or message between the different application; Can identify different application through extracting different field; This different field that is used for discerning different application is called as condition code or keyword; Therefore, the prior art condition code of giving chapter and verse is again discerned the technical scheme of different application.
Application and identification method based on condition code mainly contains following several kinds at present: a kind of deep message that is based on message detects (Deep Packet Inspection; Abbreviate as: DPI); This method mainly is to carry out depth analysis through four layers of load to message; That extract that it comprises or the highest feature field of the frequency of occurrences combines some port and protocol information to form a kind of characteristic of application again, and with the characteristic storage that forms in feature database.Follow-up in the flow identifying, four layers of load and the port through extracting message, protocol information before mate in the feature database of storage, discern the affiliated application of message.Usually this method the position occurs to feature field has strict requirement.Another kind is based on depth detection (the Deep Flow Inspection of stream; Abbreviate as: DFI), this method mainly is based on the state of different application on session connection or data flow and has nothing in common with each other, and is long like the average packet of each stream, the characteristics such as the time interval that each bag arrives; Form a training set through a large amount of stream is analyzed then, produce a Matching Model by training set again.In follow-up flow identifying,, the preceding with it Matching Model that generates of concrete stream discerns the affiliated application of stream through being mated.
But; Along with the continual renovation of technology and the progressively development of network; Software version is constantly upgraded, and for example redaction constantly appears in software such as QQ, a sudden peal of thunder, and different editions software characteristic of correspondence sign indicating number tends to change; Concerning based on the application identification of condition code, can produce the inaccurate problem of identification like this because of the variation of condition code.In order to address this problem, each edition upgrading all needs the artificial operation of extraction again of carrying out a condition code, and the workload in this maintenance features storehouse is very heavy, and efficient is lower.In addition, this way can make that the characteristic that a certain application extracts is more and more, and feature extraction is many more, and the probability that causes judging by accident will improve greatly, and along with the progressively upgrading or the renewal of software version, this erroneous judgement probability can increase greatly.Therefore, how software version bring in constant renewal in or the situation of upgrading under, realize that the accurate recognition application type becomes to use the another difficult problem that identification faces.
Summary of the invention
The present invention provides a kind of message characteristic processing method, device and the network equipment, in order in software version update or when upgrading, and accurate recognition application message.
The present invention provides a kind of message characteristic processing method, comprising:
Obtain the load information of current application message;
Use identification according to the load information of said current application message and the formal matching characteristic that is stored in advance in the feature database;
When identifying the type of said current application message according to said formal matching characteristic; According to the load information of said current application message with specify the load information of the application message of number before; Obtain the first backup matching characteristic and storage, to use identification according to the said first backup matching characteristic.
The present invention provides a kind of message characteristic processing unit, comprising:
The information acquisition module is used to obtain the load information of current application message;
First identification module is used for using identification according to the load information of said current application message and the formal matching characteristic that is stored in feature database in advance;
The first characteristic acquisition module; Be used for when said first identification module identifies the type of said current application message according to said formal matching characteristic; According to the load information of said current application message with specify the load information of the application message of number before; Obtain the first backup matching characteristic and storage, to use identification according to the said first backup matching characteristic.
The present invention provides a kind of network equipment, comprises arbitrary message characteristic processing unit provided by the invention.
Message characteristic processing method provided by the invention, device and the network equipment; Be employed in when using message and discern; Load information according to the application message of having discerned generates new matching characteristic; And use the technical scheme of identification at the new matching characteristic of follow-up basis, and can follow and use the load information that identifying combines to use message in real time and carry out the automatic renewal of matching characteristic, can make matching characteristic change and change automatically with software release upgrade or renewal etc.; Therefore, even also accurate recognition application message of technical scheme of the present invention is adopted in software release upgrade or upgraded, reduce the erroneous judgement probability; Also solve in the prior art problem that needs the manual maintenance feature database because of software release upgrade or renewal simultaneously, improved the efficient in maintenance features storehouse.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art; To do one to the accompanying drawing of required use in embodiment or the description of the Prior Art below introduces simply; Obviously, the accompanying drawing in describing below is some embodiments of the present invention, for those of ordinary skills; Under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
The flow chart of the message characteristic processing method that Fig. 1 provides for the embodiment of the invention one;
The flow chart of the message characteristic processing method that Fig. 2 provides for the embodiment of the invention two;
The flow chart of the message characteristic processing method that Fig. 3 provides for the embodiment of the invention three;
Fig. 4 A is the flow chart of the message characteristic processing method that provides of the embodiment of the invention four;
Fig. 4 B is the flow chart of a kind of execution mode of step 404;
Fig. 4 C is the flow chart of a kind of execution mode of the said renewal process of step 410;
The structural representation of the message characteristic processing unit that Fig. 5 provides for the embodiment of the invention five;
Fig. 6 A is a kind of structural representation of the message characteristic processing unit that provides of the embodiment of the invention six;
Fig. 6 B is the another kind of structural representation of the message characteristic processing unit that provides of the embodiment of the invention six.
Embodiment
For the purpose, technical scheme and the advantage that make the embodiment of the invention clearer; To combine the accompanying drawing in the embodiment of the invention below; Technical scheme in the embodiment of the invention is carried out clear, intactly description; Obviously, described embodiment is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills are not making the every other embodiment that is obtained under the creative work prerequisite, all belong to the scope of the present invention's protection.
Embodiment one
The flow chart of the message characteristic processing method that Fig. 1 provides for the embodiment of the invention one.The executive agent of present embodiment can be arbitrary network equipment, and is as shown in Figure 1, and the message characteristic processing method of present embodiment comprises:
Step 101 is obtained the load information of current application message;
Wherein, when opening a certain application program or application software on the network equipment, have application corresponding message or application data usually and exist, in technical scheme of the present invention, will be referred to as the application message.This application message can be the message from other network equipments that the network equipment receives, and also can be the message that is sent to other network equipments by local network device, is referred to as the application message that is captured by the network equipment.The application message of present embodiment generally includes protocol information and payload content etc.; Wherein, protocol information typically refers to the five-tuple information of using message; For transmission control protocol (Transmission ControlProtocol; Abbreviate as: TCP) message, this five-tuple typically refer to source Internet protocol (InternetProtocol; Abbreviate as: IP) address, purpose IP address, IP agreement (being Transmission Control Protocol), tcp source port and TCP destination interface; For User Datagram Protocol (User Datagram Protocol; Abbreviate as: UDP) message, this five-tuple typically refer to source IP address, purpose IP address, IP agreement (being udp protocol), UDP source port and UDP destination interface.The said load information of this step mainly is meant the information of obtaining according to the payload content of using in the message relevant with application.
Concrete, when the network equipment captures the application message,, obtain information such as its load information and five-tuple through carrying out protocal analysis to using message.For example: the network equipment knows that through protocol analysis using message is the TCP message; Then will obtain source IP address, purpose IP address, Transmission Control Protocol, tcp source port and the TCP destination interface of using in the message and use payload content that message carries etc., and further extract load information.
Step 102 is used identification according to the load information of current application message and the formal matching characteristic that is stored in advance in the feature database;
Wherein, get access to the load information of using message when the network equipment after, can combine to use the five-tuple information of message, in feature database, mate, promptly with feature database in formal matching characteristic mate one by one, to discern to using message.Wherein, when in feature database, matching the formal matching characteristic consistent, can discern this application message and belong to the corresponding application type of formal matching characteristic that matches with load information, and execution in step 103; After carrying out matching operation with all formal matching characteristics; Do not match the formal matching characteristic consistent with load information; Then explanation can not identify the type of current application message according to formal matching characteristic; At this moment, the network equipment can end operation or is carried out other operations, does not limit in the present embodiment.
Wherein, be stored in formal matching characteristic in the feature database and be in advance according to the feature extraction of various application software or application program, normally extract in advance and store in the feature database with manual type.
Step 103; When identifying the type of current application message according to formal matching characteristic; According to the load information of current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, to use identification according to the first backup matching characteristic.
Wherein, specify the application message of number to be meant before the current application message before, identified by the network equipment belong to same application with the current application message several use messages.For the number of using message before specified, present embodiment is not done concrete qualification, can carry out the adaptability setting according to different application software or program.
In the practical implementation process, message and load information thereof are used in storage when the network equipment identifies the type of using message, and can use message a plurality of application messages and load information thereof afterwards to this and store.Like this when the network equipment recognizes the current application message and identifies the type of current application message; Can according to before the load information of load information and current application message that belongs to a plurality of application messages of same type with this current application message of storage obtain the first backup matching characteristic, and the first backup matching characteristic is stored; When the network equipment captures the application message once more, can the formal matching characteristic of storing in advance be combined with this first backup matching characteristic the application message that newly captures is discerned; Present embodiment described " combination " is meant earlier uses identification according to the formal matching characteristic of storage in advance, in the time can't identifying the type of using message according to formal matching characteristic, utilizes the first backup matching characteristic to use identification again.
Wherein, when application software or program do not change, the first backup matching characteristic that obtains might Already in formal matching characteristic in, at this moment, the first backup matching characteristic can not influence using the identification of message; If the first backup matching characteristic is not present in the formal matching characteristic, explain that the first backup matching characteristic belongs to new application characteristic, for example maybe be because the edition upgrading or the renewal of application software or program cause application characteristic that variation has taken place; Because the load information that the application message carries can change with the variation of application software or program; Therefore; The first backup matching characteristic that the load information of the application message that basis has identified in using identifying generates can reflect the situation of change of application software or program in real time, at this moment, uses identification in conjunction with the first backup matching characteristic; Can improve the accuracy when the subsequent applications message discerned greatly, reduce the erroneous judgement probability.
Further; Because the first backup matching characteristic obtains in using identifying in real time; The first backup matching characteristic combined with formal matching characteristic use identification, be equivalent to real-time change (for example edition upgrading or renewal) real-time update matching characteristic or real-time servicing feature database according to application software or program, this mode is different by the manual maintenance feature database with prior art; Reduce the difficulty and the workload in maintenance features storehouse, improved the efficient in maintenance features storehouse.
Based on above-mentioned; The message characteristic processing method that present embodiment provides is through using in the process of identification the first backup matching characteristic of reaction of formation application software or change of program situation according to the load information of using message; And combine the first backup matching characteristic to carry out subsequent applications identification; Greatly improved the accuracy of using identification, especially when application software or program upgrade or renewal, this technique effect will be more obvious.
Further; Present embodiment provides a kind of embodiment of step 103; Specifically being meant provides a kind of execution mode that uses the first backup matching characteristic; This execution mode specifically comprises: step 1031, with the load information of current application message with specify the load information of the application message of number to carry out characteristic relatively before, obtain the first backup matching characteristic; Step 1032, upgrade according to the first backup matching characteristic and to be stored in the backup of second in feature database matching characteristic in advance, to use identification according to the second backup matching characteristic after upgrading.
In the above-described embodiment, except storing the formal matching characteristic that obtains in advance, also store the backup matching characteristic that obtains in advance in the feature database, i.e. the second backup matching characteristic; And formal matching characteristic priority is higher than the backup matching characteristic, and is different from the backup matching characteristic.Wherein, present embodiment " being stored in the backup of second in feature database matching characteristic in advance " was meant before upgrading operation with the first backup matching characteristic and stores the backup of second in feature database matching characteristic into.The present embodiment mode is stored in the backup of second in feature database characteristic in advance through upgrading with the first backup matching characteristic; When failing to identify the type of using message according to formal matching characteristic; And when further discerning using message through the second backup matching characteristic; Can bring into play the effect of the first backup matching characteristic, and because the first backup matching characteristic has reacted application software or change of program situation, therefore; Can further improve the accuracy of the type of recognition application message, reduce the erroneous judgement probability.
Embodiment two
The flow chart of the message characteristic processing method that Fig. 2 provides for the embodiment of the invention two.Present embodiment can be based on embodiment one, repeats no more with the something in common of embodiment one.As shown in Figure 2, the message characteristic processing method of present embodiment comprises:
Step 203 according to the load information of current application message with specify the load information of the application message of number before, is obtained the first backup matching characteristic and storage, using identification according to the first backup matching characteristic, and finishes this identifying operation;
Step 204 is according to the load information of current application message be stored in second in feature database backup matching characteristic in advance and use identification.
Wherein, step 201-step 203 can be referring to the description among the embodiment one.In the present embodiment, except storing the formal matching characteristic that obtains in advance, also store the backup matching characteristic that obtains in advance in the feature database, i.e. the second backup matching characteristic; The formal matching characteristic priority of obtaining in advance is higher than obtains the backup matching characteristic in advance, and is different from the backup matching characteristic.
Step 204 is specially: mate one by one according to the load information of current application message and five-tuple and the second backup matching characteristic; When matching the second backup matching characteristic consistent, can discern this application message and belong to the corresponding application type of the backup of second in coupling matching characteristic with load information and five-tuple; Otherwise, explain, fail to identify the type of current application message according to the second backup matching characteristic.
The message characteristic processing method that present embodiment provides; Be employed in when failing to identify the type of using message according to formal matching characteristic; Back up matching characteristic further to using the technical scheme that message is discerned through second; Can further improve the accuracy of the type of recognition application message, reduce the erroneous judgement probability.
Embodiment three
The flow chart of the message characteristic processing method that Fig. 3 provides for the embodiment of the invention three.Present embodiment is based on embodiment one and embodiment two, and the something in common of itself and previous embodiment repeats no more, and as shown in Figure 3, the message characteristic processing method of present embodiment comprises:
Step 303 according to the load information of current application message with specify the load information of the application message of number before, is obtained the first backup matching characteristic and storage, using identification according to the first backup matching characteristic, and finishes this identifying operation;
Step 305 is carried out characteristic similarity relatively with the load information of current application message and the formal matching characteristic in the feature database, and according to whether existing characteristic similarity to satisfy the formal matching characteristic of preset similarity threshold in the preset similarity threshold judging characteristic storehouse; When comparative result draws in the feature database characteristic similarity that exists with the load information of current application message and satisfies the formal matching characteristic of preset similarity threshold, execution in step 306; Otherwise, execution in step 307.
Particularly, can the load information of current application message be carried out similarity one by one with formal matching characteristic and calculate, and whether judging characteristic similarity value is greater than the similarity threshold that is provided with in advance; And according to type greater than the pairing formal matching characteristic recognition application message of the characteristic similarity value of similarity threshold; Can identify the current application message through step 306 and belong to the corresponding application type of formal matching characteristic that this characteristic similarity that obtains satisfies preset similarity threshold.
Wherein, step 305 and step 306 are used in the time still can not identifying the type of using message according to the second backup matching characteristic, doing further identification to using message; Again to the similarity coupling, its condition for identification progressively relaxes, and to strive for correctly identifying the type of using message, improves the probability of correct recognition application message and the discrimination of message from formal matching characteristic to the second backup matching characteristic.
Illustrate " characteristic similarity relatively ", for example: assumed load information is 01030406, and a certain formal matching characteristic is 01020406, and similarity threshold is set to 70%; Can know that according to judging the formal matching characteristic of load information and this only has a characteristic different, its similarity value is 75%, greater than similarity threshold, uses the application type that message belongs to formal matching characteristic 01020406 correspondence so can identify, and end operation.When identifying the type of using message according to similarity threshold; Explain that the load information of this moment is similar with formal matching characteristic but have any different that this load information possibly mean that variation has taken place for application software or program, and can reflect the variation that is taken place; Therefore; This load information as the 3rd backup matching characteristic, is discerned the subsequent applications message being used for, can be improved the accuracy when the subsequent applications message discerned.
Wherein, if when failing to get access to the similarity value, explain then with this mode and still fail correctly to identify the type of using message that this moment also can execution in step 307, i.e. end operation greater than the formal matching characteristic of similarity threshold.Can also return failure information simultaneously in this case.
The present embodiment technical scheme is carried out characteristic similarity relatively through the load information to the current application message with formal matching characteristic; When still failing to identify the type of using message, to do further identification according to the second backup matching characteristic; Can further improve the accuracy when current application discerned, reduce the erroneous judgement probability; And in the time can identifying the type of using message, the load information of storage current application message to be to be used for the process of subsequent applications identification, the accuracy in the time of can improving subsequent applications identification.
Technical scheme based on above-mentioned each embodiment of the present invention; Present embodiment provides a kind of and specifically uses identification mode according to the first backup matching characteristic; Promptly upgrade the second backup matching characteristic, to bring into play the effect of the first backup matching characteristic with the first backup matching characteristic.This method can be used as a kind of embodiment of step 103, step 203 or step 303; Specifically comprise: step a; With the load information of current application message with specify the load information of the application message of number to carry out characteristic relatively before, obtain the first backup matching characteristic; Step b upgrades the second backup matching characteristic according to the first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.
Need explanation at this; The second backup matching characteristic in step b is meant that equally utilizing the first backup matching characteristic to upgrade operation stores the backup of second in feature database matching characteristic before into; For the second backup matching characteristic is to obtain in which way and store into not do qualification in the feature database, for example: can be that manual work is extracted and stored in the feature database.
Wherein, the execution mode of a kind of step a comprises: step a1 with the load information of current application message with specify the load information of the application message of number to divide into groups before, forms a plurality of load information groups; Step a2 carries out characteristic relatively with the load information in each load information group, obtains a plurality of son backup matching characteristics; Step a3 carries out characteristic relatively with a plurality of son backup matching characteristics, obtains the first backup matching characteristic.Particularly, in the network equipment, a memory space can be set, be used to store the application message that has identified under every kind of application type; Simultaneously, a packet accouter is set, is used to count the number that the same application type of having stored is used message down.When packet accouter counting reaches when specifying number (is example with 19), the network equipment divides into groups the load information of current application message and the load informations of 19 application messages of same type before; Suppose to be divided into 4 groups (generally dividing into groups according to the storage order of using message), then every group comprises 5 load informations of using message; Load information in every group is compared, obtain 5 and use that different load informations backs up matching characteristic as son in the messages; Can obtain 4 son backup matching characteristics so altogether, then these 4 son backup matching characteristics compared again, obtain the son that is different from the formal matching characteristic and back up matching characteristic as the first backup matching characteristic.But the execution mode of step a is not limited to this, for example also can directly 20 application messages of the same type be compared, and obtains the first backup matching characteristic.
Further, provide a kind of embodiment of step b below, specifically comprise:
Step b1 according to the type of the current application message that identifies, obtains the second corresponding backup matching characteristic of current application message; Obtain the second backup matching characteristic that belongs to the current application message in a plurality of second backup matching characteristics of promptly from feature database, storing.
Step b2 judges whether the first backup matching characteristic is present in the second backup matching characteristic of the current application message correspondence of obtaining; If being the first backup matching characteristic, judged result is not present in the second backup matching characteristic of the current application message correspondence of obtaining, then execution in step b3; Otherwise, execution in step b4.
Step b3 is stored in the first backup matching characteristic in the feature database, so that the second backup matching characteristic is upgraded; Be about to the first backup matching characteristic and store in the feature database,, and finish to upgrade operation as a kind of second new backup matching characteristic.
Step b4, the match hit number of times of the second backup matching characteristic that will be identical with the first backup matching characteristic adds 1, and finishes to upgrade operation.
In this technical scheme, in advance for each backup matching characteristic and formal matching characteristic are provided with match hit time counter, with record match hit number of times.For example: when the formal matching characteristic of basis in step 302 identifies the type of current application message; A certain formal matching characteristic in the load information coupling of current application message is described, the match hit number of times of the formal matching characteristic during then that the current application message is corresponding formal matching characteristic promptly matees adds 1; Again for example: when in step 304 according to the second backup matching characteristic when identifying the type of current application message; The a certain second backup matching characteristic in the load information coupling of current application message is described, the match hit number of times of the second backup matching characteristic during second then that the current application message is the corresponding backup matching characteristic promptly matees adds 1.And in step b4; When having the second backup matching characteristic identical in the second corresponding backup matching characteristic of current application message with the first backup matching characteristic; The second backup matching characteristic that then should be identical with the first backup matching characteristic can be by in the coupling; Therefore, its match hit number of times is also added 1.Each the formal matching characteristic that passes through like this to be write down and the second backup matching characteristic can be judged the similarity of matching characteristic and current application by the number of times in mating; For example: the match hit number of times is many more, explains that the pairing formal matching characteristic or the second backup matching characteristic can embody the characteristic of current application more.
In addition, based on technique scheme, present embodiment also provides a kind of concrete occupation mode of the 3rd backup matching characteristic.Concrete; Directly store into the 3rd backup matching characteristic in the feature database; Use as a kind of second new backup matching characteristic, promptly upgrade the second backup matching characteristic, and carry out follow-up application identification according to the second backup matching characteristic after upgrading; To improve the accuracy of using identification, realized that simultaneously feature database is with the upgrading of software version or dynamically updating and safeguarding of renewal.In like manner; Present embodiment second the backup matching characteristic be meant utilize the 3rd the backup matching characteristic upgrade the operation before store in the feature database; For example: can be the second backup matching characteristic that is extracted and stored by manual work at first, also can be the second backup matching characteristic after being upgraded by step b.
In this explanation; In technique scheme; The first backup matching characteristic, the second backup matching characteristic and the 3rd backup matching characteristic all belong to when formal matching characteristic can't the recognition application message; Used backup matching characteristic when being used for further recognition application message, three's difference are mode and the asynchronism(-nization) obtaining or generate.But need explanation; The occupation mode of the first backup matching characteristic and the 3rd backup matching characteristic is not limited to this; Also can the first backup matching characteristic or the 3rd backup matching characteristic be used as formal matching characteristic; For example directly use the first backup matching characteristic or the 3rd backup matching characteristic that formal matching characteristic is upgraded, also can reach the purpose of utilizing the first backup matching characteristic or the 3rd backup matching characteristic that the subsequent applications message is discerned.
Further, on the basis of above-mentioned match hit number of times technical scheme, present embodiment also provides the operating procedure of upgrading feature database.Concrete, set a update cycle, promptly first update cycle for example was the grade setting update cycle with the sky, when finishing in one day, can upgrade feature database according to the match hit number of times of the formal matching characteristic and the second backup matching characteristic.For example: can obtain match hit number of times and the match hit number of times of the second backup matching characteristic of the formal matching characteristic of same application through detection, and the match hit number of times of the formal matching characteristic of same application and the match hit number of times of the second backup matching characteristic are carried out size comparison; When the match hit number of times of the second backup matching characteristic of same application during greater than the match hit number of times of formal matching characteristic; Explain that the second backup matching characteristic more can embody the characteristic of this application; Then exchange the second backup matching characteristic and formal matching characteristic; To accomplish renewal to the matching characteristic of this application; Be about to the match hit number of times greater than the second backup matching characteristic of the match hit number of times of formal matching characteristic as new formal matching characteristic, with original formal matching characteristic as the backup matching characteristic; Otherwise, finish to upgrade operation.After by the way the matching characteristic of all application being upgraded, can accomplish renewal to feature database.Wherein, also can regard as to the renewal of the second backup matching characteristic with to the renewal of formal matching characteristic the renewal of feature database.
Through technique scheme, can make the variation of feature database adaptation application software or application program, improve the accuracy of subsequent applications identifying; And the mode of this renewal feature database is carried out fully automatically, and simply easy to implement, compared with prior art, has reduced the workload and the difficulty in renewal or maintenance features storehouse, has improved the efficient in maintenance features storehouse.
Further again, it is a kind of through upgrading the execution mode that the second backup matching characteristic upgrades feature database that present embodiment provides in addition.Concrete, preestablish a update cycle, i.e. second update cycle is for example hour being the grade setting update cycle.This update method specifically comprises: when second update cycle arrived, at first obtain formal matching characteristic and the match hit number of times increment second backup matching characteristic of same application; Wherein, the mode of obtaining match hit number of times increment can be when the match hit time numerical value of record finished with the update cycle last time when this update cycle is finished the inferior numerical value of match hit of record do poor.Then, the match hit number of times increment with the formal matching characteristic of match hit number of times increment and the designated ratio of the second backup matching characteristic of this application compares; When the match hit number of times increment of the second backup matching characteristic of this application during less than the match hit number of times increment of the formal matching characteristic of designated ratio; Explain that this second backup matching characteristic is out-of-date; Can't react the characteristic of current application, upgrade to back up matching characteristic second so can delete the second backup matching characteristic of this application; Otherwise, finish to upgrade operation.For example: setting for second update cycle is 1 hour; Designated ratio is 50%; And the match hit number of times of second of a certain application of the record backup matching characteristic was 30 when second update cycle of last time finished, and the match hit number of times of the formal matching characteristic of this application of record is 50; When finishing in 1 hour; The match hit number of times that the network equipment obtains the second backup matching characteristic of this application is 40; The match hit number of times that obtains the formal matching characteristic of this application is 90; Not obtain the match hit number of times increment with formal matching characteristic of the second backup matching characteristic be 10 and 40 through doing difference, relatively draws: the match hit number of times increment of the second backup matching characteristic is less than 50% of the match hit number of times increment of formal matching characteristic, therefore; Delete the second backup matching characteristic of this application, to upgrade the second backup matching characteristic.After matching characteristic upgrades to second backup of all application through technique scheme, can accomplish renewal to feature database.
Can discharge memory space on the one hand through this technical scheme, through reducing the quantity of the second backup matching characteristic, can improve the rate matched of aforementioned each matching process on the other hand, reduce the resource consumption in the matching process.
Need explanation at this, the network equipment can adopt above-mentioned a kind of mode to upgrade feature database, also can adopt above-mentioned dual mode to upgrade feature database simultaneously.Wherein, When adopting dual mode to upgrade feature database; Preferably setting for second update cycle was less than or equal to for first update cycle, and the second out-of-date backup matching characteristic is deleted earlier, and the quantity of the second backup matching characteristic has been reduced; The efficient of carrying out the formal matching characteristic and the swap operation of backup matching characteristic can be improved, the efficient of upgrading feature database can be improved on the whole.
Below with equipment Network Based, with detailed, complete embodiment technical scheme of the present invention is described comprehensively.
Embodiment four
Fig. 4 A is the flow chart of the message characteristic processing method that provides of the embodiment of the invention four.Shown in Fig. 4 A, the method for present embodiment comprises:
Wherein, N1 is predefined greater than 1 integer value.In the network equipment, for each matching characteristic all is provided with a match hit time counter, be used to write down matching characteristic in advance, with the adaptedness of expression matching characteristic and application software current state by the number of times of match hit.The match hit number of times is big more, explains that this matching characteristic can embody the characteristic of application software more.Wherein, this N1 use message for identified, belong to the application message of same application with the current application message, and this N1 application message and current application message are together as a mirror image message.
Fig. 4 B is the flow chart of a kind of execution mode of step 404, and this execution mode specifically comprises: the mirror image message quantity of the current application that step 4041, the network equipment have been preserved through mirror image umber counter records; During by mirror image, this mirror image umber counter adds 1 as new application message, and judges whether mirror image umber rolling counters forward surpasses predefined count threshold, when judged result when being, execution in step 4042; Otherwise execution in step 4043.In the present embodiment, count threshold is N2, and N2 is predefined greater than 1 integer value.When mirror image umber rolling counters forward arrived N2, coexistence contained the individual application message of (N2+1) * (N1+1) on the network equipment.
Wherein, vertically characteristic relatively is meant the N1+1 in every part of mirror image message load information and the five-tuple of using message is carried out characteristic relatively, obtains son backup matching characteristic; Will get access to N2+1 son backup matching characteristic in the present embodiment.Transverse features relatively is meant the N2+1 that obtains a son backup matching characteristic is carried out characteristic relatively, therefrom to extract the characteristic outside the formal matching characteristic.
Wherein, Through the operation of carrying out the oldest a mirror image message of deletion can make extract other characteristics based on N2+1 part mirror image message follow the behaviour in service dynamic change of application software; And the application message when having considered that application software is up-to-date and being unlocked guarantees that other characteristics of extracting can reflect the up-to-date characteristics of application software.
Further; The by way of example of " deleting the oldest a mirror image message " that present embodiment provides specifically can be carried out adaptations according to the umber of the mirror image message of preserving in advance and the count threshold of setting; The umber of the mirror image message that for example ought preserve in advance is N2+3, and the count threshold of setting is N2, then can delete 3 parts of the oldest mirror image messages; Discharge memory space satisfying under the condition of count threshold; But also be not limited thereto,, and only adopt nearest N2 part mirror image message if there are enough memory spaces also can not delete.The scheme of " deleting the oldest a mirror image message " that present embodiment provides is a kind of optimal way.
Can extract new backup matching characteristic according to the application message that identifies through this step 404, feature database upgraded being used for.
Step 406 is upgraded the corresponding match hit time counter of backup matching characteristic in the coupling, and is changeed and go execution in step 410;
Step 409 writes feature database with newly-generated backup matching characteristic, and continues execution in step 410;
Step 410 is upgraded operation to feature database.
Wherein, Fig. 4 C is the flow chart of a kind of execution mode of the said renewal process of step 410, and this execution mode comprises:
Step 4091 starts renewal and operates, and wherein, the renewal of present embodiment is operating as a kind of trigger action, for example: can start according to the preset update cycle and upgrade operation, promptly when the update cycle is preset in timer timing arrival, trigger and upgrade operation; Again for example: also can trigger to start and upgrade operation, promptly when having new backup matching characteristic to generate and being written into feature database, trigger to start and upgrade operation by newly-generated backup matching characteristic.The condition that operation is upgraded in the triggering that present embodiment provides is a kind of optimal way.
Whether step 4092 exists on all four matching characteristic in the judging characteristic storehouse, this matching characteristic comprises formal matching characteristic and backup matching characteristic, if exist, and execution in step 4093, otherwise, execution in step 4094.
Step 4093 is deleted one of them matching characteristic, and execution in step 4094; Concrete, if identical matching characteristic is formal matching characteristic, then delete one of them formal matching characteristic; If identical matching characteristic is the backup matching characteristic, then delete one of them backup matching characteristic; If when formal matching characteristic was identical with the backup matching characteristic, then matching characteristic was backed up in deletion.
Step 4094 scans the backup matching characteristic in the feature database, and judges whether to exist the backup matching characteristic of match hit number of times increment less than the match hit number of times increment of the formal matching characteristic of the same application of designated ratio; If then execution in step 4095, on the contrary execution in step 4096.
Step 4095, deletion match hit number of times increment is less than the backup matching characteristic of the match hit number of times increment of the formal matching characteristic of designated ratio, and execution in step 4096.
Step 4096, formal matching characteristic that contrasts same application and backup matching characteristic, and whether the match hit number of times of judging formal matching characteristic is less than the match hit number of times of backup matching characteristic; If then execution in step 4097, otherwise, execution in step 4098.
Step 4097 is exchanged formal matching characteristic and the match hit number of times backup matching characteristic greater than formal matching characteristic, and execution in step 4098.
Step 4098, this upgrades EO.
Wherein, Step 4092 and step 4093, step 4094 and step 4095 and step 4096 and step 4097 are renewal operations of database being carried out from three aspects; Three kinds upgrade operation can executed in parallel; Can adopt also wherein that any one or its combination, present embodiment provide to upgrade the execution modes that operation combines with three kinds be a kind of optimal way.
The technical scheme of above-mentioned renewal feature database, one side can improve the efficient of updating maintenance feature database, can improve the accuracy of using identification when the feature database after application update is used identification on the other hand.
Based on above-mentioned, will combine practical application below the present embodiment, the branch situation specifies the flow process of above operation.At first suppose the formal matching characteristic of initialization in advance; And that wherein exist to use A is characterized as 0B 0C0D 0E; And pre-configured mirror image umber counter threshold PKTCNT is 2, update cycle DAYCNT is 2, the designated ratio DELMIN in the update cycle be 50% and similarity threshold LIKERATE be 20% etc.
First kind of situation: suppose that formal matching characteristic is hit.Concrete operations are following:
Open and use A, receive the message of using A, its load information is 0B 0C 0D 0E 00 00 01 0203, and load information and formal matching characteristic are mated; If match hit is carried out mirror image and preservation with current message and back 4 messages that belong to same stream, the mirror image of these 5 messages makes mirror image umber counter add 1 as a mirror image message; The value of current mirror image umber counter is compared with preset mirror image umber counter threshold values PKTCNT; If the value of current mirror image umber counter less than mirror image umber counter threshold values PKTCNT, then equally continues for the first time together to carry out mirror image to using message when opening application A next time, and the memory image message; Otherwise, to the mirror image message of the current application A that preserves carry out vertical characteristic relatively with transverse features relatively, extract and back up matching characteristic, delete the oldest a mirror image message.Wherein, each a mirror image message of using A of opening carries out characteristic and more promptly constitutes once vertically characteristic relatively, to repeatedly vertically the result of characteristic comparison carry out characteristic and relatively constitute transverse features and compare.Wherein, opening the first five the message load result who uses A for the first time is: 1,0B 0C 0D 0E 00 00 01 02 03; 2,0B 0C 0D 0E 01 00 01 02 03; 3,0B 0C 0D 0E 02 00 01 02 03; 4,0B 0C 0D0E 03 00 01 02 03; 5,0B 0C 0D 0E 04 00 01 02 03; The result that for the first time vertical characteristic is relatively extracted is: 0B 0C 0D 0E XX 00 01 02 03; Opening the first five the message load result who uses A for the second time is: 1,0B 0C 0D 0E 00 00 01 02 03; 2,0B 0C 0D 0E 00 00 01 02 04; 3,0B 0C 0D 0E 00 00 01 02 05; 4,0B 0C 0D 0E 00 00 01 02 06; 5,0B 0C 0D0E 00 00 01 02 07; The result that for the second time vertical characteristic is relatively extracted is: 0B 0C 0D 0E XX 00 0102XX; The result that twice vertical characteristic relatively extracted is: 0B 0C 0D 0E XX 00 01 02 03; 0B0C 0D 0E XX 00 01 02 XX; The result that twice vertical characteristic relatively extracted carries out the result that transverse features relatively extracts: 0B 0C 0D 0E XX 00 01 02 XX; That extracts is characterized as: 0B 0C 0D0E XX 00 01 02 XX, remove the 0B 0C 0D 0E that has existed in the formal matching characteristic, and the backup matching characteristic that finally obtains is: 00 01 02.The backup matching characteristic that next will obtain compares with the backup matching characteristic of having stored, and its result sees the step 404 in the foregoing description for details, follow-up repeating no more.
Second kind of situation: suppose that formal matching characteristic is not hit.Concrete operations are following:
Open and use A, receive the message of using A, suppose that its load information is 0B 00 0D 0E 00 00 0,202 03, its load information is mated with formal matching characteristic storehouse 0B 0C 0D 0E; The result is not in mating, and then the load information with message matees with backup matching characteristic 00 01 02; The result is not also in mating; The load information of message is carried out the similarity coupling with formal matching characteristic 0B 0C 0D 0E; Discovery has only character 0C to become 00; Similarity is 3/4 greater than similarity threshold values LIKERATE, and load information 0B 00 0D 0E is deposited in the feature database as new backup matching characteristic.
The third situation: suppose that the update cycle arrives.Then concrete the renewal operated as follows:
Suppose that the update cycle is a day rank, formal matching characteristic and backup matching characteristic are scanned, the matching characteristic of deletion condition code repetition; One by one each is used corresponding formal matching characteristic and scan, to upgrade formal matching characteristic and backup matching characteristic according to the match hit number of times with the backup matching characteristic.As stated, the formal matching characteristic of using A has: 0B 0C 0D 0E, the backup matching characteristic has: 00 01 02 with 0B 00 0D 0E.If find the match hit number of times of the match hit number of times of formal matching characteristic less than the backup matching characteristic; The match hit number of times of the formal matching characteristic 0B 0C 0D 0E of for example above-mentioned application A is less than the match hit number of times of backup matching characteristic 00 01 02; Then with 0B 0C 0D 0E as the backup matching characteristic, and with 00 01 02 as formal matching characteristic; The match hit number of times of matching characteristic is respectively backed up in scanning simultaneously; The match hit number of times increment of supposing 0B 00 0D 0E in DAYCNT days this update cycle less than the match hit number of times increment of the formal matching characteristic of designated ratio DELMIN; Then should back up matching characteristic 0B 00 0D 0E deletion, the final renewal operation of accomplishing feature database.
Description through above-mentioned overall flow to technical scheme of the present invention; And can know that to the independent explanation of various situation the message characteristic processing method of present embodiment is actually a kind of and is identifying the method for extracting matching characteristic on the basis of using type of message.This method has the following advantages: 1, come constantly to extract the characteristic of using through the mode of extracting the backup matching characteristic simultaneously, make the characteristic of application more and more accurate, have the advantage that dynamically updates; 2, bring in constant renewal in the state of the match hit time counter of corresponding matching characteristic through the application of real network environment; Confirm through regularly more newly arriving that more current that matching characteristic is for optimum; Back up the conversion between matching characteristic and the formal matching characteristic; Can come Dynamic Selection Optimum Matching characteristic according to different network environments, have very strong flexibility; 3, the coupling of the similarity through matching characteristic has only the application of minor variations to some characteristics, and stronger adaptability is arranged, and makes identification healthy and strong more.Therefore, adopt technical scheme of the present invention can solve most of software, have advantages such as accuracy height, flexible operation, False Rate be low owing to upgraded version causes discerning inaccurate problem; Through a backup of automatic generation matching characteristic, well solved because the wrong problem of characteristic that characteristic is complete or extract is extracted in manual work, have very strong robustness, significantly reduced the maintenance work of feature database, improved the efficient in maintenance features storehouse.
Embodiment five
The structural representation of the message characteristic processing unit that Fig. 5 provides for the embodiment of the invention five.As shown in Figure 5, the message characteristic processing unit of present embodiment comprises: information acquisition module 51, first identification module 52 and the first characteristic acquisition module 53.
Wherein, information acquisition module 51 is used to obtain the load information of current application message; First identification module 52 is connected with information acquisition module 51, is used for using identification according to the load information of current application message and the formal matching characteristic that is stored in feature database in advance; Wherein, information acquisition module 51 can also obtain the five-tuple information of current application message, and first identification module 52 can be used identification according to the load information and the five-tuple of current application message simultaneously.The first characteristic acquisition module 53; Be connected with first identification module 52 with information acquisition module 51 respectively; Be used for when first identification module 52 identifies the type of current application message according to formal matching characteristic; According to the load information of current application message with specify the load information of the application message of number before, obtain the first backup matching characteristic and storage, to use identification according to the first backup matching characteristic.Wherein, specify the application message of number to be meant before the current application message before, identified by the message characteristic processing unit belong to same application with the current application message several use messages.
Wherein, The message characteristic processing unit of present embodiment also comprises feature database 54 and memory module 55; Wherein, Feature database 54 is used to store matching characteristic (comprise formal matching characteristic with backup matching characteristic), and memory module 55 can be used for the contents such as application message of storing the current application message and specifying number before.First identification module 52 is connected with feature database 54, and the first characteristic acquisition module 53 is connected with memory module 55.
The message characteristic processing unit of present embodiment; Can be used for carrying out the flow process of the message characteristic processing method that the embodiment of the invention provides; Through using in the process of identification according to the load information of using message; The first backup matching characteristic of reaction of formation application software or change of program situation, and combine the first backup matching characteristic to carry out subsequent applications identification, greatly improved the accuracy of using identification; Especially when application software or program upgrade or renewal, this technique effect will be more obvious.
Embodiment six
Fig. 6 A is a kind of structural representation of the message characteristic processing unit that provides of the embodiment of the invention six.Present embodiment realizes that based on embodiment five shown in Fig. 6 A, the message characteristic processing unit of present embodiment also comprises: second identification module 56, characteristic comparison module 57, the 3rd identification module 58 and the second characteristic acquisition module 59.
Wherein, Second identification module 56; Be connected with feature database 54 with information acquisition module 51, first identification module 52 respectively; Be used at first identification module 52 during according to the unidentified type that goes out the current application message of formal matching characteristic, according to the load information of current application message be stored in second in the feature database 54 in advance and back up matching characteristic and use identification; When second identification module 56 identifies the type of current application message, can end operation or carry out other and handle operation, specifically can the corresponding function module be set and realize according to practical application, this is not described in detail in the present embodiment.Characteristic comparison module 57 is connected with second identification module 56 with feature database 54 respectively, is used for when the unidentified type that goes out the current application message of second identification module 56, and the load information and the formal matching characteristic of current application message carried out characteristic similarity relatively; When characteristic comparison module 57 relatively draws the formal matching characteristic that does not exist characteristic similarity to satisfy preset similarity threshold, can end operation or carry out other processing, present embodiment is not done further introduction to this.The 3rd identification module 58; Be connected with characteristic comparison module 57; Be used for when characteristic comparison module 57 relatively draws feature database and has characteristic similarity with the load information of current application message to satisfy the formal matching characteristic of preset similarity threshold, satisfying the type of the formal matching characteristic identification current application message of preset similarity threshold according to the characteristic similarity that obtains; The second characteristic acquisition module 59; Be connected with the 3rd identification module 58, be used for when the 3rd identification module 58 identifies the type of current application message, according to the load information of current application message; Obtain the 3rd backup matching characteristic and storage, to use identification according to the 3rd backup matching characteristic.
The message characteristic processing unit of present embodiment can be used for carrying out the flow process of the message characteristic processing method that the embodiment of the invention provides, and repeats no more in its detailed operation principle present embodiment.The message characteristic processing unit of present embodiment; Can be when failing to identify the type of using message according to formal matching characteristic; Further discern through the second backup matching characteristic using message; And when still failing to identify the type of using message according to the second backup matching characteristic; Continuation judges the type of using message done further identification through the load information of current application message and formal matching characteristic being carried out characteristic similarity, can further improve the accuracy when current application discern, reduces and judges probability by accident; And in the time can identifying the type of using message, the load information of storage current application message to be to be used for the process of subsequent applications identification, the accuracy in the time of can improving subsequent applications identification.
Further, shown in Fig. 6 B, a kind of implementation structure of the second characteristic acquisition module 59 comprises: first obtains submodule 591 and first upgrades recognin module 592.Wherein, first obtains submodule 591, is connected with the 3rd identification module 58, is used for the load information according to the current application message, obtains the 3rd backup matching characteristic; First upgrades recognin module 592; Obtain submodule 591 and be connected with first with feature database 54; Be used for storing the 3rd backup matching characteristic into feature database 54, so that the second backup matching characteristic is upgraded, for using identification according to the second backup matching characteristic after upgrading.
Further, shown in Fig. 6 B, a kind of implementation structure of the first characteristic acquisition module 53 comprises: second obtains submodule 531 and second upgrades recognin module 532.Wherein, Second obtains submodule 531; Be connected with memory module 55 with information acquisition module 51, first identification module 52 respectively, be used for the load information of current application message and specify the load information of the application message of number to carry out characteristic relatively before, obtain the first backup matching characteristic; Second upgrades recognin module 532, obtains submodule 531 with feature database 54 and second respectively and is connected, and is used for upgrading the second backup matching characteristic according to the first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.Wherein, The second backup matching characteristic is meant that utilizing the first backup matching characteristic to upgrade operation in the second renewal recognin module 532 stores in the feature database before; For example can extract by manual work is initial, also can be after upgrading 592 renewals of recognin module through first before.
Particularly, a kind of second obtain submodule 531 implementation structure comprise: grouped element, first acquiring unit and second acquisition unit.Wherein, grouped element is used for the load information of current application message and specifies the load information of the application message of number to divide into groups before, forms a plurality of load information groups; First acquiring unit is used for the load information of each load information group is carried out characteristic relatively, obtains a plurality of son backup matching characteristics; Second acquisition unit is used for a plurality of son backup matching characteristics are carried out characteristic relatively, obtains the first backup matching characteristic.
Particularly, a kind of implementation structure of the second renewal recognin module 532 comprises: the 3rd acquiring unit, judging unit, characteristic updating block and number of times updating block.Wherein, the 3rd acquiring unit is used for the type according to the current application message that identifies, and obtains the second corresponding backup matching characteristic of current application message; Judging unit is used for judging whether the first backup matching characteristic is present in the second corresponding backup matching characteristic of current application message that obtains; The characteristic updating block is used in the judged result of judging unit the first backup matching characteristic being stored in the feature database 54, so that the second backup matching characteristic is upgraded when not existing; The number of times updating block is used in the judged result of judging unit when existing, and the match hit number of times of the second backup matching characteristic that will be identical with the first backup matching characteristic adds 1.
Wherein, Second obtains submodule and second updating submodule can be used for step 1031 and step 1032 and step a and the described flow process of step b among the embodiment of the present invention method embodiment; In advance for each backup matching characteristic and formal matching characteristic are provided with match hit time counter, be employed the number of times in the message coupling in this technical scheme with record.The message characteristic processing unit of present embodiment has been realized the Real-time and Dynamic of matching characteristic or feature database is upgraded through upgrading the second backup matching characteristic with the first backup matching characteristic or the 3rd backup matching characteristic; Further carry out subsequent applications identification, can improve the accuracy of using identification with the second backup matching characteristic after upgrading.
Based on technique scheme; The message characteristic processing unit of present embodiment also comprises: number of times update module 60; Be connected with second identification module 56 with first identification module 52 respectively; Be used for when first identification module 52 identifies the type of current application message according to formal matching characteristic or second identification module 56 according to the second backup matching characteristic, the match hit number of times of the formal matching characteristic that the current application message is corresponding or the corresponding second backup matching characteristic adds 1.
Further, shown in Fig. 6 B, the message characteristic processing unit of present embodiment also comprises: first update module 61 and second update module 62.Wherein, first update module 61 is connected with feature database 54, is used for when preset first update cycle arrives the match hit number of times of the match hit number of times of the formal matching characteristic of more same application and the second backup matching characteristic; And during greater than the match hit number of times of formal matching characteristic, exchange the formal matching characteristic and the second backup matching characteristic of this application, to upgrade feature database 54 at the match hit number of times of the second backup matching characteristic of this application.Second update module 62 is connected with feature database 54, is used for when preset second update cycle arrives, and obtains formal matching characteristic and the match hit number of times increment second backup matching characteristic of same application; The match hit number of times increment of the formal matching characteristic of match hit number of times increment and the designated ratio of the second backup matching characteristic of this application is compared; And during less than the match hit number of times increment of the formal matching characteristic of designated ratio, delete the second corresponding backup matching characteristic of this applications, with renewal feature database 54 at this match hit number of times increment of using the second corresponding backup matching characteristic.
Wherein, first update module and second update module can be used for carrying out the technical scheme of step 409 among flow process or the embodiment four of appropriate section in the embodiment of the invention three.Wherein, Method according to the renewal feature database that is adopted; The message characteristic processing unit of present embodiment can optionally be provided with first update module and/or second update module, adopts two kinds of update modes that feature database is upgraded can to make renewal more comprehensive and first update module and second update module are set simultaneously, therefore; Be a kind of optimal way, be the structure of message characteristic processing unit shown in Fig. 6 B with this optimal way.
In sum, the message characteristic processing unit of present embodiment has the following advantages: 1, can dynamically update feature database according to the characteristic of using through the flow process of the message characteristic processing method carrying out the embodiment of the invention and provide; 2, through the conversion between backup matching characteristic and the formal matching characteristic, can select the Optimum Matching characteristic more flexibly, improve the coupling accuracy; 3, through the similarity coupling of matching characteristic,, stronger adaptability etc. is arranged applicable to characteristic being had only the application of minor variations use identification.
Embodiment seven
The embodiment of the invention seven provides a kind of network equipment, comprises the message characteristic processing unit.The message characteristic processing unit that the message characteristic processing unit of present embodiment can provide for the above embodiment of the present invention, its structure and operation principle repeat no more at this.The network equipment of present embodiment can be any equipment that need discern message, for example personal computer, switch, router or server etc.
The network equipment of present embodiment is owing to have the message characteristic processing unit that the embodiment of the invention provides; Can be used for carrying out the flow process of the message characteristic processing method that the embodiment of the invention provides; When using message and use identification, have advantages such as accuracy height, flexible operation, False Rate are low, and can feature database be dynamically updated simultaneously; Significantly reduce the maintenance work of feature database, improved the efficient in maintenance features storehouse.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can be accomplished through the relevant hardware of program command; Aforesaid program can be stored in the computer read/write memory medium; This program the step that comprises said method embodiment when carrying out; And aforesaid storage medium comprises: various media that can be program code stored such as ROM, RAM, magnetic disc or CD.
What should explain at last is: above embodiment is only in order to explaining technical scheme of the present invention, but not to its restriction; Although with reference to previous embodiment the present invention has been carried out detailed explanation, those of ordinary skill in the art is to be understood that: it still can be made amendment to the technical scheme that aforementioned each embodiment put down in writing, and perhaps part technical characterictic wherein is equal to replacement; And these are revised or replacement, do not make the spirit and the scope of the essence disengaging various embodiments of the present invention technical scheme of relevant art scheme.
Claims (20)
1. a message characteristic processing method is characterized in that, comprising:
Obtain the load information of current application message;
Use identification according to the load information of said current application message and the formal matching characteristic that is stored in advance in the feature database;
When identifying the type of said current application message according to said formal matching characteristic; According to the load information of said current application message with specify the load information of the application message of number before; Obtain the first backup matching characteristic and storage, to use identification according to the said first backup matching characteristic.
2. message characteristic processing method according to claim 1; It is characterized in that; According to the load information of said current application message with specify the load information of the application message of number before; Obtain the first backup matching characteristic and storage, comprise to use identification according to the said first backup matching characteristic:
With the load information of said current application message with specify the load information of the application message of number to carry out characteristic relatively before, obtain the said first backup matching characteristic;
Be stored in the backup of second in feature database matching characteristic in advance according to the said first backup matching characteristic renewal, to use identification according to the second backup matching characteristic after upgrading.
3. message characteristic processing method according to claim 1 is characterized in that, also comprises:
When according to the unidentified type that goes out said current application message of said formal matching characteristic, according to the load information of said current application message be stored in the backup of second in feature database matching characteristic in advance and use identification;
When according to the unidentified type that goes out said current application message of the said second backup matching characteristic, the load information and the said formal matching characteristic of said current application message carried out characteristic similarity relatively;
When the characteristic similarity of the load information of existence and said current application message satisfies the formal matching characteristic of preset similarity threshold in relatively drawing said feature database; Satisfy the type that the formal matching characteristic of presetting similarity threshold is discerned said current application message according to the characteristic similarity that obtains; And according to the load information of said current application message; Obtain the 3rd backup matching characteristic and storage, to use identification according to said the 3rd backup matching characteristic.
4. message characteristic processing method according to claim 3 is characterized in that, according to the load information of said current application message, obtains the 3rd backup matching characteristic and storage, is specially to use identification according to said the 3rd backup matching characteristic:
According to the load information of said current application message, obtain said the 3rd backup matching characteristic;
Said the 3rd backup matching characteristic is stored in the said feature database, and the said second backup matching characteristic is upgraded, to use identification according to the second backup matching characteristic after upgrading.
5. message characteristic processing method according to claim 4; It is characterized in that; According to the load information of said current application message with specify the load information of the application message of number before; Obtain the first backup matching characteristic and storage, comprise to use identification according to the said first backup matching characteristic:
With the load information of said current application message with specify the load information of the application message of number to carry out characteristic relatively before, obtain the said first backup matching characteristic;
Upgrade the said second backup matching characteristic according to the said first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.
6. message characteristic processing method according to claim 5 is characterized in that, with the load information of said current application message with specify the load information of the application message of number to carry out characteristic relatively before, obtains the said first backup matching characteristic and comprises:
With the load information of said current application message with specify the load information of the application message of number to divide into groups before, form a plurality of load information groups;
Load information in each load information group is carried out characteristic relatively, obtain a plurality of son backup matching characteristics;
Said a plurality of son backup matching characteristics are carried out characteristic relatively, obtain the said first backup matching characteristic.
7. according to claim 5 or 6 described message characteristic processing methods, it is characterized in that, upgrade the said second backup matching characteristic according to the said first backup matching characteristic and comprise:
According to the type of the said current application message that identifies, obtain the second corresponding backup matching characteristic of said current application message;
Judge whether the said first backup matching characteristic is present in the second backup matching characteristic of the said current application message correspondence of obtaining;
If judged result is stored in the said first backup matching characteristic in the said feature database for not existing, so that the said second backup matching characteristic is upgraded;
If judged result is for existing, the match hit number of times of the second backup matching characteristic that will be identical with the said first backup matching characteristic adds 1.
8. message characteristic processing method according to claim 7 is characterized in that, when identifying the type of said current application message according to the perhaps said second backup matching characteristic of said formal matching characteristic, also comprises:
The match hit number of times of the second backup matching characteristic of the match hit number of times of the formal matching characteristic that said current application message is corresponding or correspondence adds 1.
9. message characteristic processing method according to claim 8 is characterized in that, also comprises:
When preset first update cycle arrives, the more same match hit number of times of corresponding formal matching characteristic and the match hit number of times of the second backup matching characteristic used;
When the said same match hit number of times of using the second corresponding backup matching characteristic during, exchange the said same corresponding formal matching characteristic and the second backup matching characteristic used, to upgrade said feature database greater than the match hit number of times of formal matching characteristic.
10. message characteristic processing method according to claim 8 is characterized in that, also comprises:
When preset second update cycle arrives, obtain same formal matching characteristic and the match hit number of times increment second backup matching characteristic of using correspondence;
The match hit number of times increment of the match hit number of times increment of the second backup matching characteristic that said same application is corresponding and the formal matching characteristic of designated ratio compares;
When the said same match hit number of times increment of using the second corresponding backup matching characteristic during, delete the said same second corresponding backup matching characteristic of using, to upgrade said feature database less than the match hit number of times increment of the formal matching characteristic of designated ratio.
11. a message characteristic processing unit is characterized in that, comprising:
The information acquisition module is used to obtain the load information of current application message;
First identification module is used for using identification according to the load information of said current application message and the formal matching characteristic that is stored in feature database in advance;
The first characteristic acquisition module; Be used for when said first identification module identifies the type of said current application message according to said formal matching characteristic; According to the load information of said current application message with specify the load information of the application message of number before; Obtain the first backup matching characteristic and storage, to use identification according to the said first backup matching characteristic.
12. message characteristic processing unit according to claim 11 is characterized in that, also comprises:
Second identification module; Be used at said first identification module during, according to the load information of said current application message be stored in the backup of second in feature database matching characteristic in advance and use identification according to the unidentified type that goes out said current application message of said formal matching characteristic;
The characteristic comparison module is used for when the unidentified type that goes out said current application message of said second identification module, and the load information and the said formal matching characteristic of said current application message carried out characteristic similarity relatively;
The 3rd identification module; Be used for when said characteristic comparison module relatively draws said feature database and has characteristic similarity with the load information of said current application message to satisfy the formal matching characteristic of preset similarity threshold, the formal matching characteristic that satisfies preset similarity threshold according to the characteristic similarity that obtains is discerned the type of said current application message;
The second characteristic acquisition module; Be used for when said the 3rd identification module identifies the type of said current application message; According to the load information of said current application message, obtain the 3rd backup matching characteristic and storage, to use identification according to said the 3rd backup matching characteristic.
13. message characteristic processing unit according to claim 12 is characterized in that, the said second characteristic acquisition module comprises:
First obtains submodule, is used for the load information according to said current application message, obtains the 3rd backup matching characteristic;
First upgrades the recognin module, is used for storing said the 3rd backup matching characteristic into said feature database, and the said second backup matching characteristic is upgraded, to use identification according to the second backup matching characteristic after upgrading.
14. message characteristic processing unit according to claim 13 is characterized in that, the said first characteristic acquisition module comprises:
Second obtains submodule, is used for the load information of said current application message and specifies the load information of the application message of number to carry out characteristic relatively before, obtains the said first backup matching characteristic;
Second upgrades the recognin module, is used for upgrading the said second backup matching characteristic according to the said first backup matching characteristic, to use identification according to the second backup matching characteristic after upgrading.
15. message characteristic processing unit according to claim 14 is characterized in that, said second obtains submodule comprises:
Grouped element is used for the load information of said current application message and specifies the load information of the application message of number to divide into groups before, forms a plurality of load information groups;
First acquiring unit is used for the load information of each load information group is carried out characteristic relatively, obtains a plurality of son backup matching characteristics;
Second acquisition unit is used for said a plurality of son backup matching characteristics are carried out characteristic relatively, obtains the said first backup matching characteristic.
16., it is characterized in that said second upgrades the recognin module comprises according to claim 14 or 15 described message characteristic processing unit:
The 3rd acquiring unit is used for the type according to the said current application message that identifies, and obtains the second corresponding backup matching characteristic of said current application message;
Judging unit is used for judging whether the said first backup matching characteristic is present in the second corresponding backup matching characteristic of said current application message that obtains;
The characteristic updating block is used in the judged result of said judging unit the said first backup matching characteristic being stored in the said feature database, so that the said second backup matching characteristic is upgraded when not existing;
The number of times updating block is used in the judged result of said judging unit when existing, and the match hit number of times of the second backup matching characteristic that will be identical with the said first backup matching characteristic adds 1.
17. message characteristic processing unit according to claim 16 is characterized in that, also comprises:
The number of times update module; Be used for when identifying the type of said current application message according to the perhaps said second backup matching characteristic of said formal matching characteristic, the match hit number of times of the second backup matching characteristic of formal matching characteristic that said current application message is corresponding or correspondence adds 1.
18. message characteristic processing unit according to claim 17 is characterized in that, also comprises:
First update module is used for when preset first update cycle arrives, the more same match hit number of times of corresponding formal matching characteristic and the match hit number of times of the second backup matching characteristic used; And during greater than the match hit number of times of formal matching characteristic, exchange the said same corresponding formal matching characteristic and the second backup matching characteristic used, to upgrade said feature database at the said same match hit number of times of using the second corresponding backup matching characteristic.
19. message characteristic processing unit according to claim 17 is characterized in that, also comprises:
Second update module is used for when preset second update cycle arrives, and obtains same formal matching characteristic and the match hit number of times increment second backup matching characteristic of using correspondence; The match hit number of times increment of the match hit number of times increment of the second backup matching characteristic that said same application is corresponding and the formal matching characteristic of designated ratio compares; And at the said same match hit number of times increment of using the second corresponding backup matching characteristic during less than the match hit number of times increment of the formal matching characteristic of designated ratio; Delete the said same second corresponding backup matching characteristic of using, to upgrade said feature database.
20. network equipment that comprises each described message characteristic processing unit of claim 11-19.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010594986A CN102025636B (en) | 2010-12-09 | 2010-12-09 | Message feature processing method and device as well as network equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010594986A CN102025636B (en) | 2010-12-09 | 2010-12-09 | Message feature processing method and device as well as network equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102025636A CN102025636A (en) | 2011-04-20 |
| CN102025636B true CN102025636B (en) | 2012-09-05 |
Family
ID=43866509
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010594986A Active CN102025636B (en) | 2010-12-09 | 2010-12-09 | Message feature processing method and device as well as network equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102025636B (en) |
Families Citing this family (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102932203B (en) * | 2012-10-31 | 2015-06-10 | 东软集团股份有限公司 | Method and device for inspecting deep packets among heterogeneous platforms |
| CN103095604A (en) * | 2013-01-04 | 2013-05-08 | 海信集团有限公司 | System and method for identifying specific application of home network |
| CN103226583B (en) * | 2013-04-08 | 2017-07-28 | 北京奇虎科技有限公司 | A kind of method and apparatus of ad plug-in identification |
| CN104796406B (en) * | 2015-03-20 | 2018-06-12 | 新华三技术有限公司 | A kind of application and identification method and device |
| CN105939328A (en) * | 2016-01-27 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for updating network attack feature library |
| CN106815049B (en) * | 2016-12-29 | 2020-01-03 | 杭州迪普科技股份有限公司 | Method and device for upgrading feature library |
| CN107483411B (en) * | 2017-07-25 | 2020-01-31 | 中国联合网络通信集团有限公司 | Service identification method and system |
| CN107547536B (en) * | 2017-08-28 | 2021-03-19 | 新华三信息安全技术有限公司 | Feature library updating method and device |
| CN107426059B (en) * | 2017-08-28 | 2021-02-05 | 上海国云信息科技有限公司 | DPI equipment feature library automatic updating method and system, DPI equipment and cloud server |
| CN109492655B (en) * | 2017-09-11 | 2021-08-06 | 中国移动通信有限公司研究院 | Feature extraction method and device and terminal |
| CN107707549B (en) * | 2017-09-30 | 2020-07-28 | 迈普通信技术股份有限公司 | Device and method for automatically extracting application characteristics |
| CN110213778B (en) * | 2018-02-28 | 2021-11-05 | 中兴通讯股份有限公司 | Method and device for intelligently pairing main network element and standby network element |
| CN109150742A (en) * | 2018-08-13 | 2019-01-04 | 南京中新赛克科技有限责任公司 | A kind of flow screening system and its method based on network processing unit |
| CN109462598B (en) * | 2018-12-11 | 2021-08-17 | 江苏省未来网络创新研究院 | Method for extracting account information from network message |
| CN109639593B (en) * | 2018-12-24 | 2022-08-12 | 南京中孚信息技术有限公司 | Upgrading method and device of deep packet analysis system |
| CN110034976B (en) * | 2019-04-08 | 2021-06-15 | Oppo广东移动通信有限公司 | Data identification method and device |
| CN110287699B (en) * | 2019-06-12 | 2021-02-26 | 杭州迪普科技股份有限公司 | Application program feature extraction method and device |
| CN110808915B (en) * | 2019-10-21 | 2022-03-08 | 新华三信息安全技术有限公司 | Data stream affiliated application identification method and device and data processing equipment |
| CN112995172B (en) * | 2021-02-24 | 2022-09-09 | 合肥优尔电子科技有限公司 | Communication method and communication system for butt joint between Internet of things equipment and Internet of things platform |
| CN113890835A (en) * | 2021-09-29 | 2022-01-04 | 杭州迪普科技股份有限公司 | Method and device for processing DPI application test message |
| CN114254704A (en) * | 2021-12-20 | 2022-03-29 | 北京天融信网络安全技术有限公司 | HTTP tunnel detection method and device, electronic equipment and storage medium |
| CN115955521B (en) * | 2022-09-13 | 2023-08-11 | 武汉麦丰创新网络科技有限公司 | Private message identification method and system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101035111A (en) * | 2007-04-13 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Intelligent protocol parsing method and device |
| CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
| CN101257454A (en) * | 2008-03-21 | 2008-09-03 | 北京星网锐捷网络技术有限公司 | Apparatus and method for managing band width |
| CN101510873A (en) * | 2009-03-20 | 2009-08-19 | 扬州永信计算机有限公司 | Method for detection of mixed point-to-point flux based on vector machine support |
| CN101867601A (en) * | 2010-05-14 | 2010-10-20 | 北京理工大学 | File-level P2P network flow identification method |
-
2010
- 2010-12-09 CN CN201010594986A patent/CN102025636B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
| CN101035111A (en) * | 2007-04-13 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Intelligent protocol parsing method and device |
| CN101257454A (en) * | 2008-03-21 | 2008-09-03 | 北京星网锐捷网络技术有限公司 | Apparatus and method for managing band width |
| CN101510873A (en) * | 2009-03-20 | 2009-08-19 | 扬州永信计算机有限公司 | Method for detection of mixed point-to-point flux based on vector machine support |
| CN101867601A (en) * | 2010-05-14 | 2010-10-20 | 北京理工大学 | File-level P2P network flow identification method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102025636A (en) | 2011-04-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102025636B (en) | Message feature processing method and device as well as network equipment | |
| US7827299B2 (en) | Transitioning between historical and real time data streams in the processing of data change messages | |
| KR101109219B1 (en) | Systems and methods for the propagation of conflict resolution to enforce item convergencei.e.,data convergence | |
| CN110569298B (en) | Data docking and visualization method and system | |
| US6411974B1 (en) | Method to collate and extract desired contents from heterogeneous text-data streams | |
| CN101246486B (en) | Method and apparatus for improved process of expressions | |
| CN111767327B (en) | Data warehouse construction method and system with dependency relationship among data streams | |
| CN107608860A (en) | A kind of method, apparatus, the equipment of error log classification storage | |
| CN115994251B (en) | Target projectile telemetering data analysis device and analysis system | |
| CN110191109B (en) | Message sampling method and device | |
| CN102497353A (en) | Processing method, server and system for multi-server distributed data | |
| CN110311953A (en) | A kind of media article uploads and storage system and method | |
| CN106095597A (en) | Client data processing method and processing device | |
| CN112349340B (en) | Method for constructing waste equipment overwriting scheme library based on cyclic test | |
| US20080320494A1 (en) | Data processing method, data processing apparatus, and data processing program | |
| CN102571923A (en) | Data synchronization system and method | |
| CN111181819B (en) | Serial port communication method for receiving multi-byte data frame based on linked list structure | |
| CN111797150B (en) | Method and system for high concurrent data docking and forwarding | |
| US6351826B1 (en) | Method and apparatus for automatically verifying communication software | |
| CN112416557A (en) | Method and device for determining call relation, storage medium and electronic device | |
| CN116545740A (en) | Threat behavior analysis method and server based on big data | |
| CN108345902B (en) | Self-learning white list model base construction and white list detection method based on transaction characteristics | |
| CN101082969A (en) | Method and system for categorized displaying multiple sets kalendar affair in unified kalendar views | |
| CN114297216B (en) | Data synchronization method and device, computer storage medium and electronic equipment | |
| CN105893286A (en) | Data processing method and apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |