CN103516539B - A kind of based on front and back to the multi-network flow static feature extraction method of trigger mechanism - Google Patents
A kind of based on front and back to the multi-network flow static feature extraction method of trigger mechanism Download PDFInfo
- Publication number
- CN103516539B CN103516539B CN201210220115.2A CN201210220115A CN103516539B CN 103516539 B CN103516539 B CN 103516539B CN 201210220115 A CN201210220115 A CN 201210220115A CN 103516539 B CN103516539 B CN 103516539B
- Authority
- CN
- China
- Prior art keywords
- trigger
- pond
- forward direction
- triggering
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The invention discloses a kind of based on front and back to the multi-network flow static feature extraction method of trigger mechanism, the method comprising the steps of: S1. is regular to triggering before and after setting;S2. judge whether that meeting forward direction triggers pond;S3. multi-network flow static feature is extracted;S4. judge whether to meet backward triggering pond.The method of the present invention judges, to trigger mechanism, time started and the end time that in network, multi-network flow static feature is extracted before and after using, on the one hand the expense of follow-up relevant treatment is decreased, multiple network flows of same application, agreement or purpose are effectively integrated, is improve the accuracy of feature extraction;On the other hand flow pending in network has been filtered, it is possible to be effectively improved the performance of legacy network management.The method of the present invention can be high-performance traffic classification system in express network, the design of content monitoring system and realize providing technical support.
Description
Technical field
The present invention relates to network security and field of network management, particularly relate to a kind of based on front and back to
The multi-network flow static feature extraction method of trigger mechanism.
Background technology
Along with developing rapidly of network technology and the network bandwidth, the data traffic in network is the most at double
Increasing, on high-speed backbone network, data traffic has reached Gbit each second, even 10Gbit
Above.Legacy network flow processing system is typically based on network packet, and treatment effeciency cannot
Meet the monitoring requirement under current high speed network environment, and, in being loaded along with packet
Holding frequently using of more and more and cryptographic protocol, the intractability for packet the most more comes
The biggest, packet has been difficult to reflect the characteristic of network traffics.
It is different from flow processing system based on packet, flow processing system based on network flow
By packet according to five-tuple (< source address, destination address, source port, destination interface, association
View >) divided, reduce the number of times that consolidated network stream is operated, effectively subtract
Lack the order of magnitude of pending data, meanwhile, by packet effectively being classified as network flow,
Network traffics processing system have only to pay close attention to the most important in network flow, have and represent meaning
Packet, improves system effectiveness.
But, the developing rapidly of network technology cause network application and procotol the most more
Replacing, increasing agreement and application are in order to ensure that network security and network speed are by whole data
Transmitting procedure is dispersed in multiple network flow data stream, and the detection to single network stream can not be anti-
Reflect the full detail content of agreement or application, therefore, will there are identical purpose or identical characteristics
Network flow effectively integrates, and extracts its statistical nature comprised so that follow-up process and behaviour
Make, become the difficult problem that network manager is in the urgent need to address.
Meanwhile, relative to needing to carry out process, significant network flow, in network environment also
There is the network flow being made without in a large number excessively paying close attention to, therefore, imitate packet and be converted to net
The form of network stream, integrates again by network flow, can rationally filter network flow,
Reject not meet and process the network traffics required, it is possible to the data that very effective reduction is pending
Amount, improves the treatment effeciency of system.
During traditional multi-network flow static feature, to the acquisition of data generally at whole network
Under duration case, although use sliding window mechanism to reduce to a certain extent and wait to locate
The data volume of reason, but still have the loss in bigger time and space, need consumption bigger
System resource.In order to effectively solve this situation, utilize effective front and back to trigger mechanism,
Judge time started and the end time of multi-network flow static feature extraction, whole network is transported
The row time period is cut into multiple effective or invalid feature extraction timeslice.On the one hand, effectively
Decrease pending data volume, reduce memory consumption, filtered need not process to analysis
Useless network traffics, improve the efficiency of system;On the other hand, by rational deteminate machine
System, is effectively carried out the Multi net voting stream with identical purpose or same application and agreement generation
Entirety, improves the accuracy of statistical nature, has effectively reflected the communication of agreement and application
Behavior.
Summary of the invention
(1) to solve the technical problem that
The technical problem to be solved is: how to provide a kind of Multi net voting stream statistics spy
Effective trigger mechanism during levying extraction, in order to reduce pending data volume and system consumption,
Screen out need not flow to be processed, by same application or the statistical nature of multiple network flows of agreement
Integrate, preferably improve the accuracy of statistical nature, the mass data that answer up increases
The challenge that amount is brought.
(2) technical scheme
In order to solve the problems referred to above, the invention provides a kind of based on many to trigger mechanism front and back
Network flow statistical nature extracting method.
The method comprising the steps of:
S1. to triggering rule before and after setting;
S2. judge whether that meeting forward direction triggers pond;
S3. the extraction of multi-network flow static feature;
S4. judge whether to meet backward triggering pond.
Wherein, step S1 farther includes:
S11. set forward direction and trigger pond rule;
Wherein, in step s 11, forward direction triggering pond rule includes that forward direction triggers pond trigger source
(Trigger Source), forward direction trigger pond trigger condition (Trigger Rules);
Wherein, in step s 11, forward direction triggers pond trigger source is can be directly or indirectly from net
The network information obtained in network;
Wherein, in step s 11, forward direction triggering pond trigger condition includes that forward direction triggers pond size
(Trigger Pool Sizes), forward direction trigger sequence (Trigger Sequence) and each touch
The triggering maximum times of clockwork spring part;
S12. backward triggering pond rule is set;
Wherein, in step s 12, backward triggering pond rule includes that forward direction triggers pond trigger source
(Trigger Source), backward triggering pond trigger condition (Trigger Rules);
Wherein, in step s 12, backward triggering pond trigger condition includes backward triggering pond size
(Trigger Pool Sizes), backward trigger sequence (Trigger Sequence) and each touch
The triggering maximum times of clockwork spring part;
Wherein, step S2 farther includes:
S21. obtain from network in specific information according to the requirement in current forward direction source to be triggered
Hold;
S22. judge the triggering stage being presently in, trigger if non-toggle stage or forward direction
The pond stage, then perform step S23;If the backward triggering stage, then perform step S3;
S23. judge whether the information content extracted meets current forward direction source to be triggered and limit,
If be unsatisfactory for, then perform step S21;If it is satisfied, then perform step S24;
The most use forward direction to trigger pond quantity to add 1 or enter next according to forward direction trigger sequence
Step forward direction source to be triggered;
S25. after judging this time to trigger, if met whole forward direction and triggered pond requirement, if
It is unsatisfactory for, performs step S21;If it is satisfied, then perform step S3.
Wherein, step S3 farther includes:
S31. according to statistical nature requirement, from network flow, required statistical information is extracted;
S32., after updating statistical nature data structure, step S4 is performed.
Wherein, step S4 farther includes:
S41. judge whether the information content extracted meets backward source to be triggered and limit, if
It is unsatisfactory for, then performs step S21;If it is satisfied, then perform step S42;
Backward triggering pond quantity has the most been used to add 1 or enter next according to backward trigger sequence
Walk backward source to be triggered;
S43. after judging this time to trigger, if met whole backward triggering pond requirement, if
It is unsatisfactory for, performs step S21;Carry if it is satisfied, then terminate this multi-network flow static feature
Take.
(3) beneficial effect
The method of the present invention is first according to the extraction requirement of multi-network flow static feature, according to institute's pin
Particularity to the network traffics that the communication mechanism of agreement or application is completed, before formulating reasonably
To trigger mechanism and backward trigger mechanism, then according to trigger condition to the network of capture in network
Stream is analyzed, it may be judged whether meets trigger condition, and judges many nets with trigger condition
The time started of network statistical flow characteristic extraction and end time.This based on front and back to the machine of triggering
The multi-network flow static feature extraction method of system can not only screen out the stream being made without processing
Amount, reduces pending data volume, improves system effectiveness;Meanwhile, answer same as far as possible
The multiple network flows produced by, agreement or purpose are effectively integrated, and improve Multi net voting
The accuracy that statistical flow characteristic extracts.The method of the present invention can be high-performance stream in express network
Existing offer technical support is examined in amount categorizing system, the design of content monitoring system.
Accompanying drawing explanation
Fig. 1 is a kind of based on front and back carrying to the multi-network flow static feature of trigger mechanism according to the present invention
Access method.
Fig. 2 is a kind of based on front and back to the multi-network flow static feature of trigger mechanism according to the present invention
To trigger mechanism flow process before and after in extracting method.
Fig. 3 is a kind of based on front and back to the multi-network flow static feature of trigger mechanism according to the present invention
The embodiment schematic diagram of extracting method.
Detailed description of the invention
For proposed by the invention based on front and back to the multi-network flow static feature of trigger mechanism
Extracting method, describes in detail in conjunction with the accompanying drawings and embodiments.
Huge for the pending data volume encountered in current network flow cluster process, process
Inefficient, statistics extracts the situation that difficulty is big, accuracy is poor, and the present invention proposes one
Based on front and back to the multi-network flow static feature extraction method of trigger mechanism.The method first basis
The extraction requirement of multi-network flow static feature, according to the communication mechanism institute of targeted agreement or application
The particularity of the network traffics completed, formulates rational forward direction trigger mechanism and backward triggering machine
System, is then analyzed the network flow of capture in network according to trigger condition, it is judged that be
No meet trigger condition, and judge, with trigger condition, the beginning that multi-network flow static feature is extracted
Time and end time.This based on front and back carrying to the multi-network flow static feature of trigger mechanism
Access method can not only screen out the flow being made without processing, and reduces pending data volume,
Improve system effectiveness;Meanwhile, as far as possible same application, agreement or purpose are produced many
Individual network flow is effectively integrated, and improves the accuracy that multi-network flow static feature is extracted.
As it is shown in figure 1, according to one embodiment of the present invention based on front and back to trigger mechanism
Multi-network flow static feature extraction method carries out following steps,
S1. to triggering rule before and after setting;
S2. judge whether that meeting forward direction triggers pond;
S3. the statistical nature of multiple network flows of same purpose or application is extracted;
S4. judge whether to meet backward triggering pond.
Wherein, step S1 farther includes:
S11. set forward direction and trigger pond rule;
Wherein, in step s 11, forward direction triggering pond rule includes that forward direction triggers pond trigger source
(Trigger Source), forward direction trigger pond trigger condition (Trigger Rules);
Wherein, in step s 11, forward direction triggers pond trigger source is can be directly or indirectly from net
The network information obtained in network;
Wherein, in step s 11, forward direction triggering pond trigger condition includes that forward direction triggers pond size
(Trigger Pool Sizes), forward direction trigger sequence (Trigger Sequence) and each touch
The triggering maximum times of clockwork spring part;
S12. backward triggering pond rule is set;
Wherein, in step s 12, backward triggering pond rule includes that forward direction triggers pond trigger source
(Trigger Source), backward triggering pond trigger condition (Trigger Rules);
Wherein, in step s 12, backward triggering pond trigger condition includes backward triggering pond size
(Trigger Pool Sizes), backward trigger sequence (Trigger Sequence) and each touch
The triggering maximum times of clockwork spring part;
Wherein, step S2 farther includes:
S21. obtain from network in specific information according to the requirement in current forward direction source to be triggered
Hold;
S22. judge the triggering stage being presently in, trigger if non-toggle stage or forward direction
The pond stage, then perform step S23;If the backward triggering stage, then perform step S3;
S23. judge whether the information content extracted meets current forward direction source to be triggered and limit,
If be unsatisfactory for, then perform step S21;If it is satisfied, then perform step S24;
The most use forward direction to trigger pond quantity to add 1 or enter next according to forward direction trigger sequence
Step forward direction source to be triggered;
S25. after judging this time to trigger, if met whole forward direction and triggered pond requirement, if
It is unsatisfactory for, performs step S21;If it is satisfied, then perform step S3.
Wherein, step S3 farther includes:
S31. according to statistical nature requirement, from network flow, required statistical information is extracted;
S32., after updating statistical nature data structure, step S4 is performed.
Wherein, statistical information is including but not limited to shown in table 1:
Table 1 multi-network flow static feature table
Wherein, step S4 farther includes:
S41. judge whether the information content extracted meets backward source to be triggered and limit, if
It is unsatisfactory for, then performs step S21;If it is satisfied, then perform step S42;
Backward triggering pond quantity has the most been used to add 1 or enter next according to backward trigger sequence
Walk backward source to be triggered;
S43. after judging this time to trigger, if met whole backward triggering pond requirement, if
It is unsatisfactory for, performs step S21;Carry if it is satisfied, then terminate this multi-network flow static feature
Take.
Embodiment
Technical scheme is further illustrated below by way of specific embodiment.This enforcement
The method of example comprises the steps:
S1. to triggering rule before and after setting;
Step S1 includes following sub-step:
S11. set forward direction and trigger pond rule, in certain project, carry out flow for P2P agreement and gather
Class, sets forward direction and triggers Chi Yuan, as shown in table 1:
Table 1 forward direction triggers Chi Yuan
Wherein, the definition of forward be this network flow five-tuple < source IP, purpose IP, source port number,
Destination slogan, protocol number > source IP address equal to the source IP address of network flow to be clustered,
Reverse definition is this network flow five-tuple < source IP, purpose IP, source port number, destination interface
Number, protocol number > purpose IP address equal to the source IP address of network flow to be clustered;
Setting forward direction and trigger pond size as 1, the triggering times setting each forward direction trigger source is maximum
Value is 1;
S12. set backward triggering pond rule, in this project, carry out flow for P2P agreement
Cluster, sets backward triggering Chi Yuan, as shown in table 1;
Setting backward triggering pond size as 5, the triggering times setting each backward trigger source is maximum
Value is 1;
S2. judge whether that meeting forward direction triggers pond;
Step S2 includes following sub-step:
S21. from network, extract the network terminated comprising same IP address to be detected
Stream, according to forward and backward trigger source, extracts relevant information, as shown in table 2:
Table 2 extracts information table
S22. judge the triggering stage being presently in, trigger if non-toggle stage or forward direction
The pond stage, then perform step S23;If the backward triggering stage, then perform step S3;
If S23. this network flow is the TCP network flow of forward connection failure or reverse UDP
Stream, then meet current forward direction source to be triggered, performs step S24;Otherwise, then step S21 is performed;
S24., after to using forward direction triggering pond quantity to add 1, step S25 is performed;
S25. the TCP net that whole triggering rules are forward connection failure in pond is triggered due to forward direction
Any one appearance of network stream or reversely UDP flow 1 time, triggers so having met whole forward direction at present
Rule, performs step S3.
S3. multi-network flow static feature is extracted;
Step S3 includes following sub-step:
S31., in this project, need the overall network stream in backward triggering stage is added up
Feature extraction, the statistical nature of extraction is as shown in table 3:
Table 3 statistical nature table
S32. extract network flow statistical nature and cumulative after, perform step S4.
Step S4 includes following sub-step:
If S41. this network flow is the TCP network flow of forward connection failure or reverse UDP
Stream, then meet current backward source to be triggered, performs step S42;Otherwise, then step S21 is performed;
S42., after to using backward triggering pond quantity to add 1, step S43 is performed;
S43. due to backward triggering pond trigger rule be forward connection failure TCP network flow or
Reversely UDP flow occurs that total degree is 5 times, so, it is judged that use the backward triggering pond quantity to be
No it is more than or equal to 5, whole backward triggers rule if met, network flow to be detected is completed
Cluster operation;Otherwise, step S21 is performed.
Claims (2)
1. based on front and back to a multi-network flow static feature extraction method for trigger mechanism, its
Being characterised by, the method comprising the steps of:
S1. to triggering rule before and after setting;
S2. judge whether that meeting forward direction triggers pond;
S3. the extraction of multi-network flow static feature;
S4. judge whether to meet backward triggering pond;
Step S1 farther includes: S11. sets forward direction and triggers pond rule;
Wherein, in step s 11, forward direction trigger pond rule include forward direction trigger pond trigger source,
Forward direction triggers pond trigger condition;
Wherein, in step s 11, forward direction triggers pond trigger source is can be directly or indirectly from net
The network information obtained in network;
Wherein, in step s 11, forward direction trigger pond trigger condition include forward direction trigger pond size,
The triggering maximum times of forward direction trigger sequence and each trigger condition;
S12. backward triggering pond rule is set;
Wherein, in step s 12, backward triggering pond rule include forward direction trigger pond trigger source,
Backward triggering pond trigger condition;
Wherein, in step s 12, backward triggering pond trigger condition include backward triggering pond size,
The triggering maximum times of backward trigger sequence and each trigger condition;
Step S2 farther includes:
S21. obtain from network in specific information according to the requirement in current forward direction source to be triggered
Hold;
S22. judge the triggering stage being presently in, trigger if non-toggle stage or forward direction
The pond stage, then perform step S23;If the backward triggering stage, then perform step S3;
S23. judge whether the information content extracted meets current forward direction source to be triggered and limit,
If be unsatisfactory for, then perform step S21;If it is satisfied, then perform step S24;
The most use forward direction to trigger pond quantity to add 1 or enter next according to forward direction trigger sequence
Step forward direction source to be triggered;
S25. after judging this time to trigger, if met whole forward direction and triggered pond requirement, if
It is unsatisfactory for, performs step S21;If it is satisfied, then perform step S3;
Step S4 farther includes:
S41. judge whether the information content extracted meets backward source to be triggered and limit, if
It is unsatisfactory for, then performs step S21;If it is satisfied, then perform step S42;
Backward triggering pond quantity has the most been used to add 1 or enter next according to backward trigger sequence
Walk backward source to be triggered;
S43. after judging this time to trigger, if met whole backward triggering pond requirement, if
It is unsatisfactory for, performs step S21;Carry if it is satisfied, then terminate this multi-network flow static feature
Take.
2. as claimed in claim 1 based on front and back to the multi-network flow static feature of trigger mechanism
Extracting method, it is characterised in that step S3 farther includes:
S31. according to statistical nature requirement, from network flow, required statistical information is extracted;
S32., after updating statistical nature data structure, step S4 is performed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210220115.2A CN103516539B (en) | 2012-06-28 | 2012-06-28 | A kind of based on front and back to the multi-network flow static feature extraction method of trigger mechanism |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210220115.2A CN103516539B (en) | 2012-06-28 | 2012-06-28 | A kind of based on front and back to the multi-network flow static feature extraction method of trigger mechanism |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103516539A CN103516539A (en) | 2014-01-15 |
| CN103516539B true CN103516539B (en) | 2016-09-21 |
Family
ID=49898620
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210220115.2A Active CN103516539B (en) | 2012-06-28 | 2012-06-28 | A kind of based on front and back to the multi-network flow static feature extraction method of trigger mechanism |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103516539B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6904014B1 (en) * | 2000-04-27 | 2005-06-07 | Cisco Technology, Inc. | Method and apparatus for performing high-speed traffic shaping |
| CN101420419A (en) * | 2008-10-27 | 2009-04-29 | 吉林大学 | Adaptive high-speed network flow layered sampling and collecting method |
| CN101572701A (en) * | 2009-02-10 | 2009-11-04 | 中科正阳信息安全技术有限公司 | Security gateway system for resisting DDoS attack for DNS service |
| CN102468987A (en) * | 2010-11-08 | 2012-05-23 | 清华大学 | NetFlow characteristic vector extraction method |
-
2012
- 2012-06-28 CN CN201210220115.2A patent/CN103516539B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6904014B1 (en) * | 2000-04-27 | 2005-06-07 | Cisco Technology, Inc. | Method and apparatus for performing high-speed traffic shaping |
| CN101420419A (en) * | 2008-10-27 | 2009-04-29 | 吉林大学 | Adaptive high-speed network flow layered sampling and collecting method |
| CN101572701A (en) * | 2009-02-10 | 2009-11-04 | 中科正阳信息安全技术有限公司 | Security gateway system for resisting DDoS attack for DNS service |
| CN102468987A (en) * | 2010-11-08 | 2012-05-23 | 清华大学 | NetFlow characteristic vector extraction method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103516539A (en) | 2014-01-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101902484B (en) | Method and system for classifying local area network http application services | |
| CN102035698B (en) | HTTP tunnel detection method based on decision tree classification algorithm | |
| CN102769549B (en) | The method and apparatus of network security monitoring | |
| CN101599963B (en) | Suspected network threat information screener and screening and processing method | |
| CN102468987B (en) | NetFlow characteristic vector extraction method | |
| CN102045209A (en) | Network application monitoring method and system | |
| CN105095399B (en) | Search result method for pushing and device | |
| CN103260190B (en) | Based on the method for auditing safely of LTE long evolving system network | |
| CN109309626A (en) | A kind of high-speed network data packet capturing shunting and caching method based on DPDK | |
| US11888874B2 (en) | Label guided unsupervised learning based network-level application signature generation | |
| CN106972985A (en) | Accelerate the method and DPI equipment of the processing of DPI device datas and forwarding | |
| CN101483649A (en) | Network safe content processing card based on FPGA | |
| CN103475663B (en) | Trojan horse recognition method based on network service behavior characteristics | |
| CN106452859A (en) | Automatic cell phone number characteristic keyword extraction method under fixed network WiFi environment | |
| CN101719847A (en) | High-performance monitoring method for DNS traffic | |
| CN109639592B (en) | Rapid data analysis method and device based on ten-gigabit traffic | |
| CN106375295A (en) | Data storage monitoring method | |
| CN104021348B (en) | Real-time detection method and system of dormant P2P (Peer to Peer) programs | |
| EP2741449B1 (en) | Processing of call data records | |
| CN111866882A (en) | Mobile application traffic generation method based on generation countermeasure network | |
| CN110266603A (en) | Authentication business network flow analysis system and method based on http protocol | |
| CN103516539B (en) | A kind of based on front and back to the multi-network flow static feature extraction method of trigger mechanism | |
| CN106372171A (en) | Real-time data processing method of monitoring platform | |
| CN105337797A (en) | Data capturing method of network protocol of complex electronic information system | |
| CN110365551A (en) | Network information gathering method, apparatus, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |