CN106385402B - Application identification method and device, method for sending application session table and server - Google Patents


Info

Publication number
CN106385402B
Authority
CN
China
Prior art keywords
application
current
tag group
data stream
session information
Legal status
Active
Application number
CN201610785121.0A
Other languages
Chinese (zh)
Other versions
CN106385402A (en)
Inventor
谷久宏
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp
Application filed by Neusoft Corp
Priority to CN201610785121.0A
Publication of CN106385402A
Application granted
Publication of CN106385402B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides an application identification method and device, a method for sending an application session table, and a server. The application identification method is applied to an application identification device that comprises an initial application session table and an application rule base. The initial application session table includes session information of a data stream and an application tag group corresponding one to one to the session information, and the application tag group comprises a plurality of applications and corresponding confidences. The method comprises: in response to receiving a current data stream, acquiring current session information of the current data stream; and searching the initial application session table for the current session information and the corresponding current application tag group and, if they are found, identifying which application the current data stream belongs to by applying the corresponding application rules in the application rule base in order of the confidences in the current application tag group from largest to smallest. By adopting the embodiments of the application, the efficiency of application identification can be improved.

Description

Application identification method and device, method for sending application session table and server
Technical Field
The application relates to the technical field of internet data processing, in particular to an application identification method and application identification equipment, and a method for sending an application session table and a cloud server.
Background
With the continuous development of network technology, more and more applications that provide network services to users have appeared, such as Baidu, search, etc. Users interact with these applications through network traffic and can obtain the latest knowledge or information, which brings great convenience to their work and life. However, the wide variety of network applications creates difficulties for network management, and the uneven quality of the applications also poses new threats to network security.
In the prior art, in order to manage applications on a network more conveniently and provide users with a safer network experience, the various types of applications are usually accurately identified when users use the network services they provide, and operations such as effective interception or speed limitation are then performed on the data streams sent by the applications.
Disclosure of Invention
However, in the research process of the inventor, it is found that in the prior art, when application identification is performed, a method based on stream feature identification is generally used, and a method based on stream feature identification application can only identify an application with a certain type of features, but cannot accurately identify a certain application, so that the granularity of identification is rough, which may cause that effective control cannot be subsequently performed on data streams in a network. If accurate identification is needed, each data packet in the data stream needs to be analyzed packet by packet, and the number of the data packets in the data stream is massive, which leads to low identification efficiency and failure in meeting the requirement of network real-time. Therefore, how to accurately identify each application and improve the efficiency of application identification becomes an urgent problem in the prior art.
Based on this, the present application provides an application identification method that improves the efficiency of application identification while ensuring that each application is accurately identified, so that the real-time requirement of the network is met and the user's network service experience is improved.
The application also provides an application identification device, a cloud server and an application identification system, which are used for ensuring the realization and application of the method in practice.
In order to solve the above problem, the present application discloses an application identification method, which is applied to an application identification device, where the application identification device includes: an initial application session table and an application rule base; the initial application session table includes: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application; the application rule base comprises: a plurality of application identifications and corresponding application rules; the method comprises the following steps:
in response to receiving a current data stream, acquiring current session information of the current data stream;
and searching the current session information and the corresponding current application tag group in the initial application session table, and if the current session information and the corresponding current application tag group can be searched, respectively identifying which application the current data stream belongs to according to the sequence of the confidence degrees in the current application tag group from large to small according to the corresponding application rules in the application rule base.
Optionally, the session information of the data stream includes: a service end IP, a service end port and a transport layer protocol of the data stream; searching the current session information and the corresponding current application tag group in the initial application session table, wherein the searching comprises the following steps:
respectively searching a current server IP, a current server port and a current transport layer protocol included in current session information in the initial application session table;
and determining the application tag group corresponding to the searched session information as the current application tag group.
Optionally, the identifying, according to the sequence from the highest confidence level to the lowest confidence level in the current application tag group, which application the current data flow belongs to according to the corresponding application rule in the application rule base respectively includes:
determining the application with the maximum confidence level in the current application label group as the current application to be confirmed;
acquiring a current application rule corresponding to the current application from the application rule base;
and judging whether the content of the current data stream meets the current application rule, if so, determining that the current data stream belongs to the current application, and if not, determining the next application identifier in the current application tag group as the current application to be determined according to the sequence of confidence degrees from large to small until all application identifiers in the current application tag group are searched.
Optionally, the application tag group further includes: a counter corresponding to the application, the counter being for indicating a number of times the application is confirmed; after confirming that the current data flow belongs to the current application, the method further comprises:
and adding one to the value of the counter corresponding to the current application in the current application label group.
Optionally, if the current session information does not exist in the initial application session table, the method further includes:
and according to a default identification sequence, identifying which application the current data flow belongs to according to each corresponding application rule in the application rule base.
Optionally, the method further includes:
and adding the session information of the current data stream and the corresponding current application tag group into the application session table, wherein the confidence coefficient in the current application tag group is a preset initial value, and the value of the counter is increased by one.
Optionally, the method further includes:
and judging whether a preset updating time period is reached, and if so, sending the session information of the data stream added in the initial application session table and the corresponding application tag group to a cloud server.
Optionally, the method further includes:
receiving session information and updated confidence coefficient of the added data stream returned by a cloud server, and updating the confidence coefficient in the initial application session table according to the updated confidence coefficient;
and updating the value of the counter corresponding to the updated confidence coefficient to a preset initial value.
The embodiment of the application also discloses a method for sending the application session table, which is applied to a cloud server connected with a plurality of application identification devices, and the method comprises the following steps:
generating a plurality of initial application session tables for the plurality of application recognition devices, respectively, the initial application session tables including: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application;
and correspondingly sending the plurality of initial application session tables to the plurality of application identification devices respectively.
Optionally, the method further includes:
receiving session information of added data streams and an added application tag group which are sent by the plurality of application identification devices when a preset updating time period comes;
calculating the confidence corresponding to each application in the target application tag group corresponding to the target data stream according to the confidence and the counter included in the added application tag group; wherein the target data stream is: an initial data flow in an initial application session table, and, the added data flow;
and sending the updated confidence coefficient and the session information of the corresponding data stream to the corresponding application identification equipment.
The embodiment of the present application further discloses an application identification device, where the application identification device includes: an initial application session table and an application rule base; the initial application session table includes: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application; the application rule base comprises: a plurality of application identifications and corresponding application rules; the apparatus comprises:
an acquisition unit, configured to acquire, in response to receiving a current data stream, the current session information of the current data stream;
the searching unit is used for searching the current session information and the corresponding current application label group in the initial application session table;
and the first identification unit is used for identifying which application the current data stream belongs to according to the sequence of the confidence degrees in the current application tag group from large to small and the corresponding application rules in the application rule base respectively.
Optionally, the session information of the data stream includes: a service end IP, a service end port and a transport layer protocol of the data stream; the search unit includes:
a searching subunit, configured to search, in the initial application session table, a current server IP, a current server port, and a current transport layer protocol included in the current session information respectively;
and the first determining subunit is used for determining the application tag group corresponding to the searched session information as the current application tag group.
Optionally, the first identification unit includes:
the second determining subunit is configured to determine, as the current application to be confirmed, the application with the highest confidence level in the current application tag group;
an obtaining subunit, configured to obtain, from the application rule base, a current application rule corresponding to the current application;
a judging subunit, configured to judge whether the content of the current data stream satisfies the current application rule;
a determining subunit, configured to determine that the current data flow belongs to the current application if a result of the determining subunit is yes;
and the processing subunit is configured to, when the result of the judging subunit is negative, determine, according to a sequence from a large confidence level to a small confidence level, a next application identifier in the current application tag group as the current application to be confirmed until all application identifiers in the current application tag group are completely searched.
Optionally, the application tag group further includes: a counter corresponding to the application, the counter being for indicating a number of times the application is confirmed; after confirming that the current data flow belongs to the current application, the identifying unit further comprises:
and the counting subunit is used for adding one to the value of the counter corresponding to the current application in the current application label group.
Optionally, the method further includes:
and the second identification unit is used for identifying which application the current data flow belongs to according to the default identification sequence and the corresponding application rules in the application rule base.
Optionally, the method further includes:
and the adding unit is used for adding the session information of the current data stream and the corresponding current application tag group into the application session table, wherein the confidence coefficient in the current application tag group is a preset initial value, and the value of the counter is increased by one.
Optionally, the method further includes:
the judging unit is used for judging whether a preset updating time period is reached or not;
and the first sending unit is used for sending the session information of the data stream added in the initial application session table and the corresponding application tag group to a cloud server under the condition that the result of the judging unit is yes.
Optionally, the method further includes:
the first receiving unit is used for receiving the session information of the added data stream and the updated confidence coefficient returned by the cloud server and updating the confidence coefficient in the initial application session table according to the updated confidence coefficient;
and the updating unit is used for updating the value of the counter corresponding to the updated confidence coefficient to a preset initial value.
The embodiment of the application further discloses a cloud server, the cloud server is connected with a plurality of application identification devices, and the server includes:
a generating unit, configured to generate a plurality of initial application session tables for the plurality of application recognition devices, respectively, where the initial application session tables include: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application;
and a second sending unit, configured to correspondingly send the multiple initial application session tables to the multiple application identification devices, respectively.
Optionally, the method further includes:
a second receiving unit, configured to receive session information of the added data stream and the added application tag group, where the session information is sent by the multiple application identification devices and is added when a preset update time period comes;
a calculating unit, configured to calculate, according to the confidence and the counter included in the added application tag group, a confidence corresponding to each application in a target application tag group corresponding to a target data stream; wherein the target data stream is: an initial data flow in an initial application session table, and, the added data flow;
and the third sending unit is used for sending the updated confidence coefficient and the session information of the corresponding data stream to the corresponding application identification equipment.
The embodiment of the present application further discloses an application identification system, which includes: any one of the application recognition devices and any one of the cloud servers.
Compared with the prior art, the method has the following advantages:
In the embodiment of the application, the application identification device stores an initial application session table that records the confidences with which each data stream may belong to a plurality of applications; the higher the confidence, the more likely the data stream belongs to that application. The corresponding application rules are therefore matched in the application rule base in order of confidence from high to low, so that applications with high confidence are matched first, and once an application is matched the identification process can end, which improves the efficiency of application identification. In addition, full data packet inspection can be used during identification, which also ensures the accuracy of application identification.
Of course, it is not necessary for any product to achieve all of the above-described advantages at the same time for the practice of the present application.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
FIG. 1 is an application scenario architecture diagram of the present application;
FIG. 2 is a schematic diagram of the structure of an application session table of the present application;
FIG. 3 is a schematic diagram of the structure of the application rules of the present application;
FIG. 4 is a flow chart of an application identification method embodiment of the present application;
FIG. 5 is a schematic diagram of an application session record stored in the cloud server according to the present application;
FIG. 6 is a flow diagram of an embodiment of a method of sending an application session table of the present application;
FIG. 7 is a block diagram of an embodiment of an application identification device of the present application;
FIG. 8 is a block diagram of a cloud server according to an embodiment of the present disclosure;
FIG. 9 is a block diagram of an embodiment of an application recognition system according to the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a schematic diagram of a scene architecture in practical application of the embodiment of the present application. In fig. 1, the application recognition device 102 may be deployed separately in a separate network, or may generally reside in a border gateway of each network. For example, if a company has 3 local area networks, 3 application identification devices may be set for the 3 local area networks, and a cloud server 101 is set for the 3 application identification devices, where the cloud server 101 may be connected to the 3 application identification devices, and may send data to the 3 application identification devices, or receive data uploaded by the 3 application identification devices.
The application recognition device 102 may include an initial application session table and an application rule base. The specific structure of the application session table is shown in fig. 2. The initial application session table may include session information of the data stream and an application tag group in one-to-one correspondence with the session information. The left side of fig. 2 is the session information of a data stream, which may include the server IP, the server port and the transport layer protocol; the session information uniquely represents the characteristics of a data stream, so that each data stream can be identified. The application tag group on the right side of fig. 2 corresponds to the session information one to one and may include a plurality of applications (Appid[i]) and a confidence (Confidence[i]) corresponding to each application. The confidence is the probability that a data stream with the same server IP, the same server port and the same transport layer protocol belongs to the application (Appid[i]). In addition, the application tag group may further include a counter (Count[i]), in one-to-one correspondence with the application (Appid[i]), which indicates the number of times the data stream is identified as the application within a period of time. The confidences of the applications in fig. 2 sum to 1, i.e., Confidence[0] + Confidence[1] + … + Confidence[i] = 1, where i is an integer greater than zero.
The application rule base may include a plurality of application identifications and corresponding application rules, where an application corresponds to at least one application rule. Fig. 3 shows the data structure of an application rule in the application rule base: an application (Appid) corresponds to i rules (Rule), that is, the content of a data stream is determined to belong to the application only when the i rules are satisfied. The application rules can be implemented as regular expressions.
Referring to fig. 4, a flowchart of an embodiment of an application identification method applied to an application identification device according to the present application is shown, where the application identification device in this embodiment is any one of the application identification devices shown in fig. 1, and this embodiment may include the following steps:
Step 401: In response to receiving a current data stream, acquire the current session information of the current data stream.
In practical application, if the application identification device is deployed on a local area network, it can obtain the data packets sent to the outside by all user devices accessing the local area network and the data packets sent to the user devices by applications, and from these obtain the session information of each data stream, for example the server IP, server port and transport layer protocol of the current data stream. Of course, the session information in this embodiment may be any other content capable of uniquely identifying the data stream. In this embodiment, an arbitrary data stream transmitted by an arbitrary application to an arbitrary user device is taken as an example for description. The application in this embodiment refers to a network server that generates network traffic, such as Baidu, Sohu Video, or iQiyi.
Step 402: Search the initial application session table for the current session information and the corresponding current application tag group; if they are found, go to step 203.
Because the application identification device stores the initial application session table, after the current session information of the current data stream is obtained, the current server IP, current server port and current transport layer protocol included in the current session information can be looked up in the initial application session table. If they are found, the session of the current data stream is stored in the initial application session table, and the application tag group corresponding to the found session information is determined as the current application tag group. Assume that the determined current application tag group contains 5 applications and 5 confidences corresponding to them respectively. It may further include the counter values corresponding to the 5 applications.
Step 403: In order of the confidences in the current application tag group from largest to smallest, identify which application the current data stream belongs to according to the corresponding application rules in the application rule base.
After the current application tag group is determined, the 5 confidences corresponding to the 5 applications in it can be ordered by magnitude, for example: Baidu 0.43, Sohu 0.26, iQiyi 0.18, Youku 0.11 and QQ 0.02. In this step, the application rules corresponding to Baidu, Sohu, iQiyi, Youku and QQ in the application rule base are applied in order of confidence from high to low to identify which of the 5 applications the current data stream belongs to. That is, the data stream finds its application tag group (Appid[0], Appid[1], … Appid[i]) by searching the application session table, and each application tag is then confirmed by looking up the corresponding application rule set in the application identification engine, without having to look up all the application rules each time. The counter information in the application session table in the application identification node is updated according to the search result.
Specifically, the step may include steps A1 to A5:
Step A1: Determine the application with the highest confidence in the current application tag group as the current application to be confirmed.
First, the application with the highest confidence, e.g., Baidu, is determined as the current application to be confirmed.
Step A2: Acquire the current application rule corresponding to the current application from the application rule base.
The application rule corresponding to Baidu, namely the regular expression that a data stream must satisfy to belong to Baidu, is looked up in the application rule base.
Step A3: Judge whether the content of the current data stream satisfies the current application rule; if so, go to step A4, and if not, go to step A5.
It is then determined whether the content of the current data stream satisfies the regular expression found in step A2; if so, it may be determined that the current data stream is a data stream transmitted by Baidu.
Step A4: Confirm that the current data stream belongs to the current application.
Step A5: Determine the next application identifier in the current application tag group, in order of confidence from highest to lowest, as the current application to be confirmed, until all the application identifiers in the current application tag group have been searched.
If the current data stream is not a data stream transmitted by Baidu, Sohu is determined as the current application to be confirmed, following the order of confidence from highest to lowest, and step A2 is executed again for confirmation, until the current data stream is confirmed to belong to a certain application or all application identifiers in the current application tag group have been searched. It can be understood that, when all the application identifiers in the current application tag group have been searched and it has still not been determined which application the current data stream belongs to, all the remaining application rules in the application rule base that have not yet been matched need to be matched against the current data stream one by one in the default identification order.
Specifically, in this step, data packet matching may be performed by Deep Packet Inspection (DPI). DPI is a basic application identification technology in various network products at present: it describes the signature characteristics of an application through a normative rule grammar, and analyzes and matches the payload data of each data packet against the rule signatures packet by packet, thereby identifying the application by its signature characteristics. Of course, in this step, a method of parsing and matching only part of the data packets of the current data stream may also be adopted; whichever method is adopted, the identification result can be more accurate.
In the case where the application tag group includes a counter corresponding to the application, step A6 may further be included after step A4:
Step A6: Add one to the value of the counter corresponding to the current application in the current application tag group.
If it is determined that the current data stream belongs to the current application in the current application tag group, for example Baidu, the value of the counter corresponding to Baidu is incremented by one. The value of the counter indicates the number of times Baidu has been identified within a period of time (for example, within a preset update time period). For example, a counter value of 3 means that Baidu was identified 3 times in the preset update time period; it can also be understood as a total of 3 data streams being identified as transmitted by Baidu.
If there is no current session information in the initial application session table in step 402, after step 402 the method may further comprise:
Step 404: Identify which application the current data stream belongs to by applying each application rule in the application rule base in a default identification order.
In this embodiment, if the session information of the current data stream is not stored in the initial application session table stored in the application identification device, the application rules corresponding to the applications in the application rule base need to be matched in order to identify which application the current data stream belongs to. During the identification, the application rules in the application rule base may be matched one by one in a preset default identification order. The default identification order may be alphabetical, for example first matching the application rule corresponding to the application whose initial letter is "A", then the application rule corresponding to the application whose initial letter is "B", and so on. Of course, the identification can also be made in any other order set by a person skilled in the art.
Assuming that it is recognized in step 404 that the content of the current data stream completely matches the application rule of the application "Mango TV", the current data stream belongs to the application "Mango TV", and the method may further include:
Step 405: Add the session information of the current data stream and the corresponding current application tag group to the initial application session table, wherein the confidence in the current application tag group is a preset initial value, and the value of the counter is increased by one.
The session information of the current data stream and the corresponding application tag group are each added to the initial application session table. The confidence in the corresponding current application tag group may be an initial value, which may be set to zero, and the value of the counter may be set to one.
While performing steps 401 to 405, the application identification device may further perform:
Step B: Judge whether a preset update time period has been reached, and if so, send the session information of the data streams added to the initial application session table and the corresponding application tag groups to a cloud server.
When the preset update time period T arrives (T may be set to, for example, 5 seconds), the application identification device may send the session information newly added to the initial application session table during period T, together with the corresponding application tag groups, to the cloud server, and the cloud server recalculates the confidence of each application according to the value of the counter and the value of the confidence corresponding to each application in the application tag group. Furthermore, the cloud server can redistribute the updated confidences to each application identification device. The format of the application identification session table in the cloud is shown in Fig. 5. In Fig. 5, assuming that there are i applications, where i is an integer greater than zero, for application Appid[0] the total number of identification records of the counter before the update is A0 and the confidence before the update is A0/(A0 + A1 + … + Ai); assuming that the number of identification records of the counter after the update is N0, the confidence recalculated by the cloud server is (A0 + N0)/(A0 + A1 + … + Ai + N0 + N1 + … + Ni), and so on. The calculation of the updated confidence of the i-th application Appid[i] is given in Fig. 5.
It should be noted that, in practical applications, in order to ensure the efficiency of application identification, each application identification device may selectively receive only part of the application session table of the cloud server, for example the top several (for example, 1000) application session records ranked by the total identification count recorded by the counter (the sum of the total identification count before the update and the newly added identification count), or only the application session records whose confidence is greater than a preset value (for example, 0.8), and so on.
In this step, if the preset time period T has not been reached, the step may continue to be executed in real time to perform the determination.
After the application identification device sends the initial application session table to the cloud server in step B, the method may further include:
Step C: Receive the session information of the added data streams and the updated confidences returned by the cloud server, update the confidences in the initial application session table according to the updated confidences, and update the value of the counter corresponding to each updated confidence to a preset initial value.
The application identification device receives the session information of the added data streams and the updated confidences returned by the cloud server, updates the confidences in the initial application session table it stores according to the confidences recalculated by the cloud server, and updates the value of the counter corresponding to each updated application to a preset initial value, such as zero.
Therefore, the application rules in the application rule base are matched in order from the highest confidence to the lowest, so that the application rules with higher confidence are matched first, and the application identification process can end as soon as an application is matched, which improves the efficiency of application identification. In addition, full data packet inspection can be adopted when performing application identification, which also ensures the accuracy of application identification.
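The device-side flow described above (session lookup, steps A1 to A6, the default-order fallback of step 404 and the table insertion of step 405) can be sketched as follows. This is an added example, not code from the patent: the application names, the regular expressions, the `Tag` and `AppIdentifier` names and the sample payloads are constructed assumptions, and adding a fallback match to an existing tag group is also an assumption the text does not specify.

```python
import re
from dataclasses import dataclass

# Constructed rule base (application id -> regular expression the payload must
# satisfy). The application names and patterns are illustrative assumptions.
RULE_BASE = {
    "app_alpha": re.compile(rb"Host: .*alpha\.example"),
    "app_beta": re.compile(rb"Host: .*beta\.example"),
    "app_delta": re.compile(rb"User-Agent: delta-client/"),
    "app_gamma": re.compile(rb"^\x16\x03[\x01-\x03]"),
}
DEFAULT_ORDER = sorted(RULE_BASE)  # default identification order: alphabetical


@dataclass
class Tag:
    confidence: float = 0.0  # preset initial value
    counter: int = 0         # confirmations in the current update period


class AppIdentifier:
    def __init__(self, session_table):
        # session_table: {(server_ip, server_port, proto): {app_id: Tag}}
        self.table = session_table
        self.rules_tried = 0  # rule evaluations so far, to show the saving

    def _matches(self, app_id, payload):
        self.rules_tried += 1
        return RULE_BASE[app_id].search(payload) is not None

    def identify(self, server_ip, server_port, proto, payload):
        key = (server_ip, server_port, proto)
        group = self.table.get(key)
        tried = set()
        if group is not None:
            # Steps A1-A5: walk the tag group from highest to lowest confidence.
            ordered = sorted(group, key=lambda a: group[a].confidence,
                             reverse=True)
            for app_id in ordered:
                tried.add(app_id)
                if app_id in RULE_BASE and self._matches(app_id, payload):
                    group[app_id].counter += 1  # step A6
                    return app_id
        # Step 404, and the fallback after an exhausted tag group: the rules
        # not yet tried, in the default identification order.
        for app_id in DEFAULT_ORDER:
            if app_id in tried:
                continue
            if self._matches(app_id, payload):
                if group is None:
                    group = self.table[key] = {}  # step 405: new session entry
                # Assumption: a fallback match on a known session is added to
                # its existing tag group with the initial confidence.
                group.setdefault(app_id, Tag()).counter += 1
                return app_id
        return None  # no rule matched; the flow stays unidentified


if __name__ == "__main__":
    known = ("203.0.113.10", 80, "tcp")  # constructed session key
    dev = AppIdentifier({known: {"app_alpha": Tag(0.43),
                                 "app_beta": Tag(0.26),
                                 "app_gamma": Tag(0.18)}})
    http = b"GET / HTTP/1.1\r\nHost: www.beta.example\r\n\r\n"
    print(dev.identify(*known, http), "after", dev.rules_tried, "rules")
```

For detection coverage, the `None` case matters: a flow that matches no rule remains unidentified and should be logged rather than silently inheriting the most likely label for its server endpoint.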
Referring to fig. 6, a flowchart of an embodiment of a method for sending an application session table according to the present application is shown, where the embodiment may be applied to a cloud server connected to multiple application identification devices, and the embodiment may include the following steps:
Step 601: Generate a plurality of initial application session tables for the plurality of application identification devices, respectively.
In this embodiment, the initial application session table on the application identification device is generated by the cloud server. The initial application session table may include: session information of a data stream and an application tag group corresponding one to one to the session information, wherein the application tag group may include: a plurality of applications and corresponding confidence levels, each confidence level representing the likelihood that the corresponding data stream belongs to the application. For a description of the specific application session table, reference may be made to the embodiment shown in Fig. 4, which is not repeated here.
In addition, in one possible implementation, the confidence and the initial value of the counter corresponding to each application in the initial application session table may be set to zero. In this case, when the preset update time period T arrives, the cloud server may recalculate the confidence according to the received, updated value of the counter. Alternatively, in another possible implementation, the initial value of the counter corresponding to each application in the initial application session table may be set to zero, and the initial value of the confidence may be calculated from historical identification data. For example, the cloud server may calculate the initial value of the confidence corresponding to each application from the number of times each application was identified in the past week, in the manner shown in Fig. 5. Of course, the present application can be implemented in either manner.
Step 602: Send the plurality of initial application session tables to the corresponding application identification devices, respectively.
The cloud server sends each generated initial application session table to the corresponding connected application identification device.
After step 602, the method may further include:
Step 603: Receive the session information of the added data streams and the added application tag groups sent by the plurality of application identification devices when a preset update time period arrives.
The cloud server and the application identification devices can jointly maintain an update time period T. When time T arrives, the cloud server can receive the session information of the data streams newly added to the application session table of each application identification device within time T, together with the corresponding added application tag groups, such as the values of the counters.
Step 604: Calculate the confidence corresponding to each application in the target application tag group corresponding to the target data stream according to the confidence and the counter included in the added application tag group.
In this way, the cloud server may recalculate, in the manner shown in Fig. 5, the confidence of each application for the initial data streams in the initial application session table, and calculate the confidence of each application for the data streams newly added within time T.
Step 605: Send the updated confidences and the session information of the corresponding data streams to the corresponding application identification devices.
The cloud server sends the recalculated, updated confidences and the session information of the corresponding data streams to each application identification device, so that each application identification device can update the initial value of the confidence of each application in its initial application session table.
In this embodiment, the cloud server generates an initial application session table and sends it to the application identification device for storage. The table records the confidences with which each data stream may belong to each of a plurality of applications, and an application with a high confidence is the more probable one. The application rules for each data stream are therefore matched in the application rule base in order of confidence from highest to lowest, so that the applications with high confidence are matched first, and the application identification process can end as soon as an application is matched, which improves the efficiency of application identification. In addition, full data packet inspection can be adopted when performing application identification, which also ensures the accuracy of application identification.
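The cloud-side recalculation of steps 603 to 605, using the Fig. 5 ratio (A_k + N_k)/(ΣA + ΣN) and the selective redistribution by total count or confidence threshold, can be sketched as follows. This is an added example, not code from the patent: the class and method names, the sample counts and the rule that a session record passes the threshold when its highest confidence exceeds it are assumptions, as is the validation of device-reported counters.

```python
from collections import defaultdict


class CloudSessionTable:
    def __init__(self):
        # {session_key: {app_id: cumulative identification count A_k}}
        self.totals = defaultdict(lambda: defaultdict(int))

    def seed(self, key, history):
        """Load historical counts (e.g. the past week) for one session key."""
        for app_id, count in history.items():
            self.totals[key][app_id] += count

    def confidences(self, key):
        """Confidence of each application: its count over the session total."""
        group = self.totals[key]
        total = sum(group.values())
        if total == 0:
            return {app_id: 0.0 for app_id in group}  # preset initial value
        return {app_id: count / total for app_id, count in group.items()}

    def merge(self, uploads):
        """Step 603/604: fold in the counters N_k reported by each device.

        uploads: list of {session_key: {app_id: N_k}}, one dict per device.
        Returns {session_key: {app_id: updated confidence}} for step 605.
        """
        uploads = list(uploads)
        # Assumption: counters are checked before use, since a malformed or
        # negative count from one device would skew the order on all devices.
        for upload in uploads:
            for counters in upload.values():
                for n in counters.values():
                    if not isinstance(n, int) or n < 0:
                        raise ValueError("counter must be a non-negative int")
        touched = []
        for upload in uploads:
            for key, counters in upload.items():
                for app_id, n in counters.items():
                    self.totals[key][app_id] += n  # A_k + N_k
                if key not in touched:
                    touched.append(key)
        return {key: self.confidences(key) for key in touched}

    def select_for_device(self, top_n=None, min_confidence=None):
        """Pick the records a device receives: the top_n sessions by total
        count and/or those whose highest confidence exceeds min_confidence."""
        keys = sorted(self.totals,
                      key=lambda k: sum(self.totals[k].values()),
                      reverse=True)
        if top_n is not None:
            keys = keys[:top_n]
        selected = {}
        for key in keys:
            conf = self.confidences(key)
            if min_confidence is not None and (
                    not conf or max(conf.values()) <= min_confidence):
                continue
            selected[key] = conf
        return selected


if __name__ == "__main__":
    cloud = CloudSessionTable()
    k1 = ("203.0.113.10", 80, "tcp")  # constructed session keys and counts
    cloud.seed(k1, {"app_alpha": 6, "app_beta": 2})
    print(cloud.merge([{k1: {"app_alpha": 1, "app_beta": 1}},
                       {k1: {"app_beta": 6}}]))
```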
For simplicity of explanation, the foregoing method embodiments are described as a series of acts or combinations, but those skilled in the art will appreciate that the present application is not limited by the order of acts, as some steps may occur in other orders or concurrently with other steps based on the disclosure herein. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Corresponding to the method provided by the above embodiment of the application identification method in the present application, and referring to Fig. 7, the present application further provides an embodiment of an application identification device. In this embodiment, the application identification device may include: an initial application session table and an application rule base; the initial application session table includes: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application; the application rule base comprises: a plurality of application identifications and corresponding application rules; the application identification device may include:
an obtaining unit 701, configured to obtain current session information of a current data stream in response to receiving the current data stream.
A searching unit 702, configured to search the initial application session table for the current session information and the corresponding current application tag group.
Wherein the session information of the data stream includes: a server IP, a server port and a transport layer protocol of the data stream; the lookup unit 702 may include: a searching subunit, configured to search, in the initial application session table, for a current server IP, a current server port, and a current transport layer protocol included in the current session information, respectively; and a first determining subunit, configured to determine the application tag group corresponding to the found session information as the current application tag group.
A first identifying unit 703, configured to identify which application the current data flow belongs to by applying the corresponding application rules in the application rule base in order from the highest confidence to the lowest in the current application tag group.
Wherein the first identifying unit 703 may include:
the second determining subunit is configured to determine, as the current application to be confirmed, the application with the highest confidence level in the current application tag group; an obtaining subunit, configured to obtain, from the application rule base, a current application rule corresponding to the current application; a judging subunit, configured to judge whether the content of the current data stream satisfies the current application rule; a determining subunit, configured to determine that the current data flow belongs to the current application if a result of the determining subunit is yes; and the processing subunit is configured to, when the result of the determining subunit is negative, determine, according to a sequence from a large confidence level to a small confidence level, a next application identifier in the current application tag group as the current application to be confirmed until all application identifiers in the current application tag group are completely searched.
Wherein, the application tag group may further include: a counter corresponding to the application, the counter being for indicating a number of times the application is confirmed; after confirming that the current data flow belongs to the current application, the identifying unit may further include: and the counting subunit is used for adding one to the value of the counter corresponding to the current application in the current application label group.
In practical applications, the application recognition device may further include:
a second identifying unit 704, configured to identify, according to a default identifying order, which application the current data flow belongs to according to each corresponding application rule in the application rule base, respectively.
And an adding unit 705, configured to add session information of a current data stream and a corresponding current application tag group to the application session table, where a confidence in the current application tag group is a preset initial value, and a value of the counter is incremented by one.
In practical applications, the application recognition device may further include:
the judging unit is used for judging whether a preset updating time period is reached or not; and the first sending unit is used for sending the session information of the data stream added in the initial application session table and the corresponding application tag group to a cloud server under the condition that the result of the judging unit is yes.
Or, in practical applications, the application identification device may further include:
the first receiving unit is used for receiving the session information of the added data stream and the updated confidence coefficient returned by the cloud server and updating the confidence coefficient in the initial application session table according to the updated confidence coefficient; and the updating unit is used for updating the value of the counter corresponding to the updated confidence coefficient to a preset initial value.
The application identification device of this embodiment stores an initial application session table, which records the confidences with which each data stream may belong to each of a plurality of applications; an application with a high confidence is the more probable one. The application rules for each data stream are therefore matched in the application rule base in order of confidence from highest to lowest, so that the applications with high confidence are matched first, and the application identification process can end as soon as an application is matched, which improves the efficiency of application identification. In addition, full data packet inspection can be adopted when performing application identification, which also ensures the accuracy of application identification.
Referring to fig. 8, the present application further provides an embodiment of a cloud server, in this embodiment, the cloud server is connected to a plurality of application identification devices, and the cloud server includes:
a generating unit 801, configured to generate a plurality of initial application session tables for the plurality of application identification devices, respectively, where the initial application session tables include: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application.
A second sending unit 802, configured to correspondingly send the multiple initial application session tables to the multiple application identification devices, respectively.
Wherein, in practical application, the cloud server may further include:
a second receiving unit 803, configured to receive, when a preset update time period comes, the session information of the added data stream and the added application tag group that are sent by the multiple application identification devices.
A calculating unit 804, configured to calculate, according to the confidence and the counter included in the added application tag group, a confidence corresponding to each application in the target application tag group corresponding to the target data stream; wherein the target data stream is: an initial data flow in an initial application session table, and, the added data flow.
A third sending unit 805, configured to send the updated confidence level and the session information of the corresponding data stream to the corresponding application identification device.
The cloud server in this embodiment may send the initial application session table to each application identification device for storage. The table records the confidences with which each data stream may belong to each of a plurality of applications, and an application with a high confidence is the more probable one. The application rules for each data stream are therefore matched in the application rule base in order of confidence from highest to lowest, so that the applications with higher confidence are matched first, and the application identification process can end as soon as an application is matched, which improves the efficiency of application identification. In addition, full data packet inspection can be adopted when performing application identification, which also ensures the accuracy of application identification.
Referring to Fig. 9, the present application further provides an embodiment of an application identification system. In this embodiment, the system may include a plurality of application identification devices 90 as shown in Fig. 7, and a cloud server 91 connected to the plurality of application identification devices. In this embodiment, the cloud server 91 is used to manage the plurality of application identification devices 90 and to provide an initial application session table for them; after receiving the added application session records returned by the plurality of application identification devices 90, it recalculates the confidence of each application and synchronizes the confidences to the plurality of application identification devices 90, so that each application identification device performs application identification with higher accuracy.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The application identification method and device, the method for sending the application session table, and the server provided by the present application are introduced in detail above, and a specific example is applied in the present application to explain the principle and the implementation of the present application, and the description of the above embodiment is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (20)

1. An application identification method, applied to an application identification device, wherein the application identification device comprises: an initial application session table and an application rule base; the initial application session table includes: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application; the application rule base comprises: a plurality of application identifications and corresponding application rules; the method comprises the following steps:
in response to receiving a current data stream, acquiring current session information of the current data stream;
and searching the initial application session table for the current session information and the corresponding current application tag group, and if they are found, identifying which application the current data stream belongs to by applying the corresponding application rules in the application rule base in order of the confidence in the current application tag group from largest to smallest.
2. The method of claim 1, wherein the session information of the data stream comprises: a server IP, a server port and a transport layer protocol of the data stream; searching the initial application session table for the current session information and the corresponding current application tag group comprises the following steps:
respectively searching a current server IP, a current server port and a current transport layer protocol included in current session information in the initial application session table;
and determining the application tag group corresponding to the searched session information as the current application tag group.
3. The method of claim 2, wherein the identifying which application the current data flow belongs to by applying the corresponding application rules in the application rule base in order of the confidence in the current application tag group from largest to smallest comprises:
determining the application with the maximum confidence level in the current application label group as the current application to be confirmed;
acquiring a current application rule corresponding to the current application from the application rule base;
and judging whether the content of the current data stream meets the current application rule, if so, determining that the current data stream belongs to the current application, and if not, determining the next application identifier in the current application tag group as the current application to be determined according to the sequence of confidence degrees from large to small until all application identifiers in the current application tag group are searched.
4. The method of claim 3, wherein the set of application tags further comprises: a counter corresponding to the application, the counter being for indicating a number of times the application is confirmed; after confirming that the current data flow belongs to the current application, the method further comprises:
and adding one to the value of the counter corresponding to the current application in the current application label group.
5. The method according to any of claims 1 to 4, wherein if the current session information is not present in the initial application session table, the method further comprises:
and according to a default identification sequence, identifying which application the current data flow belongs to according to each corresponding application rule in the application rule base.
6. The method of claim 5, wherein the set of application tags further comprises: a counter corresponding to the application, the counter being for indicating a number of times the application is confirmed;
further comprising:
adding session information of a current data flow and a corresponding current application tag group into the application session table, wherein the confidence coefficient in the current application tag group is a preset initial value, and the value of a counter corresponding to an application to which the current data flow belongs in the current application tag group is set to be one.
7. The method of claim 6, further comprising:
and judging whether a preset updating time period is reached, and if so, sending the session information of the data stream added in the initial application session table and the corresponding application tag group to a cloud server.
8. The method of claim 7, further comprising:
receiving session information and updated confidence coefficient of the added data stream returned by a cloud server, and updating the confidence coefficient in the initial application session table according to the updated confidence coefficient;
and updating the value of the counter corresponding to the updated confidence coefficient to a preset initial value.
9. A method for sending an application session table, the method being applied to a cloud server connected to a plurality of application identification devices, the method comprising:
generating a plurality of initial application session tables for the plurality of application recognition devices, respectively, the initial application session tables including: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application;
sending the plurality of initial application session tables to the corresponding application identification devices, respectively; wherein the application identification device further comprises an application rule base; the application rule base comprises: a plurality of application identifications and corresponding application rules; the application identification device is configured to acquire, in response to receiving a current data stream, the current session information of the current data stream; to search the initial application session table for the current session information and the corresponding current application tag group; and, if they are found, to identify which application the current data stream belongs to by applying the corresponding application rules in the application rule base in descending order of the confidences in the current application tag group.
10. The method of claim 9, further comprising:
receiving session information of added data streams and an added application tag group which are sent by the plurality of application identification devices when a preset updating time period comes;
calculating the confidence corresponding to each application in the target application tag group corresponding to the target data stream according to the confidence and the counter included in the added application tag group; wherein the target data stream is: an initial data flow in an initial application session table, and, the added data flow;
and sending the updated confidence coefficient and the session information of the corresponding data stream to the corresponding application identification equipment.
11. An application recognition device, characterized in that the application recognition device comprises: an initial application session table and an application rule base; the initial application session table includes: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application; the application rule base comprises: a plurality of application identifications and corresponding application rules; the apparatus comprises:
an acquisition unit, configured to acquire the current session information of a current data stream in response to receiving the current data stream;
a searching unit, configured to search the initial application session table for the current session information and the corresponding current application tag group;
and a first identification unit, configured to identify which application the current data stream belongs to by applying the corresponding application rules in the application rule base in descending order of the confidences in the current application tag group.
12. The device of claim 11, wherein the session information of the data stream comprises: a service end IP, a service end port and a transport layer protocol of the data stream; the search unit includes:
a searching subunit, configured to search, in the initial application session table, a current server IP, a current server port, and a current transport layer protocol included in the current session information respectively;
and the first determining subunit is used for determining the application tag group corresponding to the searched session information as the current application tag group.
13. The apparatus according to claim 12, wherein the first recognition unit comprises:
a second determining subunit, configured to determine the application with the highest confidence in the current application tag group as the current application to be confirmed;
an obtaining subunit, configured to obtain, from the application rule base, a current application rule corresponding to the current application;
a judging subunit, configured to judge whether the content of the current data stream satisfies the current application rule;
a determining subunit, configured to determine that the current data stream belongs to the current application if the result of the judging subunit is yes;
and a processing subunit, configured to, when the result of the judging subunit is no, determine the next application identifier in the current application tag group, in descending order of confidence, as the current application to be confirmed, until all application identifiers in the current application tag group have been searched.
14. The apparatus of claim 13, wherein the set of application tags further comprises: a counter corresponding to the application, the counter being for indicating a number of times the application is confirmed; after confirming that the current data flow belongs to the current application, the identifying unit further comprises:
and a counting subunit, configured to add one to the value of the counter corresponding to the current application in the current application tag group.
15. The apparatus of any one of claims 11 to 14, further comprising:
and the second identification unit is used for identifying which application the current data flow belongs to according to the default identification sequence and the corresponding application rules in the application rule base.
16. The apparatus of claim 15, wherein the set of application tags further comprises: a counter corresponding to the application, the counter being for indicating a number of times the application is confirmed;
further comprising:
and the adding unit is used for adding the session information of the current data stream and the corresponding current application tag group into the application session table, wherein the confidence coefficient in the current application tag group is a preset initial value, and the value of a counter corresponding to the application to which the current data stream belongs in the current application tag group is set to be one.
17. The apparatus of claim 16, further comprising:
the judging unit is used for judging whether a preset updating time period is reached or not;
and the first sending unit is used for sending the session information of the data stream added in the initial application session table and the corresponding application tag group to a cloud server under the condition that the result of the judging unit is yes.
18. The apparatus of claim 17, further comprising:
the first receiving unit is used for receiving the session information of the added data stream and the updated confidence coefficient returned by the cloud server and updating the confidence coefficient in the initial application session table according to the updated confidence coefficient;
and the updating unit is used for updating the value of the counter corresponding to the updated confidence coefficient to a preset initial value.
19. A cloud server, wherein the cloud server is connected to a plurality of application recognition devices, the server comprising:
a generating unit, configured to generate a plurality of initial application session tables for the plurality of application recognition devices, respectively, where the initial application session tables include: session information of a data stream and an application tag group corresponding to the session information one to one, wherein the application tag group comprises: a plurality of applications and corresponding confidence levels representing a likelihood that a corresponding data flow is attributed to an application;
a second sending unit, configured to send the plurality of initial application session tables to the corresponding application identification devices, respectively; wherein the application identification device further comprises an application rule base; the application rule base comprises: a plurality of application identifications and corresponding application rules; the application identification device is configured to acquire, in response to receiving a current data stream, the current session information of the current data stream; to search the initial application session table for the current session information and the corresponding current application tag group; and, if they are found, to identify which application the current data stream belongs to by applying the corresponding application rules in the application rule base in descending order of the confidences in the current application tag group.
20. The server of claim 19, further comprising:
a second receiving unit, configured to receive session information of added data streams and the added application tag groups, which are sent by the plurality of application identification devices when a preset update time period arrives;
a calculating unit, configured to calculate, according to the confidence and the counter included in the added application tag group, a confidence corresponding to each application in a target application tag group corresponding to a target data stream; wherein the target data stream is: an initial data flow in an initial application session table, and, the added data flow;
and the third sending unit is used for sending the updated confidence coefficient and the session information of the corresponding data stream to the corresponding application identification equipment.
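The device-side flow of claims 11 to 16 and 18 can be sketched as follows; this is an added Python example, not code from the patent. The rule patterns, the sample addresses, `INITIAL_CONFIDENCE`, the initial counter value of 0 and the fallback to the default order when no tagged application matches are assumptions.

```python
import re
from dataclasses import dataclass, field

INITIAL_CONFIDENCE = 0.5  # assumption: the "preset initial value" is not given on the page

# Constructed rule base (application identifier -> payload rule), in default order.
RULE_BASE = {
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-2\.0-"),
    "tls": re.compile(rb"^\x16\x03[\x00-\x04]"),
}

@dataclass
class Tag:
    confidence: float
    counter: int = 0

@dataclass
class Identifier:
    # (server IP, server port, transport protocol) -> {application: Tag}
    table: dict = field(default_factory=dict)
    added: set = field(default_factory=set)  # sessions to upload at the next update period
    rules_tried: int = 0                     # instrumentation for this example only

    def _matches(self, app, payload):
        self.rules_tried += 1
        return RULE_BASE[app].match(payload) is not None

    def identify(self, server_ip, server_port, proto, payload):
        key = (server_ip, server_port, proto)
        group = self.table.get(key, {})
        # Known session: try the tagged applications, highest confidence first.
        for app in sorted(group, key=lambda a: group[a].confidence, reverse=True):
            if self._matches(app, payload):
                group[app].counter += 1
                return app
        # Unknown session, or (assumption) no tagged application matched:
        # fall back to the default order over the remaining rules.
        for app in RULE_BASE:
            if app not in group and self._matches(app, payload):
                self.table.setdefault(key, {})[app] = Tag(INITIAL_CONFIDENCE, counter=1)
                self.added.add(key)
                return app
        return None

    def apply_update(self, key, confidences, initial_counter=0):
        # Confidences returned by the cloud server replace the local ones;
        # the matching counters go back to the preset initial value (assumed 0).
        for app, conf in confidences.items():
            tag = self.table[key][app]
            tag.confidence, tag.counter = conf, initial_counter
```

The session table only decides the order in which rules are tried; a flow is attributed to an application only when its content satisfies that application's rule, so an unexpected protocol on a well-known port is still classified by its payload.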
CN201610785121.0A 2016-08-31 2016-08-31 Application identification method and device, method for sending application session table and server Active CN106385402B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610785121.0A CN106385402B (en) 2016-08-31 2016-08-31 Application identification method and device, method for sending application session table and server

Publications (2)

Publication Number Publication Date
CN106385402A CN106385402A (en) 2017-02-08
CN106385402B true CN106385402B (en) 2021-07-30

Family

ID=57939385

Country Status (1)

Country Link
CN (1) CN106385402B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant