CN105357118A - Rule based flow classifying method and system - Google Patents
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/38—Flow based routing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a rule based flow classifying method and device. The rule based flow classifying method comprises the steps of presetting a rule set and constructing a rule hierarchical matching tree based on rules in the rule set, wherein the rule hierarchical matching tree comprises a first rule layer and a second rule layer; when a data packet is received, obtaining a host and a URI (Uniform Resource Identifier) of the data packet; searching matched rules in the first rule layer according to the host by the matcher; after determining that the first rule layer matched rules are found, triggering a next matcher in the first rule layer matched rules to search matched rules in the second rule layer based on the uniform resource identifier. According to the rule based flow classifying method and device, stability of the system for resource consumption along with increase of rules and protocol domains is ensured, and the flow classifying speed is also increased.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a rule-based traffic classification method and system.
Background
At present, new application models and applications keep emerging on the Internet, and network traffic keeps growing and diversifying, which poses a huge challenge to Internet operation and management. Real-time network traffic classification helps ISPs understand the running state of the network and is of great significance for optimizing network operation and management.
In a rule-based traffic classification system that handles a large number of semantic-based rules, the rules are usually all organized for matching by deterministic finite automata (DFA), and there are two matching approaches. In Fig. 1, a matcher is constructed for each rule, and a matcher completes its matching process by matching the rule's protocol domains in order; the matchers are then tried one after another in sequence. If the current matcher does not match, matching moves on to the next matcher, until one matcher matches or all matchers have been checked. The matching speed is affected by the number of rules/matchers and by the number of protocol domains in a specific rule. In Fig. 2, all rules are first divided according to their protocol domains, and the regular expressions of the same protocol domain are then merged into one DFA-based matcher; the system stops the matching process only when one matcher fails to match or all matchers have been checked.
The shortcomings of these two ways of organizing rules are:
Combining the values in the rules causes a sharp increase in memory use, which brings a risk of unpredictable behavior.
Extra space is spent storing the intermediate match results while each matcher runs. Extra time is also spent merging the intermediate match results to obtain the finally matched rule. As the number of rules and protocol domains grows, this problem becomes more and more serious: resource consumption increases greatly and matching speed drops.
Summary of the invention
In view of this, the object of the present invention is to address the above technical problem by providing a rule-based traffic classification method and system that keeps the system's resource consumption stable as the number of rules and protocol domains grows, while also increasing the speed of traffic classification.
The invention provides a rule-based traffic classification method, comprising: presetting a rule set, and constructing a rule hierarchical matching tree from the rules in the rule set, the rule hierarchical matching tree comprising a first rule layer and a second rule layer; when a data packet is received, obtaining the domain name and the uniform resource identifier of the data packet; a matcher searching the first rule layer for a matching rule according to the domain name; and, after it is determined that a first-rule-layer matching rule has been found, triggering the next matcher in the first-rule-layer matching rule to search the second rule layer for a matching rule according to the uniform resource identifier.
Further, each rule of the rule set comprises a rule ID, and the domain name and uniform resource identifier corresponding to the rule ID.
Further, constructing the rule hierarchical matching tree from the rules in the rule set is specifically: constructing the rule hierarchical matching tree from the rules in the rule set according to domain name and uniform resource identifier.
Further, constructing the rule hierarchical matching tree from the rules in the rule set is specifically: classifying the rules in the rule set by domain name to form the first rule layer, where rules with the same domain name are grouped into one class, forming the sub-rule sets of the first rule layer; and classifying the sub-rule sets of the first rule layer by uniform resource identifier to form the second rule layer.
The invention also provides a rule-based traffic classification device, comprising: a setting module, for presetting a rule set and constructing a rule hierarchical matching tree from the rules in the rule set, the rule hierarchical matching tree comprising a first rule layer and a second rule layer; an acquiring unit, for obtaining the domain name and the uniform resource identifier of a data packet when the data packet is received; and a matcher, for searching the first rule layer for a matching rule according to the domain name and, after it is determined that a first-rule-layer matching rule has been found, triggering the next matcher in the first-rule-layer matching rule to search the second rule layer for a matching rule according to the uniform resource identifier.
Further, each rule of the rule set comprises a rule ID, and the domain name and uniform resource identifier corresponding to the rule ID.
Further, the setting module constructing the rule hierarchical matching tree from the rules in the rule set is specifically: the setting module classifies the rules in the rule set by domain name to form the first rule layer, where rules with the same domain name are grouped into one class, forming the sub-rule sets of the first rule layer; and classifies the sub-rule sets of the first rule layer by uniform resource identifier to form the second rule layer.
Compared with the prior art, the beneficial effects of the invention are: without reducing the matching speed of the DFA-based matchers, the invention removes the overhead of intermediate results when switching between matchers, improving system performance. In addition, with the rule hierarchical matching tree structure, the next matcher is determined by the match result of the current matcher, so each matcher is built on a small rule set, which reduces the risk of memory overflow.
Brief description of the drawings
Fig. 1 is a schematic diagram of one prior-art approach to matching a large number of semantic-based rules.
Fig. 2 is a schematic diagram of another prior-art approach to matching a large number of semantic-based rules.
Fig. 3 is a schematic diagram of the approach to matching a large number of semantic-based rules disclosed by the invention.
Fig. 4 is a schematic diagram of the rule-based traffic classification method disclosed by the invention.
Fig. 5 is a schematic diagram of the rule set of one specific embodiment of the invention.
Embodiments
The invention is described below with reference to the embodiments shown in the drawings. These embodiments do not limit the invention; structural, methodological or functional changes made by those of ordinary skill in the art on the basis of these embodiments all fall within the protection scope of the invention.
Compared with the prior art, the invention divides the whole large rule set into small sub-rule sets according to protocol domain, as shown in Fig. 3, and each matcher only needs to store its corresponding sub-rule set.
Fig. 4 is a schematic diagram of the rule-based traffic classification method disclosed by the invention. With reference to Fig. 3, the method comprises:
Step 401: preset a rule set.
In this step, each rule in the rule set comprises a rule ID, and the domain name (Host) and uniform resource identifier (URI, Uniform Resource Identifier) corresponding to the rule ID.
Table 1 below gives an example of a rule set; other rule settings are of course possible and are not limited here.
Table 1
RuleID | Field=="Host" | Field=="URI" |
---|---|---|
1 | weibo.cn | gettimeline.php |
2 | weibo.cn | getnews.php |
3 | * | .jpg |
4 | 3g.qq.com | * |
5 | * | .css |
Step 402: construct a rule hierarchical matching tree from the rules in the rule set; the rule hierarchical matching tree comprises a first rule layer and a second rule layer.
In this step, the rules in the rule set are formed into a rule hierarchical matching tree according to Host and URI. Specifically, the rules in the rule set are classified by Host to form the first rule layer, where rules with the same Host are grouped into one class, forming a sub-rule set; the sub-rule sets of the first rule layer are then classified by URI to form the second rule layer.
For example, a rule hierarchical matching tree is constructed from the rules in Table 1, as shown in Fig. 5. In rule set $M_{0,0}$, rules R1 and R2, which have the same Host weibo.cn, are grouped into one class to form a sub-rule set, that is, $M_{1,0}$ comprises rules R1 and R2. The rules whose Host is 3g.qq.com and * are classified separately, that is, $M_{1,1}$ comprises rule R4 and $M_{1,2}$ comprises rules R3 and R5. This forms the first rule layer. The sub-rule sets of the first rule layer are then classified further by their different URIs to form the second rule layer, which is R1, R2, R3, R4 and R5 respectively.
In addition, as the protocol domains defined by all the rules in the rule set and the number of protocol domains increase, the number of levels of the rule hierarchical matching tree can increase accordingly; this is not limited here.
Step 403: when a data packet is received, obtain the Host and URI of the data packet; a matcher searches the first rule layer for a matching rule according to the Host, and triggers the next matcher in the matching rule found in the first rule layer, which searches the second rule layer for a matching rule according to the URI.
In this step, suppose a data packet whose "Host" protocol domain is "weibo.cn" and whose "URI" protocol domain is "/ttt/gettimeline.php" enters the system. The first matcher, at $M_{0,0}$, looks up the "Host" protocol domain of the data packet and selects the branch that activates the next matcher, $M_{1,0}$, which then matches the "URI" protocol domain of the data packet. Because $M_{1,0}$ is the last protocol domain, R1 is obtained as the rule finally matched by this data packet.
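The two-layer lookup of steps 401 to 403 over the Table 1 rule set, as an added example that is not part of the patent text. It swaps the DFA-based matchers for a dictionary lookup on Host and a suffix comparison on URI; the function names, the suffix and longest-pattern semantics, the query-string stripping and the fallback to the `*` Host branch are all assumptions made for illustration.

```python
from collections import defaultdict

# Rule set from Table 1: (rule ID, Host, URI); "*" is a wildcard.
RULES = [
    (1, "weibo.cn", "gettimeline.php"),
    (2, "weibo.cn", "getnews.php"),
    (3, "*", ".jpg"),
    (4, "3g.qq.com", "*"),
    (5, "*", ".css"),
]


def build_tree(rules):
    """First rule layer: Host -> sub-rule set.
    Second rule layer: URI pattern -> rule ID."""
    tree = defaultdict(dict)
    for rule_id, host, uri in rules:
        tree[host.lower()][uri] = rule_id
    return dict(tree)


def match_uri(sub_rules, uri):
    """Second-layer matcher; it sees one sub-rule set only.

    Assumption: a pattern matches when the request path (query string
    removed) ends with it; the longest pattern wins, "*" is the fallback.
    """
    path = uri.split("?", 1)[0]
    best = None
    for pattern, rule_id in sub_rules.items():
        if pattern != "*" and path.endswith(pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, rule_id)
    if best is not None:
        return best[1]
    return sub_rules.get("*")


def classify(tree, host, uri):
    """Return the matched rule ID, or None when no rule applies.

    The Host matcher selects a branch and only that branch's URI matcher
    runs, so no intermediate results are kept or merged.
    Assumption: if the exact-Host branch yields no URI match, the "*"
    Host branch is tried, so wildcard-Host rules are not shadowed.
    """
    for key in (host.lower(), "*"):
        sub_rules = tree.get(key)
        if sub_rules is not None:
            rule_id = match_uri(sub_rules, uri)
            if rule_id is not None:
                return rule_id
    return None


TREE = build_tree(RULES)

if __name__ == "__main__":
    # Constructed sample packets: (Host, URI)
    for host, uri in [("weibo.cn", "/ttt/gettimeline.php"),
                      ("weibo.cn", "/img/a.jpg"),
                      ("example.com", "/index.html")]:
        print(host, uri, "->", classify(TREE, host, uri))
```

Without the fallback to the `*` branch, a request for weibo.cn/img/a.jpg would stop in the weibo.cn sub-rule set and never reach rule 3, which is the kind of coverage gap to check for when rules are partitioned by Host.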
Present invention also offers a kind of rule-based traffic classification device, comprising:
Arrange module, for pre-setting rule set, and according to the rule construct rule level Match Tree in rule set, this regular level Match Tree comprises the first rules layer and Second Rule layer;
Acquiring unit, for receiving packet, obtains the content of the protocol domain field that rule defines in packet, such as Host and URI;
Adaptation, for searching the rule of coupling in the first rules layer according to Host, and triggers in matched rule that next adaptation finds in the first rules layer, according to URI in the rule of searching coupling in Second Rule layer.
Relevant technical details and the aforesaid rule-based traffic classification method of rule-based traffic classification device of the present invention are similar, therefore are not repeated herein.
Compared with existing best technique, the present invention, when ensureing not reduce based on the matching speed of DFA adaptation, removes the overhead of intermediate object program when changing between adaptation, improves systematic function.In addition, adopt regular level Match Tree structure, next adaptation is determined by the matching result of current matching device, and like this, each adaptation is structured on a little rule set, thus reduces the risk that internal memory overflows.
Although the present invention discloses as above with preferred embodiment, the present invention is not defined in this.Any those skilled in the art, without departing from the spirit and scope of the present invention, all can make various changes or modifications, and therefore protection scope of the present invention should be as the criterion with claim limited range.To those skilled in the art, obviously the invention is not restricted to the details of above-mentioned one exemplary embodiment, and when not deviating from spirit of the present invention or essential characteristic, the present invention can be realized in other specific forms.Therefore, no matter from which point, all should embodiment be regarded as exemplary, and be nonrestrictive, scope of the present invention is limited by claims instead of above-mentioned explanation, and all changes be therefore intended in the implication of the equivalency by dropping on claim and scope are included in the present invention.
Claims (7)
1. A rule-based traffic classification method, characterized by comprising:
presetting a rule set, and constructing a rule hierarchical matching tree from the rules in the rule set, the rule hierarchical matching tree comprising a first rule layer and a second rule layer;
when a data packet is received, obtaining the domain name and the uniform resource identifier of the data packet; a matcher searching the first rule layer for a matching rule according to the domain name; and, after it is determined that a first-rule-layer matching rule has been found, triggering the next matcher in the first-rule-layer matching rule to search the second rule layer for a matching rule according to the uniform resource identifier.
2. The rule-based traffic classification method of claim 1, characterized in that each rule of the rule set comprises a rule ID, and the domain name and uniform resource identifier corresponding to the rule ID.
3. The rule-based traffic classification method of claim 2, characterized in that constructing the rule hierarchical matching tree from the rules in the rule set is specifically:
constructing the rule hierarchical matching tree from the rules in the rule set according to domain name and uniform resource identifier.
4. The rule-based traffic classification method of claim 3, characterized in that constructing the rule hierarchical matching tree from the rules in the rule set is specifically:
classifying the rules in the rule set by domain name to form the first rule layer, where rules with the same domain name are grouped into one class, forming the sub-rule sets of the first rule layer; and classifying the sub-rule sets of the first rule layer by uniform resource identifier to form the second rule layer.
5. A rule-based traffic classification device, characterized by comprising:
a setting module, for presetting a rule set and constructing a rule hierarchical matching tree from the rules in the rule set, the rule hierarchical matching tree comprising a first rule layer and a second rule layer;
an acquiring unit, for obtaining the domain name and the uniform resource identifier of a data packet when the data packet is received;
a matcher, for searching the first rule layer for a matching rule according to the domain name and, after it is determined that a first-rule-layer matching rule has been found, triggering the next matcher in the first-rule-layer matching rule to search the second rule layer for a matching rule according to the uniform resource identifier.
6. The rule-based traffic classification device of claim 5, characterized in that each rule of the rule set comprises a rule ID, and the domain name and uniform resource identifier corresponding to the rule ID.
7. The rule-based traffic classification device of claim 6, characterized in that the setting module constructing the rule hierarchical matching tree from the rules in the rule set is specifically:
the setting module classifies the rules in the rule set by domain name to form the first rule layer, where rules with the same domain name are grouped into one class, forming the sub-rule sets of the first rule layer; and classifies the sub-rule sets of the first rule layer by uniform resource identifier to form the second rule layer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510698328.XA CN105357118A (en) | 2015-10-23 | 2015-10-23 | Rule based flow classifying method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105357118A (en) | 2016-02-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20160224 |