CN103944783B - Stream recognition method based on posteriority feature - Google Patents
- Publication number: CN103944783B
- Application number: CN201410165425.8A
- Authority: CN (China)
- Prior art keywords: packet, posteriority, strategy, stream, characteristic information
- Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a stream recognition method based on posteriority features, comprising the following steps: 1: set a posteriority strategy; 2: set a derivation strategy and an ageing time Tr; 3: build a derived flow table; 4: build a backtracking data pool; 5: match incoming packets against the posteriority strategy; 6: extract the stream characteristic information contained in a packet that hits the posteriority strategy and create a derived-flow-table entry that stores the complete stream characteristic information and the timestamp Tm at which the match occurred; 7: write incoming packets into the backtracking data pool for delay processing, read out each delayed packet and extract its stream characteristic information, look up the derived flow table using the hash value of that information, and record the current time as Tn; if the stream characteristic information in the derived flow table matches that of the delayed packet and Tn-Tm<Tr holds, mark the current packet as a hit packet. The invention is simple to implement and highly reliable.
Description
(1) Technical field: The present invention relates to a stream recognition method, and more particularly to a stream recognition method based on posteriority features.
(2) Background: Classifying and handling different service flows by means of service-flow identification and classification is very widely used in existing network equipment. In current network devices, real-time stream identification and classification are all implemented on the basis of specific a priori strategies: once a strategy match occurs, the traffic features are extracted and the subsequent traffic is then processed.
With this a priori processing logic, when the complete flow data needs to be extracted, the packets of the stream that arrived before the strategy match occurred cannot be effectively identified or classified. As a result, the complete flow data cannot be obtained, or no action can be taken on the complete flow data.
(3) Summary of the invention:
The technical problem to be solved by the present invention is to provide a stream recognition method based on posteriority features that can backtrack over the complete set of packets of a data flow, and that is simple to implement and highly reliable.
Technical solution:
A stream recognition method based on posteriority features comprises the following steps:
Step 1: Set a posteriority strategy;
Step 2: Set a derivation strategy and an ageing time Tr, where the ageing time Tr is the period for which the derivation strategy remains in effect;
Step 3: Build a derived flow table;
Step 4: Build a backtracking data pool;
Step 5: Match the packets entering the identification system against the posteriority strategy; if a packet P produces a match hit, the data flow now satisfies the posteriority strategy condition, and all packets of that data flow are marked and output;
Step 6: Extract the stream characteristic information contained in the packet that hit the posteriority strategy, perform a hash operation on the stream characteristic information, use the hash value as the lookup key to create an entry of the derived flow table, store in the entry the complete stream characteristic information and the timestamp Tm at which the match occurred, and write the entry into the derived flow table;
Step 7: Write the packets entering the identification system into the backtracking data pool, delay them in the memory of the backtracking data pool for a duration Td, then read out the delayed packet Pd, extract the stream characteristic information of the delayed packet Pd, look up the derived flow table using the hash value of that stream characteristic information, and record the current time as Tn; if the stream characteristic information in the derived flow table matches that of the delayed packet, compare against the timestamp Tm, and if Tn-Tm<Tr holds, mark the current packet as a hit packet.
The posteriority strategy has the following characteristic: when, at some moment during the lifetime of a data flow, a packet matches the features of the posteriority strategy, the processing action required after the successful match is to backtrack over the packets of that data flow that arrived earlier;
The derivation strategy is extracted and derived from the packet that hit the posteriority strategy; a derivation strategy corresponds to one unique data flow and to any packet in that data flow;
The derived flow table contains N derivation strategies, where N is a natural number greater than or equal to 1; the index of the derived flow table is the hash value of the derived stream's characteristic information, and the derived flow table holds the complete characteristic information of the derived stream and the generation time of the derivation strategy;
The backtracking data pool stores and reads packets using two memories in ping-pong fashion.
"All packets" in step 5 includes the packets that entered the identification system before the match hit.
The stream characteristic information in step 6 includes the five-tuple.
The duration Td in step 7 is determined dynamically from indicators such as the design capacity of the identification system, the average duration of data flows and the data ingress rate, or is specified as a fixed value that is less than the duration the identification system's design capacity can bear. Delay processing is the key means of achieving the posteriority behaviour: it ensures that the derivation strategy has already been generated before the packet arrives.
To resolve hash collisions, the hash bucket depth can be set to more than 2; when a collision occurs, the timestamps Tm of the different entries are compared and the earlier entry is overwritten.
A flow identification system based on posteriority features is implemented on FPGA/CAM/SRAM/DDR-II, where CAM is the abbreviation of Content Addressable Memory. The system comprises:
Prescreening engine: this module uses CAM-based table-lookup logic to prescreen specific streams according to known conditions, reducing the data traffic entering the posteriority-strategy flow identification system and thereby giving the system a longer duration Td;
Posteriority strategy matching engine: this module uses CAM-based table-lookup logic to perform posteriority strategy matching;
Derived flow table maintenance module: this module maintains the derived-flow-table entries generated after a posteriority strategy match and writes the flow table entries to SRAM for storage;
Backtracking data pool module: this module delays packets by switching between storing to and reading from two DDR-II memories, giving the system its backtracking capability;
Derived flow table lookup engine: this module matches the delayed packets against the flow table entries and marks the packets according to the result.
Beneficial effects of the present invention:
1. The invention can perform posteriority strategy matching on any packet of a data flow. After a posteriority strategy match occurs, it extracts the characteristic information of the stream from the packet and applies the extracted features to the packets of that stream that arrived within the preceding period, thereby backtracking over the packets of the complete data flow. This backtracking lets the posteriority strategy identify and classify packets that arrived earlier, which to a large extent ensures the completeness of the hit stream.
2. The invention is simple to implement and needs no large external storage device; all functions can be implemented on a single circuit board, so reliability is high.
3. The invention is flexible: by dynamically adjusting parameters such as the prescreening strategy and the strategy ageing time, the backtracking time supported for streams can be adjusted dynamically.
(4) Description of the drawings:
Fig. 1 is a structural diagram of the flow identification system based on posteriority features;
Fig. 2 is a diagram of lookup-key extraction for posteriority strategy matching in the flow identification system based on posteriority features;
Fig. 3 is a diagram of the table entry contents for posteriority strategy keywords in the flow identification system based on posteriority features;
Fig. 4 is a diagram of the contents of the flow table generated by the posteriority strategy matching engine in the flow identification system based on posteriority features;
Fig. 5 is a diagram of the backtracking data pool, which uses a dual-memory ping-pong delay structure, in the flow identification system based on posteriority features.
(5) Specific embodiment:
For a better understanding of the invention, the technical solution is described below with reference to the proposed flow identification system based on posteriority features.
As shown in Fig. 1, packets entering the system are first filtered by the prescreening engine. The purpose of prescreening is to reduce the volume of data traffic entering the system, so that a longer backtracking time can be provided with limited memory. Prescreening can be carried out using stream feature keywords stored in the CAM, or by directly designating the data of a certain interface/branch of the raw data, or the data that matches a certain feature.
The data output by the prescreening module is sent both to the packet delay module, where it is delayed, and to the posteriority feature matching engine, where it is matched.
The posteriority feature matching engine performs posteriority strategy matching on the data flow.
A posteriority strategy is typically a sensitive word in the text of the data flow, and mostly takes the form of a character string. The system uses a CAM chip to look up sensitive words in packets. As shown in Fig. 2, let the supported sensitive-word width be CL bytes and the table entry width be PL bytes; then, starting from the beginning of the packet body, a lookup key is extracted at intervals of PL-CL+1 bytes and sent to the CAM chip for lookup. For one sensitive word, according to the offsets at which it may appear within the lookup key, PL-CL masked entries should be derived in the CAM chip, as shown in Fig. 3.
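A software model of the key extraction and masked CAM entries described above, added here as an illustration and not taken from the patent: keys of PL bytes are cut every PL-CL+1 bytes, and the word is stored once for each offset from 0 to PL-CL inside a key, with a mask that hides the other bytes. PL=8, CL=3 and all function names are assumptions.

```python
# Added illustration (not from the patent): ternary-CAM style keyword lookup.
PL = 8   # lookup key / table entry width in bytes (constructed value)
CL = 3   # sensitive-word width in bytes (constructed value)

def masked_entries(word: bytes, pl: int = PL):
    """Build one (value, mask) pair per offset the word can occupy in a key."""
    cl = len(word)
    entries = []
    for off in range(pl - cl + 1):            # offsets 0 .. pl-cl
        tail = pl - cl - off
        value = bytes(off) + word + bytes(tail)
        mask = bytes(off) + b"\xff" * cl + bytes(tail)
        entries.append((value, mask))
    return entries

def lookup_keys(payload: bytes, pl: int = PL, cl: int = CL):
    """Cut pl-byte keys every pl-cl+1 bytes; the last key is zero-padded.

    Consecutive keys overlap by cl-1 bytes, so a cl-byte word that starts
    anywhere in the payload lies completely inside exactly one key.
    """
    stride = pl - cl + 1
    for start in range(0, len(payload) - cl + 1, stride):
        yield start, payload[start:start + pl].ljust(pl, b"\x00")

def cam_match(key: bytes, entries) -> bool:
    """Ternary compare: only the bytes whose mask is 0xff take part."""
    return any(
        all((k & m) == (v & m) for k, v, m in zip(key, value, mask))
        for value, mask in entries
    )

def find_word(payload: bytes, word: bytes, pl: int = PL):
    """Return the start offsets of the keys in which the word was found."""
    entries = masked_entries(word, pl)
    return [start for start, key in lookup_keys(payload, pl, len(word))
            if cam_match(key, entries)]

if __name__ == "__main__":
    sample = b"....." + b"abc" + b"............"   # constructed payload
    print(find_word(sample, b"abc"))               # key starting at byte 0
```

Zero padding of the last key is safe here because the sample word contains no zero bytes; a word with trailing zero bytes would need the key length tracked separately.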
The posteriority feature matching engine computes a HASH over the stream characteristic information of the packet currently being looked up. When a sensitive word of a posteriority strategy is detected in a packet, the CAM chip returns a hit indication and the ID of the strategy that was hit. On a hit indication, the posteriority feature matching engine reads the flow table using the HASH value as the index; the structure of the flow table is shown in Fig. 4. The flow table holds the complete stream characteristic information and the timestamp of the most recent match hit. If the HASH bucket depth is 2, an empty entry is sought among the two entries of the flow table, and the stream characteristic information of this packet and the hit time are written into it; if there is no empty entry, the entry generated first of the two is chosen and overwritten. The flow table is then updated.
The packet delay module delays the packets. The system uses two memories in ping-pong fashion to store and read packets respectively. As shown in Fig. 5, let t1 be the time it takes the data packets to fill a single memory and t2 the maximum packet output delay the system can accept; when the timer reaches Min(t1,t2), the memories swap read and write roles. Suppose that when data is injected at full rate a single memory can store at most T0 of traffic, and t2>T0; then clearly Min(t1,t2)>T0. That is, the system can provide a delay of at least T0. In fact, because of the front-end prescreening engine, the delay the system can provide is far greater than T0. The delay the system can provide corresponds to its capability to backtrack over packets.
The flow table lookup engine matches the delayed packets against the flow table on a per-stream basis. The delayed packet is hashed with the same HASH algorithm described above, the flow table is read using the HASH value, and the stream characteristic information of the packet is compared exactly with that stored in the entry. If they are identical, the generation time Tm of the corresponding entry is taken; with the current time Tn and the derivation strategy ageing time Tr, if Tn-Tm<Tr holds, the packet is judged to hit the flow table and is output after being marked accordingly.
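Steps 5 to 7 modelled in software, as an added example that is not part of the patent: the backtracking data pool is a FIFO that holds each packet for Td, the derived flow table uses buckets of depth 2 with the oldest Tm overwritten, and a substring test and CRC32 stand in for the CAM match and the unspecified hash. The class, the trace and the values Td=5 and Tr=8 are constructed for illustration.

```python
# Added illustration (not from the patent): software model of steps 5-7.
import zlib
from collections import deque, namedtuple

Packet = namedtuple("Packet", "ts flow payload")   # flow = five-tuple

class RetroIdentifier:
    def __init__(self, word, td, tr, buckets=1024, depth=2):
        self.word, self.td, self.tr = word, td, tr
        self.buckets, self.depth = buckets, depth
        self.table = {}       # bucket index -> list of [flow, Tm] entries
        self.pool = deque()   # backtracking data pool, modelled as a FIFO

    def _index(self, flow):
        # CRC32 stands in for the unspecified hash of the five-tuple.
        return zlib.crc32(repr(flow).encode()) % self.buckets

    def learn(self, flow, tm):
        """Step 6: write (or refresh) the derived-flow-table entry."""
        bucket = self.table.setdefault(self._index(flow), [])
        for entry in bucket:
            if entry[0] == flow:
                entry[1] = tm
                return
        if len(bucket) >= self.depth:     # collision and bucket full:
            bucket.remove(min(bucket, key=lambda e: e[1]))  # drop oldest Tm
        bucket.append([flow, tm])

    def is_hit(self, flow, tn):
        """Step 7: exact five-tuple compare, then the Tn - Tm < Tr test."""
        for known, tm in self.table.get(self._index(flow), []):
            if known == flow:
                return tn - tm < self.tr
        return False

    def _drain(self, now):
        """Release packets whose delay Td has expired; Tn = arrival + Td."""
        out = []
        while self.pool and self.pool[0].ts + self.td <= now:
            old = self.pool.popleft()
            out.append((old, self.is_hit(old.flow, old.ts + self.td)))
        return out

    def feed(self, pkt):
        """Ingest one packet; return (packet, hit) pairs leaving the pool."""
        out = self._drain(pkt.ts)       # older packets leave before this match
        if self.word in pkt.payload:    # step 5 (substring test replaces CAM)
            self.learn(pkt.flow, pkt.ts)
        self.pool.append(pkt)
        return out

    def flush(self):
        """End of trace: release everything still in the pool."""
        return self._drain(float("inf"))

A = ("10.0.0.1", 40000, "10.0.0.2", 80, "tcp")   # constructed five-tuples
B = ("10.0.0.3", 40001, "10.0.0.2", 80, "tcp")
TRACE = [Packet(0, A, b"hello"), Packet(3, A, b"part one"),
         Packet(4, B, b"unrelated"), Packet(7, A, b"the secret word"),
         Packet(9, A, b"part three"), Packet(11, A, b"trailer")]

def run(trace, word=b"secret", td=5, tr=8):
    ident = RetroIdentifier(word, td, tr)
    out = [r for pkt in trace for r in ident.feed(pkt)] + ident.flush()
    return [(pkt.ts, pkt.flow, hit) for pkt, hit in out]

if __name__ == "__main__":
    for ts, flow, hit in run(TRACE):
        print(ts, flow[0], "HIT" if hit else "-")
```

With this trace the packet at t=3, which arrived before the match at t=7, is marked as a hit because it was still in the pool, while the packet at t=0 had already left the pool and the packet at t=11 leaves it after Tr has expired.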
Claims (5)
1. A stream recognition method based on posteriority features, characterized in that it comprises the following steps:
Step 1: Set a posteriority strategy, the posteriority strategy having the following characteristic: when, at some moment during the lifetime of a data flow, a packet matches the features of the posteriority strategy, the processing action required after the successful match is to backtrack over the packets of that data flow that arrived earlier;
Step 2: Set a derivation strategy and an ageing time Tr, where the ageing time Tr is the period for which the derivation strategy remains in effect;
Step 3: Build a derived flow table;
Step 4: Build a backtracking data pool;
Step 5: Match the incoming packets against the posteriority strategy; if a packet produces a match hit, the data flow now satisfies the posteriority strategy condition, and all packets of that data flow are marked and output;
Step 6: Extract the stream characteristic information contained in the packet that hit the posteriority strategy, perform a hash operation on the stream characteristic information, use the hash value as the lookup key to create an entry of the derived flow table, store in the entry the complete stream characteristic information and the timestamp Tm at which the match occurred, and write the entry into the derived flow table;
Step 7: Write the incoming packets into the backtracking data pool, delay them in the memory of the backtracking data pool for a duration Td, then read out the delayed packet, extract the stream characteristic information of the delayed packet, look up the derived flow table using the hash value of that stream characteristic information, and record the current time as Tn; if the stream characteristic information in the derived flow table matches that of the delayed packet, compare against the timestamp Tm, and if Tn-Tm<Tr holds, mark the current packet as a hit packet.
2. The stream recognition method based on posteriority features according to claim 1, characterized in that: the derivation strategy is extracted and derived from the packet that hit the posteriority strategy, and a derivation strategy corresponds to one unique data flow and to any packet in that data flow;
the derived flow table contains N derivation strategies, where N is a natural number greater than or equal to 1; the index of the derived flow table is the hash value of the derived stream's characteristic information, and the derived flow table holds the complete characteristic information of the derived stream and the generation time of the derivation strategy;
the backtracking data pool stores and reads packets using two memories in ping-pong fashion.
3. The stream recognition method based on posteriority features according to claim 1, characterized in that: "all packets" in step 5 includes the packets that entered before the match hit.
4. The stream recognition method based on posteriority features according to claim 1, characterized in that: the stream characteristic information in step 6 includes the five-tuple.
5. The stream recognition method based on posteriority features according to claim 1, characterized in that: the duration Td in step 7 is determined dynamically from indicators such as the identification design capacity, the average duration of data flows and the data ingress rate, or is specified as a fixed value that is less than the duration the identification design capacity can bear.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410165425.8A CN103944783B (en) | 2014-04-23 | 2014-04-23 | Stream recognition method based on posteriority feature |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410165425.8A CN103944783B (en) | 2014-04-23 | 2014-04-23 | Stream recognition method based on posteriority feature |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103944783A CN103944783A (en) | 2014-07-23 |
CN103944783B true CN103944783B (en) | 2017-06-09 |
Family
ID=51192276
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410165425.8A Active CN103944783B (en) | 2014-04-23 | 2014-04-23 | Stream recognition method based on posteriority feature |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103944783B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |