CN105763479A - High-efficiency P2P application flow classification method and classification system - Google Patents
High-efficiency P2P application flow classification method and classification system Download PDFInfo
- Publication number
- CN105763479A CN105763479A CN201610206196.9A CN201610206196A CN105763479A CN 105763479 A CN105763479 A CN 105763479A CN 201610206196 A CN201610206196 A CN 201610206196A CN 105763479 A CN105763479 A CN 105763479A
- Authority
- CN
- China
- Prior art keywords
- stream
- application
- flow
- packet
- bag
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 45
- 238000004891 communication Methods 0.000 claims abstract description 23
- 239000000284 extract Substances 0.000 claims abstract description 13
- 230000008569 process Effects 0.000 claims description 12
- 238000002372 labelling Methods 0.000 claims description 10
- 239000003550 marker Substances 0.000 abstract 1
- 238000010801 machine learning Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 6
- 230000002085 persistent effect Effects 0.000 description 6
- 238000001514 detection method Methods 0.000 description 5
- 230000006399 behavior Effects 0.000 description 4
- 230000008901 benefit Effects 0.000 description 4
- 238000000605 extraction Methods 0.000 description 4
- 230000000977 initiatory effect Effects 0.000 description 3
- 238000007726 management method Methods 0.000 description 3
- JOCBASBOOFNAJA-UHFFFAOYSA-N N-tris(hydroxymethyl)methyl-2-aminoethanesulfonic acid Chemical compound OCC(CO)(CO)NCCS(O)(=O)=O JOCBASBOOFNAJA-UHFFFAOYSA-N 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 2
- 238000012098 association analyses Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 238000007405 data analysis Methods 0.000 description 2
- 238000003066 decision tree Methods 0.000 description 2
- 238000001914 filtration Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 239000000203 mixture Substances 0.000 description 2
- 238000012549 training Methods 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000035800 maturation Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000004899 motility Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000013139 quantization Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 210000003813 thumb Anatomy 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
Abstract
The invention discloses a high-efficiency P2P application flow classification method and a classification system. The method comprises steps: 1) a P2P classification server acquires quaternion information, protocol information and packet size information from each acquired data packet, the data packet is marked, and the information is stored in an information structure body; 2) the P2P classification server extracts N data packets for each specified flow from the information structure body, and the basic statistical characteristics of each flow are calculated; 3) the obtained basic statistical characteristics are classified, and according to the obtained result, communication attributes for each flow in a unit time window are calculated; and 4) according to the communication attributes for the same flow in the current window, the Chi-square statistic amount of the flow is calculated, if the amount exceeds a set threshold, the application classification marker of the flow is removed, if an unrecognized flow appears, the unrecognized flow is marked as a P2P application flow in the current window with the same IP and the port. The method and the system of the invention have high classification stability, and can meet online recognition requirements on most systems.
Description
Technical field
The present invention relates to P2P filed of network information security, be a kind of P2P network that can be applied to, the method and system of efficient identification P2P application traffic.
Background technology
Along with widely using of internet, applications, network application has presented a lot of classification, especially the exploding of P2P application traffic, and occupies the huge network bandwidth, is unfavorable for high-quality service, brings a lot of problem of management to Virtual network operator simultaneously.P2P is a kind of distributed network, the participant of network shares a part of hardware resource (disposal ability, storage capacity, network-connectivity etc.) that they have, and these resources can directly be accessed by other equity point peer and need not through intermediate entities.The P2P complicated network structure, network topology has dynamic, and most flows are encrypted in transmitting procedure, and in order to improve P2P application traffic classification accuracy rate and stability, scientific management planning network, all kinds of P2P application identification technology are arisen at the historic moment.
(1) based on the sorting technique of P2P port.In P2P network service process, no matter it is client or service end, or a Peer node, it is necessary to provide IP address and port and the opposing party to communicate.The method needs the five-tuple in data intercept packet header, and judges that whether port is the port of P2P network application.Recognition methods advantage based on port is simple, it is easy to realizing, classification performance is significantly high, has higher real-time, it is possible to be applied under high speed network environment.But P2P is applied, mostly have employed the technology of port-hopping, the shortcoming that the method is primarily present be constrained to registered port number identification limited amount and along with new network application to be on the increase its proportion that may identify which application more and more lower, classification accuracy is unstable.
(2) based on the P2P application class technology of payload.Specific character string (signing messages) is comprised in order to identify application by making a concrete analysis of in payload, identify that in payload, some consult fix information, such as type of message T, length field L, version field Version, all kinds of reserved fields etc., if coupling, be identified as the P2P application of correspondence.Classification based on P2P application load content has higher accuracy rate due to it, and the advantage of this sorting technique is to can apply to real-time stream classifying and identifying system, and has higher recognition accuracy.Shortcoming is to need the development and change of follow-up P2P application in time, and the feature extraction workload of new opplication is relatively big, and a lot of P2P flow is proprietary protocol and encryption flow, and a such as sudden peal of thunder just have employed proprietary protocol to transmit data, is difficult to excavate its load characteristic.So using the method still cannot effectively identify that P2P applies, it is impossible to guarantee effectiveness and the real-time of some features.
(3) the P2P application class technology of behavior Network Based.By the network behavior feature of mutual both sides, extract the communication feature of P2P network application, mainly include Flow continuity, application multi connectivity, the P2P application communication features such as agreement confusion, port discreteness and I/O traffic are harmonious, the P2P classifying different applies.The method advantage is to consider port numbers, and packet need not be carried out deep analysis, is effectively increased classification performance.Shortcoming is the classification P2P application that can not become more meticulous, and can only effectively judge P2P class flow, and also because P2P is applied in interaction, route has dynamic, causes the method classification stability not high, has its limitation, therefore Detection accuracy is also different because of system.
(4) based on the P2P application class technology of machine learning.Current study hotspot is mainly in the sorting technique based on machine learning, and different application network traffics have certain stream feature, stream feature extraction out and is trained with machine learning algorithm and sets up disaggregated model, then application on site flow is classified.Machine learning algorithm based on theory of statistics is more and more used in stream sort research owing to it is widely applied background and ripe theoretical frame.Although the statistical learning method of P2P application class has the theoretical model of maturation, but the method for machine learning compares dependence data set, different network environments may affect classification accuracy, and when calculating some stream features, need to calculate the feature of each bag in stream, under network traffics rise suddenly and sharply situation, the performance that application identifies declines to some extent, and classification accuracy is unstable.
Summary of the invention
For above-mentioned existing method Problems existing, the invention discloses a kind of multithread based on sliding time window and associate P2P application class method and system.
The invention discloses a kind of multithread based on sliding time window and associate P2P application class method, concrete steps include:
(1) initiation parameter: the structure flowAttr of P2P traffic statistics basic feature, is initialized as 0, four P2P traffic communication behaviors: port discreteness f1, it is initialized as 0;I/O traffic is than feature f2, it is initialized as 1;Big window seriality f3, it is initialized as 0;Wicket transience f4, it is initialized as 0;Polynary misrecognized stream statistics chi-square variable χ2, it is initialized as 1.S_attrRule, initializes 0, and card side travels through parameter, initializes 0.6 (threshold value can set, it is possible to config update threshold value according to demand) at initial phase;
(2) packet conversate restructuring and parsing are received: carry out catching of packet at the network interface card specified.The information such as the four-tuple of the packet currently caught, agreement, bag length being carried out labelling, and is stored in information structure flowAttr, the relevant information of current data packet will be carried out detailed data analysis according to label information by subsequent step;
(3) stream elementary statistics feature calculation: read data packet from specified structure body flowAttr, filter out every top n (N < 10 specifying stream, N of the present invention is 9) packet, packet data is carried out labor, calculate the elementary statistics feature flowAttr of every stream, here TCP and udp protocol add up different feature, and the feature of calculating includes:
1) the TCP statistical nature in P2P flow:
The most parcel of min_fpktl forward direction is long;Win_fbytes forward direction home window;To home window after win_bbytes;First_fpktl forward direction first bag is long;To minimum packet length after min_bpktl;Third_fpktl forward direction the 3rd bag is long;Max_fpktl maximum forward packet length;The backward average bag of mean_bpktl is long;Fpsh_cnt forward direction psh bag number;Duration flows the persistent period.
2) the UDP statistical nature in P2P flow:
Max_fpktl forward direction maximum packet length;To maximum packet length after max_bpktl;The average backward packet length of mean_bpktl;First_fpktl forward direction first bag is long;To second bag length after sec_bpktl;To the 3rd bag length after third_bpktl;The average forward direction packet length of mean_fpktl;Two-way first the packet length difference of first_diff;To minimum packet length after min_bpktl;Duration flows the persistent period.
(4) characteristic of division stream is used to carry out preliminary classification
According to the characteristic of division numerical value that off-line arrangement is good, network data flow is carried out detection to judge, first determine whether that current network data stream is Transmission Control Protocol or udp protocol, then use different rules to carry out tentatively classifying rapidly to the elementary statistics feature of online stream respectively for TCP or UDP, and by the classification results of every P2P application stream, and the agreement of every stream, five-tuple information, bag number, flow, application coding record are in daily record.
(5) classification of P2P application traffic
In each unit of time window, the result utilizing step (4) data to classify, it is calculated four P2P communication attributes of quantization respectively.
1) every port discreteness flowing each port is calculated: port discreteness records each stream client port ClientPort value, owing to P2P application communication port is generally relatively larger, for balancing the weight of each attribute, use hash function by client port hash to 0 to 1 interval.
f1=Hash (ClientPort)
2) the I/O traffic ratio of every stream is calculated: the input byte number fbytes that input/output flow-rate ratio uses every to flow quantifies divided by output word joint number bbytes;
3) every seriality flowing big window is calculated: big window connection attribute uses bag payload length in every stream to quantify more than the quantity big_wins and whole piece stream bag number flow_packets of the bag of initial window length;
4) transience of every stream wicket is calculated: quantity small_wins and whole piece stream bag number flow_packets that the of short duration attribute of wicket uses bag load in every stream long less than first three bag of stream quantify;
5) chi-square variable under continuous multiple time window unit is added up, the P2P stream of detection misrecognized;
EWiBeing the average being marked as same application i-th P2P communication attributes before current window in N-1 window, N is set to 4.In identification process, time window can constantly slide backward.If χ in certain time window2The stream of IF-ELSE key words sorting more than threshold value 0.6, is then considered as misrecognized and is removed by the application class labelling of this stream by statistic.Using multithread space time correlation in a unit of time window, the time refers on a time window, and space refers in this window IP and port PO RT in every stream.If on a time window, use the stream of same IP and port PO RT in IF-ELSE rule classification labelling result to have Unidentified stream, then this is failed to be sold at auction and be designated as corresponding IP and PORT identified stream.
(6) to the memory space zero setting needed for detection feature or initiation parameter, step (2) is forwarded to.
The present invention also discloses that a kind of multithread based on sliding time window associates P2P application class system simultaneously, and mainly by packet capture, data process and extract characteristic module, rule classification module and association and identify 4 module compositions.What system was run specifically comprises the following steps that
(1) system initialization: configuration management resolves user profile, is loaded into system storage by the configuration of P2P applies classification rules, and configuration includes specifying network card data to monitor configuration, data filtering rule configuration, data storage rule configuration etc.;Configuration loads after successfully, system monitoring and etc. data to be received;
(2) packet capture module: gather packet, certain filtration that the packet of non-interesting flow is carried out, packet is stored in structure, forward step (3) to;
(3) data process and extract characteristic module: receive a packet, packet data is carried out labor, process this message in accordance with the following steps:
(3.1) flow cleaning: this technical purpose is for P2P traffic classification, needs effectively to clear up flow before carrying out statistical flow characteristic extraction, mainly removes ad traffic, removes DNS flow, and divides the flow into TCP and UDP flow amount;
(3.2) extract the elementary statistics feature of every TCP flow: calculate the statistical flow characteristic of TCP, including the most parcel length of forward direction, forward direction home window, backward home window, forward direction first bag length, backward minimum packet length, forward direction the 3rd bag length, maximum forward packet length, backward average wrap length, forward direction psh bag number, flow the persistent period;
(3.3) the elementary statistics feature of every UDP flow is extracted: forward direction maximum packet length, backward maximum packet length, average backward packet length, forward direction first bag second bag long, backward 3rd bag length, average forward direction packet length, two-way first packet length difference, backward minimum packet length, stream persistent period long, backward.
(4) rule classification module: by off-line machine learning, utilize the decision tree training rules configured, carry out P2P traffic classification according to the statistical flow characteristic that step (3) calculates;
(5) association analysis identification module: carry out in the result of a P2P traffic classification in step (4), four P2P property values of the online point each time window of calculating in real time, time window is set to 5 minutes, processes the result of a subseries in accordance with the following steps:
(5.1) calculate every the P2P communication attributes flowed being identified as same P2P application under a time window, be the transience of port discreteness, I/O traffic window seriality harmonious, big and wicket respectively.Port discreteness uses hash function to process the client port of every stream, input/output flow-rate ratio uses every input byte number flowed divided by output word joint number, big window connection attribute use every stream in bag load more than the big parcel quantity of initial window divided by whole piece stream bag number, the of short duration attribute of wicket use every stream in bag load less than stream first three bag length quantity divided by whole piece stream bag number;
(5.2) the chi-square statistics amount χ under sliding time window is calculated2: the P2P communication attributes calculated according to (5.1), calculate the chi-square statistics amount under continuous four time windows:
If chi-square statistics amount is more than the threshold value arranged, then the flow label in a rule classification is removed;
(5.3) adopting space time correlation ONLINE RECOGNITION P2P application traffic: using multithread space time correlation in a unit of time window, time window is set to 5 minutes, space uses in this window IP and port PO RT in every stream.If on a time window, the stream of same IP and port PO RT has Unidentified stream, then this failed to be sold at auction and be designated as corresponding IP and PORT identified stream.
(6) step (2) is continued.
Compared with published method, present invention have the advantage that
1) P2P application recognition accuracy and recall rate sorting technique than ever wants height, and classification is stable, it is possible to meet the demand of most systems ONLINE RECOGNITION;
2) rule identified can be applied by Configuration Online P2P, it is possible to reflect the feature of current P2P application communication more accurately, identify the retractility of system;
3) this method and system can provide the more detailed descriptions such as P2P application recognition credibility, interaction parameter command, and key message can feed back to application system in time;
4) introduce multiparameter statistics to identify, statistical parameter had both been contained based on P2P Port detecting, based on P2P load contents detection method, also use the method for machine learning to analyze P2P application interbehavior feature and to identify P2P by multithread relevant parameter, while ensureing system effectiveness, improve the accuracy rate of system to greatest extent;
5) by the weight flexible allocation of multiple parts, fast and effeciently select P2P communication flows statistical nature, reduce the data set attribute dimension used in machine learning training, improve classification performance;
6) P2P application traffic statistical nature extracts and only need to consider stream top n packet (N < 10), conventional study general is to consider to extract statistical flow characteristic from whole piece stream, calculate, by reducing, the number of data packets that every stream starts, be effectively increased classification performance;
7) recognition mechanism has multiformity, motility, adopts sliding time window mechanism, it is possible to adapt to the P2P application environment-identification of change.
Accompanying drawing explanation
Fig. 1 is the flow chart that the multithread based on sliding time window associates P2P application class;
Fig. 2 is that the multithread based on sliding time window associates P2P application class system structure module map;
Fig. 3 is system deployment connection figure;
A () deployment way 1, P2P classified service device is connected with the router between intranet and extranet,
B () deployment way 2, P2P classified service device is connected with the switch between intranet and extranet,
C () deployment way 3, P2P classified service device is connected with interior network router,
D () deployment way 4, P2P classified service device is connected with Intra-Network switch.
Detailed description of the invention
Below, the present invention is described in detail in conjunction with specific embodiments.
Fig. 1 gives the flow process to P2P application traffic classification method provided by the invention, is embodied as step as follows:
(1) initiation parameter: the structure flowAttr of P2P traffic statistics basic feature, is initialized as 0, four P2P traffic communication behavior port discreteness f1, it is initialized as 0;I/O traffic is than feature f2, it is initialized as 1;Big window seriality f3, it is initialized as 0;Wicket transience f4, it is initialized as 0;Polynary misrecognized stream statistics chi-square variable χ2, it is initialized as 1.The configuration parameter of P2P applies classification rules, dependent thresholds (threshold value can set at initial phase, it is possible to descends config update threshold value according to demand);
(2) receive packet and resolve: configuring certain parameter, carry out catching of packet at the network interface card specified.Protocol assembly, obtains a network packet, and this packet carries out ICP/IP protocol reduction, obtains packet networks layer stem and transport layer header message, for instance source IP, purpose IP, source port, destination interface, agreement, bag length, TCP flag information etc..The relevant information of current data packet will be carried out detailed data analysis according to label information by subsequent module;
(3) data process and feature extraction: read data packet from specified structure body, the packet of specified protocol is filtered, store read data packet the Hash table with corresponding four-tuple mark the structure of packet to contrast from step (2), the packet extracting same stream carries out labor, calculates the statistical nature of every stream:
1) filter DNS flow: filtered out by the stream of 53 ports, judge if DNS message then carrys out labelling according to P2P server domain name applies and jump to step (2) accordingly according to DNS message format, then enter next step if not DNS message;
2) calculate TCP flow statistical nature: extract the elementary statistics feature of every front 9 packets of TCP flow: calculate the statistical flow characteristic of TCP, including the most parcel length of forward direction, forward direction home window, backward home window, forward direction first bag length, backward minimum packet length, forward direction the 3rd bag length, maximum forward packet length, backward average wrap length, forward direction psh bag number, flow the persistent period;
3) UDP flow statistical nature is calculated: extract the elementary statistics feature of every front 9 packets of UDP flow: forward direction maximum packet length, backward maximum packet length, average backward packet length, forward direction first bag second bag long, backward 3rd bag length, average forward direction packet length, two-way first packet length difference, backward minimum packet length, stream persistent period long, backward;
(4) the IF-ELSE rule classification of configuration is used: utilize the result that every statistical flow characteristic of step (3) extracts, compare one by one with the Decision Tree Rule of off-line learning, each condition meets the P2P application being then marked as correspondence, otherwise it is labeled as sky, any rule of foot with thumb down;
(5) the multithread association analysis of sliding time window: for the stream being categorized as same P2P application in a time window, calculate the P2P attribute of every stream, it is the transience of port discreteness, I/O traffic window seriality harmonious, big and wicket respectively, calculate chi-square statistics amount, remove the flow label of wrong report, then adopt space time correlation that Unidentified flow label is become identified stream;
(6) to the memory space zero setting needed for the statistical nature that above-mentioned every stream is involved or initialization, restart statistics, go to step (2).
The present invention also provides a kind of multithread based on sliding time window simultaneously and associates P2P application class system, and mainly by packet capture, data process and extract characteristic module, rule classification module and association and identify 4 module compositions.Its system structure module is as shown in Figure 2.Categorizing system can be deployed in the mirror image data of various environment, processing gateway or the routers such as enterprise gateway gateway, operator's couple in router or P, and it is disposed and connects as shown in Figure 3.
Claims (10)
1. an efficient P2P application traffic classification method, the steps include:
1) this packet is carried out labelling by P2P classified service device acquisition quaternary group information, protocol information, bag long message from each packet gathered, and is then stored in information structure by the packet of labelling;
2) P2P classified service device extracts every N number of packet specifying stream from information structure, and calculates the elementary statistics feature of every P2P application stream;
3) according to the good characteristic of division numerical value of off-line arrangement to step 2) the elementary statistics feature that obtains classifies;
4) according to step 3) communication attributes of every P2P application stream in the result unit of account time window that obtains;
5) the chi-square statistics amount χ of this P2P application stream is calculated according to the communication attributes of same P2P application stream in current window2;If chi-square statistics amount χ2Exceed setting threshold value, then remove the application class labelling of this P2P application stream;If there is Unidentified P2P application stream, then the P2P application stream being designated as in current window to have identical IP and port PO RT of this Unidentified P2P application being failed to be sold at auction.
2. the method for claim 1, it is characterised in that described communication attributes includes port discreteness f1, I/O traffic compare f2, big window seriality f3, wicket transience f4。
3. method as claimed in claim 2, it is characterised in that port discreteness f1=Hash (ClientPort), ClientPort are client port value;I/O traffic ratioFbytes is output word joint number for input byte number, bbytes;Big window serialityBig_wins is the bag payload length quantity more than the bag of initial window length, and flow_packets is the bag number of whole piece stream;Wicket transienceSmall_wins is the bag number that bag load is long less than first three bag of stream.
4. the method as described in claim 1 or 2 or 3, it is characterised in that chi-square statistics amountWherein, EWiBeing the average of the i-th communication attributes being marked as same P2P application stream before current window in N-1 window, n is communication attributes sum.
5. the method as described in claim 1 or 2 or 3, it is characterised in that the elementary statistics feature of every stream includes the TCP statistical nature in P2P flow and the UDP statistical nature in P2P flow.
6. the method for claim 1, it is characterized in that, described step 3) in, P2P classified service device is by the classification results of every P2P application stream, and the agreement of every P2P application stream, five-tuple information, bag number, flow, application coding information recorded in daily record.
7. the method as described in claim 1 or 2 or 3, it is characterised in that this N number of packet is the continuous top n packet of every stream.
8. an efficient P2P application traffic classification system, it is characterised in that include packet capture module, data process and extract characteristic module, rule classification module and associate identification module;Wherein,
Packet capture module, be used for gathering packet and from each packet, obtain quaternary group information, this packet is carried out labelling by protocol information, bag long message, then the packet of labelling is stored in information structure;
Data process and extract characteristic module, for extracting every N number of packet specifying stream from information structure, and calculate the elementary statistics feature of every P2P application stream;
Rule classification module, for according to the good characteristic of division numerical value of off-line arrangement to step 2) the elementary statistics feature that obtains classifies;
Association identification module, for the communication attributes of every P2P application stream in unit of account time window;And calculate the chi-square statistics amount χ of this P2P application stream according to the communication attributes of same P2P application stream in current window2;If chi-square statistics amount χ2Exceed setting threshold value, then remove the application class labelling of this P2P application stream;If there is Unidentified P2P application stream, then the P2P application stream being designated as in current window to have identical IP and port PO RT of this Unidentified P2P application being failed to be sold at auction.
9. the system described in claim 8, it is characterised in that described communication attributes includes port discreteness f1, I/O traffic compare f2, big window seriality f3, wicket transience f4。
10. system as claimed in claim 9, it is characterised in that port discreteness f1=Hash (ClientPort), ClientPort are client port value;I/O traffic ratioFbytes is output word joint number for input byte number, bbytes;Big window serialityBig_wins is the bag payload length quantity more than the bag of initial window length, and flow_packets is the bag number of whole piece stream;Wicket transienceSmall_wins is the bag number that bag load is long less than first three bag of stream;Chi-square statistics amountWherein, EWiBeing the average of the i-th communication attributes being marked as same P2P application stream before current window in N-1 window, n is communication attributes sum.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610206196.9A CN105763479B (en) | 2016-04-05 | 2016-04-05 | A kind of efficient P2P application traffic classification method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610206196.9A CN105763479B (en) | 2016-04-05 | 2016-04-05 | A kind of efficient P2P application traffic classification method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105763479A true CN105763479A (en) | 2016-07-13 |
| CN105763479B CN105763479B (en) | 2019-04-30 |
Family
ID=56347230
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610206196.9A Expired - Fee Related CN105763479B (en) | 2016-04-05 | 2016-04-05 | A kind of efficient P2P application traffic classification method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105763479B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101741608A (en) * | 2008-11-10 | 2010-06-16 | 北京启明星辰信息技术股份有限公司 | Traffic characteristic-based P2P application identification system and method |
| US20120099465A1 (en) * | 2010-04-22 | 2012-04-26 | Yuefeng Ji | Method and its devices of network tcp traffic online identification using features in the head of the data flow |
| CN104657747A (en) * | 2015-01-30 | 2015-05-27 | 南京邮电大学 | Online game stream classifying method based on statistical characteristics |
-
2016
- 2016-04-05 CN CN201610206196.9A patent/CN105763479B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101741608A (en) * | 2008-11-10 | 2010-06-16 | 北京启明星辰信息技术股份有限公司 | Traffic characteristic-based P2P application identification system and method |
| US20120099465A1 (en) * | 2010-04-22 | 2012-04-26 | Yuefeng Ji | Method and its devices of network tcp traffic online identification using features in the head of the data flow |
| CN104657747A (en) * | 2015-01-30 | 2015-05-27 | 南京邮电大学 | Online game stream classifying method based on statistical characteristics |
Non-Patent Citations (1)
| Title |
|---|
| 李晓歌等: "《基于统计特性的P2P流量识别方法研究》", 《内江科技》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105763479B (en) | 2019-04-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11025654B2 (en) | Machine learning-based traffic classification using compressed network telemetry data | |
| CN102271090B (en) | Transport-layer-characteristic-based traffic classification method and device | |
| Draper-Gil et al. | Characterization of encrypted and vpn traffic using time-related | |
| CN102739457B (en) | Network flow recognition system and method based on DPI (Deep Packet Inspection) and SVM (Support Vector Machine) technology | |
| CN104320304B (en) | A kind of core network user flow application recognition methods of the multimode fusion easily extended | |
| CN108881028B (en) | SDN network resource scheduling method for realizing application awareness based on deep learning | |
| Alshammari et al. | A flow based approach for SSH traffic detection | |
| KR101295708B1 (en) | Apparatus for capturing traffic and apparatus, system and method for analyzing traffic | |
| CN101599897B (en) | P2P network flow control method based on application layer detection | |
| CN101184000A (en) | Packet sampling and application signature based internet application flux identifying method | |
| CN112949739A (en) | Information transmission scheduling method and system based on intelligent traffic classification | |
| Vinayakumar et al. | Secure shell (ssh) traffic analysis with flow based features using shallow and deep networks | |
| CN106789242A (en) | A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse | |
| CN111611280A (en) | Encrypted traffic identification method based on CNN and SAE | |
| CN108462707A (en) | A kind of mobile application recognition methods based on deep learning sequence analysis | |
| Aureli et al. | Going beyond diffserv in ip traffic classification | |
| Lu et al. | A heuristic-based co-clustering algorithm for the internet traffic classification | |
| Amaral et al. | Application aware SDN architecture using semi-supervised traffic classification | |
| CN101267353B (en) | A load-independent method for detecting network abuse | |
| CN113382039B (en) | Application identification method and system based on 5G mobile network flow analysis | |
| CN105812280A (en) | Classification method and electronic equipment | |
| Tavallaee et al. | Online classification of network flows | |
| Dener et al. | Rfse-gru: Data balanced classification model for mobile encrypted traffic in big data environment | |
| CN105763479A (en) | High-efficiency P2P application flow classification method and classification system | |
| CN115242724A (en) | High-speed network traffic service classification method based on two-stage clustering |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20190430 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |