CN103780501B - Peer-to-peer network traffic identification method of indistinguishable wavelet support vector machine - Google Patents

Abstract

The invention relates to a peer-to-peer network traffic identification method of an undifferentiated wavelet support vector machine, which comprises the following steps: (1) selecting a characteristic vector: the following three-dimensional feature vectors are used: vector ═ v1, v2, v3 >; wherein V1 represents the mean square error value of the packet size change, V2 represents the ratio of the uplink and downlink speeds at the node, and V3 represents the ratio of the number of IP addresses to the number of ports; (2) selecting an appropriate kernel function; (3) selecting an incremental training algorithm; (4) the Boosting algorithm of P2P flow identification of the wavelet SVM finally obtains a strong classifier H (x) by adopting a weighted voting mode for identifying P2P flow. The invention can efficiently identify the P2P network flow, take countermeasures in time and effectively control the P2P network flow.

Description

A peer-to-peer network traffic identification method based on non-separable wavelet support vector machine

technical field

The invention relates to a peer-to-peer network traffic identification method of an inseparable wavelet support vector machine, which belongs to the technical field of computer peer-to-peer networks.

Background technique

P2P technology (Peer to Peer Computing, referred to as P2P) is developing at a rapid speed. As a new network communication mode, P2P technology has been listed as one of the technologies that will affect the future Internet development. Grid computing technology (Grid Computing) and cloud computing technology (Cloud Computing) have become the focus of related research in the field of distributed computing technology, and have been paid more and more attention by researchers. At present, there is no exact definition for P2P technology, but its ideas have changed people's understanding and understanding of the Internet. The biggest difference between the P2P network and the traditional network is that it allows two users to link each other, transfer and share files with each other, which changes the transmission mode of the server/client in the traditional network, and the resource demander is also the resource owner. Providers, the more demanders of the same resource, the faster the download speed, which significantly improves the speed and efficiency of data transmission.

The rapid development of P2P technology has also brought many problems, which are reflected in the following aspects: (1) Occupying a large amount of network bandwidth: P2P applications such as sharing video and high-definition video occupy a large amount of network bandwidth and consume too much network resources , causing network congestion, and other normal network services cannot be carried out, which affects the rights of users of non-P2P applications and damages the interests of ISPs. (2) Network security protection issues: While the popularity of P2P applications, it also allows a large number of viruses, Trojan horse programs, and unhealthy content information to enter and spread rapidly on the Internet, giving hackers and lawbreakers opportunities to exploit. endanger the interests and safety of users. (3) Copyright issues of P2P file sharing: According to statistics, more than 80% of the content downloaded by P2P is suspected of piracy and infringement, which damages the interests of original authors. Problems such as piracy have increased the intensity of key crackdowns.

Therefore, network security, manageability, and availability of traditional applications are all challenged. To strengthen network traffic monitoring, it is very necessary to conduct in-depth understanding and analysis of P2P traffic and network behavior for the management and monitoring of P2P networks. provide technical support. P2P traffic is different from traditional WEB traffic in that it is difficult to manage and control: (1) There is no fixed network protocol standard: P2P applications use its proprietary protocol, and ordinary firewall technology cannot completely filter P2P traffic ; (2) Dynamic ports are used: in order to avoid using fixed ports to detect P2P traffic, dynamic ports are adopted. Typical applications include PPlive and Skype. (3) Masquerading as normal traffic: When Kazza and other P2P applications transmit traffic, the packet format is disguised as HTTP traffic, which is even more difficult to identify. (4) Use traffic encryption technology: Skype and others use message encryption technology, so that the encrypted P2P traffic cannot be identified according to the method of application layer feature matching.

Therefore, in order to realize the management of P2P traffic, the first problem to be solved is to realize the identification of P2P traffic. In-depth study of the characteristics of P2P network traffic, selection of appropriate identification models, and efficient identification of P2P network traffic, timely countermeasures, and effective control of P2P network traffic have very important theoretical significance and practical value.

Contents of the invention

The purpose of the present invention is to provide a peer-to-peer network traffic identification method of non-separable wavelet support vector machine, in order to find the optimal solution of the classification result under the condition of providing limited information through small samples, thus avoiding the need of many machine learning methods The shortcomings of large sample data sets and the use of nonlinear methods need to establish corresponding models for specific problems, and then efficiently identify P2P network traffic, take timely countermeasures, and effectively control P2P network traffic.

In order to achieve the above object, the technical solution of the present invention is as follows.

A peer-to-peer network traffic identification method for an inseparable wavelet support vector machine, comprising the following steps:

1. Select the eigenvectors:

Selecting an appropriate feature vector is an important aspect of identifying P2P network traffic. When selecting features for P2P network traffic, there are two principles to follow: (1) The traffic of nodes with different functions and providing different services shows differences. Behavioral characteristics, so choose the behavioral characteristics of node traffic as much as possible. (2) The selection of features should be able to reflect the difference between P2P traffic and non-P2P traffic, so as to shorten the training time and improve the accuracy of recognition. When there are enough feature vectors, the classifier can provide a more accurate recognition rate, but providing too many features will make the training time longer and increase the computational complexity.

Based on the above reasons, in the present invention, the analysis of the feature vector is carried out at three levels of data packets, network flows, and node connections:

(1) Features at the data packet level: including the average length of the packet, the maximum length of the packet, the minimum length of the packet, and statistical characteristics such as variance.

(2) Features at the network flow level: Through the original statistical characteristics of the flow, such as start time, end time, service type, etc., the flow-related statistical characteristics are obtained: the average flow duration, the average transmission rate, the average number of bytes of the flow, Packet arrival time interval and variance, etc.

(3) Features at the node connection level: Through the TCP connection status, statistics are made on the relevant characteristics of the node connection, including the symmetry of the connection and the characteristics of the IP address and port.

The following three-dimensional feature vectors are adopted in the present invention:

Vector = <v1, v2, v3>;

Among them, V1 represents the mean square error value of the packet size change, V2 represents the ratio of uplink and downlink speeds at the node, and V3 represents the ratio of the number of IP addresses to the number of ports. When identifying network traffic, the three-dimensional feature vector is used as an input vector, and then the decision function generated by the SVM model can be used to effectively identify its sample P2P sample data.

2. Select the appropriate kernel function:

P2P network traffic presents sudden and uncertain nonlinear traffic characteristics. Wavelet analysis is suitable for local analysis of signals and detection of mutation signals. Combined with wavelet analysis, multi-scale wavelet basis functions are introduced to construct the kernel function of SVM, and wavelet The recognition algorithm of SVM can fully improve the recognition accuracy of SVM. The wavelet basis function is introduced to construct the kernel function of SVM, and it is used for the traffic identification of P2P network, two conditions need to be met: (1) It meets the conditions of the construction of SVM kernel function. (2) The computational complexity of the selected wavelet basis function should not be too high, too many parameter settings will increase the training time of samples.

3. Select the incremental training algorithm:

The idea of the SVM incremental training algorithm is that its decision function is determined by the support vectors. All the support vectors in the training set are retained, and the non-support vectors are discarded. The final incremental training result is consistent with the result of unused incremental learning. of.

The incremental training algorithm is as follows:

Step 1: Obtain the initial classifier f(x) of SVM after training on the initial training set, and SVs ¹ represents the support vector set of f(x);

Step 2: Merge SVs ¹ and the newly added sample set into a new training set. After training, a new classifier will be obtained

f'(x), the new support vector set SVs ² ;

Step 3: Make SVs ¹ =SVs ² , return to Step 2.

In the incremental training algorithm, because each incremental learning in the algorithm only retains the support vectors and discards the non-support vectors, but in reality, the non-support vectors also contain useful information for classification in the data set, which will affect recognition accuracy.

4. Boosting algorithm for P2P traffic recognition of wavelet SVM:

The Boosting algorithm is an iterative algorithm that specifically deals with misclassified samples in integrated learning. Its core idea is to train different classifiers (weak classifiers) for the same training set, and then combine these weak classifiers to form a stronger classifier. The final classifier (strong classifier) of . The algorithm itself is realized by changing the data distribution. It determines the weight of each sample according to whether the classification of each sample in each training set is correct or not, and the accuracy of the last overall classification. The new data set with modified weights is sent to the lower classifier for training, and finally the classifiers obtained from each training are fused together as the final decision classifier. In this way, the key of classifier processing can be placed on the key training data of misclassified samples, thereby improving the recognition accuracy of samples.

The Boosting algorithm of wavelet SVM is to use wavelet SVM as the base classifier to train samples. First, M samples are selected from the entire P2P and non-P2P sample set S according to the weight to form a training subset S _j , and a training subset S j is obtained after training. Base classifier WSVM _j , and then use WSVM _j to test the sample set S, and the classification accuracy of WSVM _j can be obtained; then give higher weight to the misclassified samples; finally select M from S again according to the adjusted weight samples constitute a new training subset S _j+1 , if S _j+1 =S, exit, otherwise repeat the above steps. After t rounds of training, (t≤T, T is the number of iterations), a WSVM-based recognition function sequence WSVM ₁ ,...,WSVM _j is obtained, and WSVM _j is also given a weight, that is, for the sample set S Accuracy of recognition; finally, a strong classifier H(x) is obtained by weighted voting, which is used for P2P traffic recognition.

The specific algorithm is described as follows:

(1) ENTER. Base classifier WSVM; P2P and non-P2P traffic training sample set S={(x ₁ , y ₁ ),..., (x _n , y _n )}, where x _i ∈ R ^d , y ∈ {-1, 1}, 1≤i≤n; number of training iterations T; sample initial weight Di=0(1≤i≤n);

(2) for (j=1; j≤T; j++)

{

1) Select M samples from the training sample set S sequentially according to the size of the weight to obtain the training sample subset S _j ;

2) If S _j =S _j-1 (j>1), exit the loop;

3) Train S _j with WSVM algorithm to get a base classifier WSVM _j ;

4) Use WSVM _j to classify the sample set S, and get the error rate e _j ;

5) The weight of WSVM _j is recorded as α _j =1-ej;

6) Adjust the support vector and the misclassified sample weight in the sample set S to be D _i =D _1+j ;

}

(3) output. Decision function sequence h={WSVM ₁ ,...,WSVM _t }, its weight α={α ₁ ,...,α _t }, t≤T, the final decision function is:

The beneficial effect of this invention is that: the present invention provides a peer-to-peer network traffic identification method of non-separable wavelet support vector machine, in the case of providing limited information through small samples, to find the optimal solution of classification results, thereby avoiding the Many machine learning methods require large sample data sets and use non-linear methods to establish corresponding models for specific problems, so as to efficiently identify P2P network traffic and take timely countermeasures. effective control.

Description of drawings

Fig. 1 is an implementation mode diagram of P2P application connection in the embodiment of the present invention.

Fig. 2 is an implementation mode diagram of P2P application connection in the embodiment of the present invention.

Fig. 3 is a flowchart of the Boosting algorithm of the wavelet SVM in the embodiment of the present invention.

detailed description

Specific embodiments of the present invention will be described below in conjunction with the accompanying drawings, so as to better understand the present invention.

Example

A peer-to-peer network traffic identification method for non-separable wavelet support vector machines, comprising:

1. Select the eigenvectors:

Selecting an appropriate feature vector is an important aspect of identifying P2P network traffic. When selecting features for P2P network traffic, there are two principles to follow: (1) The traffic of nodes with different functions and providing different services shows differences. Behavioral characteristics, so choose the behavioral characteristics of node traffic as much as possible. (2) The selection of features should be able to reflect the difference between P2P traffic and non-P2P traffic, so as to shorten the training time and improve the accuracy of recognition. When there are enough feature vectors, it can provide a more accurate recognition rate for the classifier, but providing too many features will make the training time longer and increase the computational complexity. According to statistics, if in the algorithm based on machine learning The accuracy rate of selecting all flow characteristic attributes and identifying network traffic is only 2% higher than that of characteristic attribute selection, but the execution efficiency of the algorithm is much higher. Therefore, the selection of feature attributes is an important step in P2P traffic identification while ensuring the performance of the classifier and selecting feature vectors as much as possible.

Based on the above reasons, in the present invention, the analysis of the feature vector is carried out at three levels of data packets, network flows, and node connections:

(1) Features at the data packet level: including the average length of the packet, the maximum length of the packet, the minimum length of the packet, and statistical characteristics such as variance.

(2) Features at the network flow level: Through the original statistical characteristics of the flow, such as start time, end time, service type, etc., the flow-related statistical characteristics are obtained: the average flow duration, the average transmission rate, the average number of bytes of the flow, Packet arrival time interval and variance, etc.

(3) Features at the node connection level: Through the TCP connection status, statistics are made on the relevant characteristics of the node connection, including the symmetry of the connection and the characteristics of the IP address and port.

Different nodes in the actual network have different functions. Some nodes function as servers, providing resource transmission services to other nodes in the network, and some nodes function as clients, receiving various services provided by the server. The nodes in the P2P network can serve as servers to provide services to other peer nodes, and can also serve as clients to receive services provided by other peer nodes. Therefore, the traffic of nodes with different functions and providing different services presents different behavioral characteristics, and these behavioral characteristics are analyzed separately below.

Figure 1 is a diagram of the P2P application connection mode. In the P2P network, the connection mode of peer nodes is different from that in the traditional server/client mode. Any node in the P2P network plays a dual role, called peer nodes. P2P applications use random ports between 1024-65535 for data transmission. Under the TCP protocol, when connecting, a source node connects with multiple peer nodes. Compared with the source node, the number of IP addresses of the peer node is larger, and the port of the peer node is a random port, so the ratio of the number of IP addresses of the peer node to the number of ports is close to 1. This is different from the application in the traditional connection mode, so it serves as the identification feature of P2P traffic.

After analyzing the behavioral characteristics from the above three aspects of data packets, network flow, and node connections, the feature vectors adopted can reflect the difference between the traffic in the P2P network and the traditional network, and are also the characteristics of the P2P traffic in the real network. meet the identification requirements. Through the characteristics of these three aspects, the following three-dimensional feature vectors are adopted in the present invention:

Vector = <v1, v2, v3>;

Among them, V1 represents the mean square error value of the packet size change, V2 represents the ratio of uplink and downlink speeds at the node, and V3 represents the ratio of the number of IP addresses to the number of ports. When identifying network traffic, the three-dimensional feature vector is used as an input vector, and then the decision function generated by the SVM model can be used to effectively identify its sample P2P sample data.

2. Select the appropriate kernel function:

SVM uses the method of kernel function to ensure good generalization ability and solve the dimensionality problem of training sample feature space. By selecting different kernel functions, it can deal with nonlinear problems. At present, the identification of P2P network traffic is common. The radial basis (RBF) kernel function is adopted, because the RBF kernel has fewer parameters than other kernel functions, the calculation difficulty is less, and it can be used for samples of all distributions. P2P network traffic presents sudden and uncertain nonlinear traffic characteristics. Wavelet analysis is suitable for local analysis of signals and detection of mutation signals. Combined with wavelet analysis, multi-scale wavelet basis functions are introduced to construct the kernel function of SVM, and wavelet The recognition algorithm of SVM can fully improve the recognition accuracy of SVM. The wavelet basis function is introduced to construct the kernel function of SVM, and it is used for the traffic identification of P2P network, two conditions need to be met: (1) It meets the conditions of the construction of SVM kernel function. (2) The computational complexity of the selected wavelet basis function should not be too high, too many parameter settings will increase the training time of samples. as shown in picture 2.

3. Select the incremental training algorithm:

The traditional SVM completes the training and classification process once, and needs to solve the quadratic programming during training. When the training sample set is relatively large, it needs to occupy a large memory and the convergence speed is slow. With the ever-changing network data information, its data set also presents the characteristics of imbalance and diversity, so the recognition accuracy of the classifier trained by the existing single classifier and incremental algorithm is not very ideal. In fact, the main factor affecting the recognition accuracy is the existence of a large number of misclassified samples. The Boosting algorithm in ensemble learning is a classification method specifically for misclassified samples. The present invention proposes a wavelet SVM-based Boosting algorithm applied to P2P traffic identification, and improves the generalization ability of the learning machine by focusing on training misclassified samples during the learning process, thereby improving the accuracy of identification.

In SVM, the support vector can describe the characteristics of the entire sample data set. For the SVM with a determined kernel function, the optimal classification surface is only related to its support vector, and the classification of the entire sample data set can be equivalent to the classification of the support vector. That is to say, the vectors other than the support vectors in the sample training set are removed, and the training is performed again, then the training result is consistent with the result obtained in the entire sample training set. The idea of the SVM incremental training algorithm is that its decision function is determined by the support vectors. All the support vectors in the training set are retained, and the non-support vectors are discarded. The final incremental training result is consistent with the result of unused incremental learning. of.

The incremental training algorithm is as follows:

Step 1: Obtain the initial classifier f(x) of SVM after training on the initial training set, and SVs ¹ represents the support vector set of f(x);

Step 2: Merge SVs ¹ and the newly added sample set into a new training set. After training, a new classifier f'(x) and a new support vector set SVs ² will be obtained;

Step 3: Make SVs ¹ =SVs ² , return to Step 2.

In the incremental training algorithm, because each incremental learning in the algorithm only retains the support vectors and discards the non-support vectors, but in reality, the non-support vectors also contain useful information for classification in the data set, which will affect recognition accuracy.

4. Boosting algorithm for P2P traffic recognition of wavelet SVM:

The Boosting algorithm is an iterative algorithm that specifically deals with misclassified samples in integrated learning. Its core idea is to train different classifiers (weak classifiers) for the same training set, and then combine these weak classifiers to form a stronger classifier. The final classifier (strong classifier) of . The algorithm itself is realized by changing the data distribution. It determines the weight of each sample according to whether the classification of each sample in each training set is correct or not, and the accuracy of the last overall classification. The new data set with modified weights is sent to the lower classifier for training, and finally the classifiers obtained from each training are fused together as the final decision classifier. In this way, the key of classifier processing can be placed on the key training data of misclassified samples, thereby improving the recognition accuracy of samples.

Fig. 3 is the boosting algorithm flow chart of wavelet SVM in the embodiment of the present invention, is to use wavelet SVM as base classifier to train samples, first select M samples according to the weight size from the whole P2P and non-P2P sample set S to form a training Subset S _j , get a base classifier WSVM _j after training, and then use WSVM _j to test the sample set S, you can get the classification accuracy of WSVM _j ; then give higher weight to the misclassified samples; finally according to After adjusting the weight size, select M samples from S again to form a new training subset S _j+1 , and exit if S _j+1 =S, otherwise repeat the above steps. After t rounds of training, (t≤T, T is the number of iterations), a WSVM-based recognition function sequence WSVM ₁ ,...,WSVM _j is obtained, and WSVM _j is also given a weight, that is, for the sample set S Accuracy of recognition; finally, a strong classifier H(x) is obtained by weighted voting, which is used for P2P traffic recognition.

The specific algorithm is described as follows:

(1) ENTER. Base classifier WSVM; P2P and non-P2P traffic training sample set S={(x ₁ , y ₁ ),..., (x _n , y _n )}, where x _i ∈ R ^d , y ∈ {-1, 1}, 1≤i≤n; number of training iterations T; sample initial weight Di=0(1≤i≤n);

(2) for (j=1; j≤T; j++)

{

1) Select M samples from the training sample set S sequentially according to the size of the weight to obtain the training sample subset S _j ;

2) If S _j =S _j-1 (j>1), exit the loop;

3) Train S _j with WSVM algorithm to get a base classifier WSVM _j ;

4) Use WSVM _j to classify the sample set S, and get the error rate e _j ;

5) The weight of WSVM _j is recorded as α _j =1-ej;

6) Adjust the support vector and the misclassified sample weight in the sample set S to be D _i =D _1+i ;

}

(3) output. Decision function sequence h={WSVM ₁ ,...,WSVM _t }, its weight α={α ₁ ,...,α _t }, t≤T, the final decision function is:

The above description is a preferred embodiment of the present invention, and it should be pointed out that for those skilled in the art, without departing from the principle of the present invention, some improvements and modifications can also be made, and these improvements and modifications are also considered Be the protection scope of the present invention.

Claims (3)

1. a kind of peer-to-peer network method for recognizing flux of inseparable wavelet support vector machines it is characterised in that：Comprise the following steps：

(1) selected characteristic vector：Two principles are followed：A () has difference in functionality and with the node flow providing different services is in Reveal discrepant behavioural characteristic, so selecting the behavioural characteristic of node flow as far as possible；B the selection of () feature is wanted can be anti- Mirroring the difference of P2P flow and non-P2P flow thus playing the shortening training time, improving the purpose of the accuracy of identification；Select Packet, network flow, node connect three aspects as characteristic vector；The feature of described packet aspect：Average including bag Length, the maximum length of bag, the minimum length of bag, and variance statistic feature；The feature of described network flow aspect：By convection current Original statistical nature, the time started, the end time, COS obtains flowing related statistical nature：Mean flow lasting when Between, average transmission rate, the average byte number of stream, time interval and variance that bag reaches；Described node connects the spy of aspect Levy：By the connection status of TCP, the correlated characteristic that node is connected counts, include symmetry that connection presents and IP address, port identity；Using following three-dimensional feature vector：Vector=<V1, v2, v3>；Wherein, V1 represents data package size The mean square deviation of change, V2 represents the ratio of up-downgoing speed at node, and V3 represents the ratio of IP address quantity and port number； When being identified to network traffics, using three-dimensional feature vector as input vector；

(2) select suitable kernel function：Introduce wavelet basis function to construct the kernel function of SVM, and the flow for P2P network Identification, needs to meet two conditions：A () meets the condition of the construction of SVM kernel function；(2) calculating of the wavelet basis function selecting Complexity is low, and excessive parameter setting can increase the training time of sample；

(3) select incremental training algorithm：The thought of SVM incremental training algorithm is exactly its decision function is to be determined by supporting vector , the supporting vector in training set is all remained, gives up non-supporting vector, the result of final incremental training is and does not make It is consistent with the result of incremental learning；

(4) the Boosting algorithm of the P2P flow identification of small echo SVM：Small echo SVM is trained to sample as base grader, M sample is selected to constitute a training subset S according to weight size first from whole P2P and non-P2P sample set S_j, Jing Guoxun A base grader WSVM is drawn after white silk_j, then use WSVM_jTest sample collection S is it can be deduced that WSVM_jClassification accuracy；So Give higher weight to wrong point of sample afterwards；It is last that according to the weight size after adjustment, M sample of selection from S is constituted again New training subset S_j+1If, S_j+1=S then exits, and otherwise repeats above step；After training t wheel, (t≤T, T are iteration Number of times), obtain recognition function sequence WSVM based on WSVM₁..., WSVM_j, WSVM simultaneously_jAlso weights are given, also It is the accuracy rate to sample set S identification；Eventually through obtaining strong classifier H (x) by the way of the ballot having weight, use Identification in P2P flow.

2. the peer-to-peer network method for recognizing flux of a kind of inseparable wavelet support vector machines according to claim 1, it is special Levy and be：Incremental training algorithm steps in described step (3) are as follows：

Step 1：Preliminary classification device f (x) of SVM, SVs are obtained through training on initial training set¹Represent f (x) support to Quantity set；

Step 2：By SVs¹Merge into new training set with newly-increased sample set, after training, new grader f ' (x) will be obtained, New supporting vector collection SVs²；

Step 3：Make SVs¹=SVs², return to step 2.

3. the peer-to-peer network method for recognizing flux of a kind of inseparable wavelet support vector machines according to claim 1, it is special Levy and be：The Boosting arthmetic statement of the P2P flow identification of the small echo SVM in described step (4) is as follows：

(1) input：Base grader WSVM；P2P and non-P2P flow training sample set S={ (x₁, y₁) ..., (x_n, y_n), wherein x_i∈R^d, y ∈ { -1,1 }, 1≤i≤n；The iterations T of training；Sample initial weight Di=0 (1≤i≤n)；

(2) for (j=1；j≤T；j++)

{

1) size according to weight chooses M sample successively from training sample set S, obtains training sample subset S_j；

2) if S_j=S_j-1(j ＞ 1) then exits circulation；

3) use WSVM Algorithm for Training S_j, obtain a base grader WSVM_j；

4) use WSVM_jClassified sample set S, obtaining error rate is e_j；

5)WSVM_jWeight be designated as α_j=1-ej；

6) sample weights that the mistake in adjustment supporting vector and sample set S is divided are D_i=D_1+i；

}

(3) export：Decision function sequences h={ WSVM₁..., WSVM_t, its weight α={ α₁..., α_t, t≤T, final determines Plan function is：

$H\left(x\right)=sign\left(\underset{i=1}{\overset{t}{\&Sigma;}}{\mathrm{\&alpha;}}_i{h}_i\left(x\right)\right).$