CN107682189B - Method for identifying network requirements based on neural network and network equipment - Google Patents

Method for identifying network requirements based on neural network and network equipment Download PDF

Info

Publication number
CN107682189B
CN107682189B CN201710909475.6A CN201710909475A CN107682189B CN 107682189 B CN107682189 B CN 107682189B CN 201710909475 A CN201710909475 A CN 201710909475A CN 107682189 B CN107682189 B CN 107682189B
Authority
CN
China
Prior art keywords
information entropy
preset time
time interval
message
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710909475.6A
Other languages
Chinese (zh)
Other versions
CN107682189A (en
Inventor
林嘉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruijie Networks Co Ltd filed Critical Ruijie Networks Co Ltd
Priority to CN201710909475.6A priority Critical patent/CN107682189B/en
Publication of CN107682189A publication Critical patent/CN107682189A/en
Application granted granted Critical
Publication of CN107682189B publication Critical patent/CN107682189B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0803Configuration setting
    • H04L41/0823Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0893Assignment of logical groups to network elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and network equipment for identifying network requirements based on a neural network, relates to the technical field of communication, can realize that each network equipment in a local area network can identify the network requirements by itself, and comprises the following steps: collecting messages in a first time period, and extracting at least one characteristic of each message in a first preset time interval; calculating the information entropy of at least one feature in each first preset time interval, and obtaining a first information entropy matrix of at least one feature of the message in the first time period according to the information entropy of at least one feature of the message in each first preset time interval; and inputting the elements in the first information entropy matrix into an application neural network model to obtain the network demand category corresponding to the first information entropy matrix. The application is used for identifying network requirements.

Description

Method for identifying network requirements based on neural network and network equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a network device for identifying network requirements based on a neural network.
Background
The network requirements may vary across the coverage of different lans. For example, most network traffic in the coverage of a local area network in an enterprise is used for office data communications, while most network traffic in the coverage of a local area network in an internet cafe is used for video game-like applications. In order to meet network requirements in different locations, different configuration policies need to be selected for network devices (such as switches or routers) in a local area network according to the network requirements, so as to perform network optimization.
When network optimization is performed at present, messages of all network devices in a local area network can be analyzed through a Deep Packet Inspection (DPI) technology, a specific DPI technology can analyze a load part of a message to identify application software corresponding to the message and specific content of the message, then a network requirement of the local area network is judged manually (for example, by a network administrator) according to the application software corresponding to the message and the specific content of the message, and then a corresponding configuration policy is selected for all network devices in the local area network according to the network requirement, for example, when the network requirement is that most network traffic is used for video game applications, a configuration policy for improving priority of game messages can be selected for all network devices in the local area network.
However, many locations covered by the local area network include different areas, for example, a hospital includes an outpatient department and a residential department, and the difference of network requirements of different areas may be large, and in the above method for optimizing the network, a network administrator may select the same configuration policy for all network devices in the local area network, so that the configuration policy selected by the network administrator cannot adapt to the network requirements of each area in the local area network because the method cannot flexibly select different configuration policies for each network device.
Disclosure of Invention
The embodiment of the invention provides a method for identifying network requirements based on a neural network and network equipment, which can realize that each network equipment in a local area network can identify the network requirements.
In a first aspect, a method for identifying network requirements based on a neural network is provided, the method comprising:
collecting messages in a first time period, wherein the first time period is divided into a plurality of first preset time intervals;
extracting at least one feature of the message in each first preset time interval, and calculating the information entropy of the at least one feature in each first preset time interval;
obtaining a first information entropy matrix of at least one characteristic of the message in the first time period according to the information entropy of at least one characteristic of the message in each first preset time interval;
and inputting the elements in the first information entropy matrix into an application neural network model to obtain the network demand category corresponding to the first information entropy matrix.
Optionally, before collecting the message in the first time period, the method further includes:
the following steps are executed for the local area networks meeting the network requirements of different types, so as to obtain a second information entropy matrix of at least one characteristic of the message in a second time period in the local area networks meeting the network requirements of different types:
collecting messages in a second time period, wherein the second time period is divided into a plurality of second preset time intervals;
extracting at least one feature of the message in each second preset time interval, and calculating the information entropy of the at least one feature in each second preset time interval;
and obtaining a second information entropy matrix of at least one characteristic of the message in the second time period according to the information entropy of at least one characteristic of the message in each second preset time interval.
Optionally, the method further includes: the method comprises the following steps of sequentially executing the following steps aiming at local area networks meeting different types of network requirements to obtain an application neural network model;
and inputting the elements in the second information entropy matrix into the initial neural network model, taking the network demand category as a label, and training the initial neural network model according to a BP algorithm.
Optionally, the inputting the elements in the first information entropy matrix into the neural network model includes:
performing data dimension reduction on the first information entropy matrix to obtain a dimension-reduced first information entropy matrix; inputting elements in the first information entropy matrix after dimensionality reduction into an application neural network model;
inputting the elements in the second information entropy matrix into the initial neural network model comprises:
performing data dimension reduction on the second information entropy matrix to obtain a dimension-reduced second information entropy matrix; and inputting the elements in the reduced second information entropy matrix into the initial neural network model.
Optionally, the extracting at least one feature of the packet in each first preset time interval, and the calculating the information entropy of the at least one feature in each first preset time interval includes:
extracting at least one characteristic of the message of each first preset time interval; and counting the occurrence frequency of the result of at least one feature in each first preset time interval according to the extracted at least one feature of the message in each first preset time interval, and calculating the information entropy of the at least one feature in each first preset time interval according to the counting result.
Optionally, the extracting at least one feature of the packet in each second preset time interval, and calculating the information entropy of the at least one feature in each second preset time interval includes:
extracting at least one characteristic of the message of each second preset time interval; and counting the occurrence frequency of the result of at least one feature in each second preset time interval according to the extracted at least one feature of the message in each second preset time interval, and calculating the information entropy of the at least one feature in each second preset time interval according to the counting result.
In the method for identifying network requirements based on the neural network provided by the embodiment of the invention, the network equipment can collect messages in a first time period (namely, messages passing through the network equipment in the first time period), and extract at least one characteristic of the messages in each first preset time interval; then, calculating the information entropy of at least one feature in each first preset time interval, and obtaining a first information entropy matrix of at least one feature of the message in the first time period according to the information entropy of at least one feature of the message in each first preset time interval; then, the elements in the first information entropy matrix are input into the application neural network model to obtain the network requirement category corresponding to the first information entropy matrix, so that the network equipment can identify the network requirement category through the messages passing through the network equipment.
Optionally, in the method, after determining the network requirement category according to the applied neural network model, the network device may further select a configuration policy corresponding to the network requirement category to configure the network device, so that each network device may flexibly select different configuration policies to meet the network requirement of each area in the local area network.
In a second aspect, a network device is provided, including:
the acquisition module is used for acquiring messages in a first time period, and the first time period is divided into a plurality of first preset time intervals;
the processing module is used for extracting at least one feature of the message in each first preset time interval and calculating the information entropy of the at least one feature in each first preset time interval; obtaining a first information entropy matrix of at least one characteristic of the message in a first time period according to the information entropy of at least one characteristic of the message in each first preset time interval; and inputting the elements in the first information entropy matrix into an application neural network model to obtain the network demand category corresponding to the first information entropy matrix.
Optionally, for a local area network meeting different types of network requirements, the acquisition modules are all configured to acquire messages in a second time period, where the second time period is divided into a plurality of second preset time intervals;
the processing modules are all used for extracting at least one characteristic of the message of each second preset time interval; calculating the information entropy of at least one feature in each second preset time interval; obtaining a second information entropy matrix of at least one characteristic of the message in the second time period according to the information entropy of at least one characteristic of the message in each second preset time interval;
optionally, for the local area networks meeting different types of network requirements, the processing module is further configured to sequentially input elements in the second information entropy matrix into the initial neural network model, use the network requirement type as a label, and train the initial neural network model according to a BP algorithm.
Optionally, the processing module is specifically configured to perform data dimension reduction on the first information entropy matrix to obtain a dimension-reduced first information entropy matrix; inputting elements in the first information entropy matrix after dimensionality reduction into an application neural network model; performing data dimension reduction on the second information entropy matrix to obtain a dimension-reduced second information entropy matrix; and inputting the elements in the reduced second information entropy matrix into the initial neural network model.
Optionally, the processing module is specifically configured to extract at least one feature of the packet at each first preset time interval; and counting the occurrence frequency of the result of at least one feature in each first preset time interval according to the extracted at least one feature of the message in each first preset time interval, and calculating the information entropy of the at least one feature in each first preset time interval according to the counting result.
Optionally, the processing module is specifically configured to extract at least one feature of the packet at each second preset time interval; and counting the occurrence frequency of the result of at least one feature in each second preset time interval according to the extracted at least one feature of the message in each second preset time interval, and calculating the information entropy of the at least one feature in each second preset time interval according to the counting result.
For the technical effects of the second aspect or the alternative implementation manner thereof, reference may be specifically made to the description of the technical effects of the first aspect or the alternative implementation manner thereof, and details are not described herein again.
Drawings
FIG. 1 is a schematic diagram of a method for identifying network requirements based on a neural network according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a three-layer neural network model according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed Description
The following describes a method and a network device for identifying network requirements based on a neural network according to embodiments of the present invention in detail with reference to the accompanying drawings.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as examples, illustrations or descriptions. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
The terms "first" and "second", etc. in the embodiments of the present invention are used to distinguish different objects, not to describe a specific order. For example, the first information entropy matrix and the second information entropy matrix are specific sequences for distinguishing different information entropy matrices, rather than describing different information entropy matrices.
The term "and/or" herein is merely an association describing an associated object, meaning that three relationships may exist, e.g., a and/or B, may mean: a exists alone, A and B exist simultaneously, and B exists alone. The symbol "/" herein denotes a relationship in which the associated object is or, for example, a/B denotes a or B.
When network optimization is performed at present, messages of all network devices in a local area network can be analyzed through a DPI technology, a specific DPI technology can analyze and identify application software corresponding to the messages and specific contents of the messages through a load part of the messages, then a network administrator can judge network requirements of the local area network according to the application software corresponding to the messages and the specific contents of the messages, and then a configuration strategy corresponding to the network requirements is selected for all network devices in the local area network according to the network requirements. However, many locations covered by the local area network include different areas, for example, a hospital includes an outpatient department and a residential department, and the difference of network requirements of different areas may be large, and in the above method for optimizing the network, a network administrator may select the same configuration policy for all network devices in the local area network, so that the configuration policy selected by the network administrator cannot adapt to the network requirements of each area in the local area network because the method cannot flexibly select different configuration policies for each network device.
In order to solve the above problem, embodiments of the present invention provide a method for identifying a network requirement based on a neural network, in which a network device itself may identify a network requirement class according to a packet passing through the network device (i.e., a packet received and/or sent by the network device). Therefore, after the network equipment determines the network requirement type according to the application neural network model, the configuration strategy corresponding to the network requirement type can be further selected to configure the network equipment, so that each network equipment can flexibly select different configuration strategies to meet the network requirement of each area in the local area network.
In the embodiment of the invention, the execution subject of the method for identifying the network requirement based on the neural network can be network equipment in a local area network.
For example, the network device in the embodiment of the present invention may be a router or a switch in a local area network.
As shown in fig. 1, the method for identifying network requirements based on a neural network according to an embodiment of the present invention includes the following steps S101-S111.
The method for identifying the network requirement based on the neural network provided by the embodiment of the invention can comprise two stages. Wherein, the first stage is a training stage, and the second stage is an identification stage. The method for identifying network requirements based on a neural network provided by the embodiment of the invention will be described in the following two stages.
In the first stage: and (5) a training stage.
For example, the training phase in the embodiment of the present invention may be performed before the network device is deployed in the local area network, for example, before the network device is shipped from a factory.
Optionally, in the embodiment of the present invention, before the network device leaves a factory, a scenario in which the network device receives and sends a message in a local area network with different types of network requirements may be simulated.
Firstly, in this stage, the following steps S101 to S104 are required to be performed for the local area networks satisfying different types of network requirements, so as to obtain a second information entropy matrix of at least one feature of the packet in the second time period in the local area networks satisfying different types of network requirements.
Illustratively, there are, for example, 3 network demand classes, which may be denoted as class 1, class 2, and class 3, respectively. In the embodiment of the present invention, the network device may execute S101-S104 in the simulated category 1 local area network to obtain a second information entropy matrix of at least one feature of the packet in a second time period in the category 1 local area network; executing S101-S104 in the simulated local area network of the category 2 to obtain a second information entropy matrix of at least one characteristic of the message in a second time period in the local area network of the category 2; and performing S101-S104 in the simulated category 3 local area network to obtain a second information entropy matrix of at least one characteristic of the message in a second time period in the category 3 local area network.
S101, collecting messages in a second time period, and extracting at least one characteristic of each message in a second preset time interval.
The second time period may be divided into a plurality of second preset time intervals. Alternatively, the plurality of second preset time intervals may be consecutive.
Illustratively, the second time period may be a day time, i.e., 24 hours. Assuming that the second preset time interval is T, the second time period may be divided into S consecutive second preset time intervals of 24/T. For example, T is 1 hour and S is 24, i.e., 24 hours can be divided into 24 1 hour.
For example, the network device may collect messages passing through the network device within 24 hours, and then segment and collect all the messages passing through the network device within 24 hours according to the granularity of 1 hour for the messages passing through the network device within 24 hours, so as to obtain the messages passing through the network device within each hour. Or, for example, the network device may collect messages passing through it in units of 1 hour, and continuously collect messages for 24 hours.
For the above-mentioned messages passing through the network device in each hour, the network device may extract at least one feature of the messages in each hour.
It should be noted that, the second time period and the preset time interval may be set according to actual situations, and the present invention is not limited thereto. For example, the second time period may also be set to one week, so that the difference of the messages passing through the network device in different types of local area network scenes may be reflected, and the accuracy of scene identification is improved.
Since the proportion of TCP (transmission control Protocol) messages and UDP (User Datagram Protocol) messages in the local area network to the total messages exceeds 95%, the messages referred to in the embodiment of the present invention mainly refer to TCP messages and UDP messages.
The features of the messages in the embodiment of the present invention may be classified into two categories, one is based on the features of the messages, and the other is based on the features of the message streams.
Illustratively, the message-based features may include 2 features: the length of the message and the identity of the message. Wherein the identifier of the message may be a TCP identifier. For UDP packets, the feature of the identifier of the packet may not be extracted, and the feature is set to a null value.
Optionally, a message with the same source IP (internet protocol, chinese) address, destination IP address, source port, destination port, and protocol type may be referred to as a message flow. The message flow-based features may include 5 features: source IP address, destination IP address, source port, destination port, and protocol type of the flow.
Optionally, the extracting at least one feature of the packet of each second preset time interval in S101 may include:
extracting at least one characteristic from the message of each second preset time interval by taking the message as a unit;
and/or;
extracting at least one feature from the message of each second preset time interval by taking the message flow as a unit; wherein each message flow is all the extracted messages with the same at least one characteristic.
For example, in the embodiment of the present invention, the extracting at least one feature of the packet in each second preset time interval may be extracting at least one feature of the above 7 features (i.e., two packet-based features, 5 packet-flow-based features) of the packet in each second preset time interval.
The extracting of the at least one feature of the packet in each second preset time interval in S101 may be extracting at least one feature from a header of the packet in each second preset time interval.
Because the features of the message provided in the embodiment of the present invention can be extracted from the header of the message, compared with the prior art in which the load part of the message is analyzed by the DPI technology to obtain the features of the message (identifying the application software corresponding to the message and the specific content of the message), the complexity of obtaining is reduced, and snooping and disclosure of the privacy of the user can be avoided.
S102, counting the frequency of occurrence of the result of at least one characteristic in each second preset time interval according to the extracted at least one characteristic of the message in each second preset time interval.
In the embodiment of the present invention, each feature of the extracted packet in each second preset time interval may include multiple results, for example, there may be multiple possible results for the extracted packet length in the packet in each second preset time interval.
For example, assuming that the extracted feature X includes n results, the possible results of the feature X may be expressed as { X1, X2, … …, Xn }.
From the n possible results of the feature X, statistics are performed on the number of occurrences of each result of the feature X in each second preset time interval, for example, the number of occurrences of the above-mentioned X1, X2, … …, Xn in the second preset time interval may be expressed as { C1, C2, … Cn }.
S103, calculating the information entropy of at least one feature in each second preset time interval according to the statistical result.
S104, obtaining a second information entropy matrix of at least one characteristic of the message in a second time period according to the information entropy of at least one characteristic of the message in each second preset time interval.
The information entropy reflects the information quantity distribution of data in a set and is the embodiment of the dispersion degree of the data. The information entropy is extracted in the embodiment of the invention because the data sets of different characteristics in different network requirements are distributed differently. For example, in an office environment, the network requirement category is category 1, most of the source ports and the destination ports of the messages in the local area network are office software ports, while in an internet bar, the network requirement category is category 2, most of the source ports and the destination ports of the messages in the local area network are game application ports, and the port distribution reflects the difference between the source ports and the destination ports.
The information entropy of feature X in the above example is calculated: h (x) ═ SUM (p (Xi)) log2P (Xi), where p (Xi) ═ Ci/SUM (c), Ci denotes the number of times that the i-th result of the n possible results appears within the second preset time interval, and SUM (c) denotes the total number of times that the n possible results appear.
Optionally, the information entropy of the feature X may be normalized according to a formula h (X) ═ h (X)/log2(n), so as to obtain a normalized information entropy.
In the embodiment of the present invention, 7 features of each packet of the second preset time interval are extracted as an example. In each time preset interval, the information entropy of the 7 features can be obtained.
Assuming that a day (24 hours) can be equally divided into S segments by T duration, i.e., 24/T ═ S, the sequence of entropy information of the feature X in a day, H1(X), H2(X), … hs (X), is obtained chronologically. The characteristics of the messages in the scene of sending and receiving the messages by the network equipment in the local area network for constructing the network requirements of different categories of the characteristic entropy information time series change along with the time, and the change trend is different along with the scene.
According to the method for acquiring the information entropy sequence of the feature X, the information entropy sequences of the 7 features can be acquired.
The information entropy sequences of the above 7 features can be combined to construct a second information entropy matrix M, where each row is composed of information entropy sequences of one feature, and it is known that the second information entropy matrix M is a 7 × S dimensional matrix.
For example, the second information entropy matrix M may be represented as:
Figure GDA0002623732460000101
each row in the second information entropy matrix M represents an information entropy sequence of a feature.
After the above steps S101 to S104 are performed for the local area networks satisfying the network requirements of different categories, the following step S105 is performed for the local area networks satisfying the network requirements of different categories in sequence to obtain the application neural network model.
And S105, inputting the elements in the second information entropy matrix into the initial neural network model, taking the network demand category as a label, and training the initial neural network model according to a BP algorithm.
For example, for a local area network that meets different types of network requirements, the network devices may each obtain a second information entropy matrix as shown in M above. For example, for 3 categories of local area networks with network requirements (which may be respectively represented as category 1, category 2, and category 3), the network device may obtain the second information entropy matrix M1 corresponding to the category 1 local area network, the second information entropy matrix M2 corresponding to the category 2 local area network, and the second information entropy matrix M3 corresponding to the category 3 local area network.
According to the above example, the method for training the initial neural network model according to the BP algorithm by inputting the elements in the second information entropy matrices M1, M2 and M3 into the input layer nodes of the initial neural network model and using the network demand classes as labels to obtain the applied neural network model specifically may include the following steps 1-4.
1. The network device constructs an initial neural network model.
The network device constructs an initial neural network model. The number of input layer nodes of the initial neural network model is the same as the number of elements in the second information entropy matrix. For example, the second information entropy matrix is the 7 × S dimensional matrix M in the above example, the number of input layer nodes of the initial neural network model is 7 × S.
Alternatively, the number of output layer nodes of the initial neural network model may be 1.
The number of nodes in the intermediate layer of the initial neural network model is not limited in the embodiment of the invention.
According to kolmogorov theorem, it can be known that a 3-layer network is enough to complete any mapping from N dimension to M dimension, so that generally only 1 intermediate layer (also called hidden layer) is needed, and from the perspective of simplicity and practicality, it is also recommended to select 1 intermediate layer. Thus, embodiments of the present invention may build an initial neural network model with 3 layers, i.e., only one intermediate layer. Illustratively, the 3-layer neural network model may be as shown in fig. 2, with each circle in fig. 2 representing a node. In the embodiment of the present invention, when the neural network model shown in fig. 2 is used as the initial neural network model, assuming that the second information entropy matrix is the 7 × S dimensional matrix M in the above example, the number of input layer nodes in fig. 2 is 7 × S, the number of output layer nodes is 1 (i.e., network requirement category), and the number of intermediate layer nodes may be set according to an actual situation. Specifically, when the initial neural network model is trained, 7 × S pieces of information entropy data (i.e., elements in the matrix M) in the second information entropy matrix may be input as inputs and input into 7 × S input layer nodes of the initial neural network model shown in fig. 2 in a one-to-one correspondence manner, and then the initial neural network model is trained through a BP algorithm with the network requirement category as a label.
2. And inputting the elements in the M1 into the input layer nodes of the initial neural network model, and training the initial neural network model according to a BP algorithm by taking the class 1 as a label.
After the above 2 is performed, the following 3 is performed.
3. And inputting the elements in the M2 into the input layer nodes of the initial neural network model, and training the initial neural network model according to a BP algorithm by taking the class 2 as a label.
After the above 3 is performed, the following 4 is performed.
4. And inputting the elements in the M3 into the input layer nodes of the initial neural network model, taking the class 3 as a label, and training the initial neural network model according to a BP algorithm to obtain an application neural network model.
Thus, after the methods of 1-4 above, an applied neural network model can be obtained. The trained application neural network model may be set in the network device so that the network device may identify its own network demand class in an identification phase described below.
Optionally, in this embodiment of the present invention, in order to simplify the calculation, after the second information entropy matrix is obtained in S104, data dimensionality reduction may be performed on the second information entropy matrix to obtain a second information entropy matrix after dimensionality reduction, and then the above S105 is performed, so that the complexity of the initial neural network model may be reduced at this time, that is, the number of input layer nodes of the initial neural network model is the number of elements in the second information entropy matrix after dimensionality reduction.
For example, the process of performing data dimension reduction on the second information entropy matrix M in S104 may specifically include the following steps a to c.
a. The matrix M is reduced to 1 dimension resulting in a 7 x1 matrix T1.
Illustratively, can be
Figure GDA0002623732460000121
Reducing the vitamin content to obtain
Figure GDA0002623732460000122
b. Transpose matrix M to get matrix M ', then reduce M' to 1 dimension to get a S × 1 matrix T2.
Illustratively, transposing the matrix M results in
Figure GDA0002623732460000123
Then reducing the dimension of M' to obtain
Figure GDA0002623732460000124
c. The matrix T1 and the matrix T2 are combined to obtain a (S +7) × 1 second information entropy matrix.
After the second information entropy matrix of (S +7) × 1 after the dimensionality reduction is obtained, then the above-mentioned S105 is executed, so that the complexity of the initial neural network model can be reduced, that is, the number of input layer nodes of the initial neural network model at this time is the number of elements in the second information entropy matrix after the dimensionality reduction, that is, (S + 7).
It should be noted that, in this embodiment, the methods S101 to S105 in the training phase may be completed in a network device, or may be completed by both the network device and a learning machine. The learning machine can be a host device such as a server, a personal computer, and the like.
For example, the training phase may collect messages passing through the network device (e.g., S101 described above), then perform feature extraction on the messages by using a learning machine, and complete training of the initial neural network model by using the learning machine to obtain the application neural network model (e.g., S102-S104 described above). Finally, the trained application neural network model is set into the network equipment, so that the network equipment can execute the method of the following identification phase.
And a second stage: and (5) an identification phase.
For example, the identification phase in the embodiment of the present invention may be performed after the network device is deployed in the local area network.
S106, collecting the messages in the first time period, and extracting at least one characteristic of each message in the first preset time interval.
In the embodiment of the present invention, the time length of the second time period may be the same as that of the first time period. For example, the second time period may be one day (i.e., 24 hours) in the training phase, and the first time period may be one day in the recognition phase.
Optionally, in the embodiment of the present invention, the second time interval may be the same as the first time interval, that is, the second time period and the first time period may be divided by using a preset time interval with the same time length; of course, the second time interval may be different from the first time interval, and may be specifically set according to actual needs.
S107, counting the frequency of occurrence of the result of at least one characteristic in each first preset time interval according to the extracted at least one characteristic of the message in each first preset time interval.
Optionally, the extracting at least one feature of the packet of each first preset time interval may include:
extracting at least one characteristic from each message of a first preset time interval by taking the message as a unit;
and/or;
extracting at least one characteristic from the messages of each first preset time interval by taking the message flow as a unit; wherein each message flow is all the extracted messages with the same at least one characteristic.
Specifically, the method for extracting at least one feature of each packet in the first preset time interval is similar to the method for extracting at least one feature of each packet in the second preset time interval, and is not repeated here.
And S108, calculating the information entropy of at least one feature in each first preset time interval according to the statistical result.
S109, obtaining a first information entropy matrix of at least one characteristic of the message in the first time period according to the information entropy of at least one characteristic of the message in each first preset time interval.
For the descriptions of the above S106 to S109 in the embodiment of the present invention, reference may be specifically made to the above descriptions of S101 to S104, which are not described herein again.
In the embodiment of the present invention, the method for obtaining the first information entropy matrix is similar to the method for obtaining the second information entropy matrix in the above embodiment, and details are not repeated here.
It should be noted that the number of elements in the first information entropy matrix in the embodiment of the present invention needs to be the same as the number of elements in the second information entropy matrix. For example, when the second information entropy matrix is the above-mentioned 7 × S matrix, the first information entropy matrix is also a 7 × S matrix.
If the second information entropy matrix is subjected to data dimension reduction, the first information entropy matrix also needs to be subjected to data dimension reduction.
S110, inputting the elements in the first information entropy matrix into the application neural network model to obtain the network demand type corresponding to the first information entropy matrix.
And the number of the input layer nodes of the applied neural network model is equal to the number of the elements in the first information entropy matrix. The number of optional output layer nodes of the applied neural network model is 1.
Optionally, in this embodiment of the present invention, inputting the element in the first information entropy matrix into the input layer node of the application neural network model includes:
performing data dimension reduction on the first information entropy matrix to obtain a dimension-reduced first information entropy matrix; and inputting the elements in the first information entropy matrix after dimensionality reduction into input layer nodes of the application neural network model, wherein the number of the input layer nodes of the application neural network model is equal to the number of the elements in the first information entropy matrix after dimensionality reduction.
In the embodiment of the present invention, the description of the method for performing data dimension reduction on the second information entropy matrix in the above embodiment may be referred to as a method for performing data dimension reduction on the first information entropy matrix, and details are not repeated here.
In the method for identifying network requirements based on the neural network provided by the embodiment of the invention, the network equipment can collect messages in a first time period (namely, messages passing through the network equipment in the first time period), and extract at least one characteristic of the messages in each first preset time interval; then, calculating the information entropy of at least one feature in each first preset time interval, and obtaining a first information entropy matrix of at least one feature of the message in the first time interval according to the information entropy of at least one feature of the message in each first preset time interval; then, the elements in the first information entropy matrix are input into the application neural network model to obtain the network requirement category corresponding to the first information entropy matrix, so that the network equipment can identify the network requirement through the message passing through the network equipment.
And S111, selecting a corresponding configuration strategy according to the network requirement category.
Optionally, in the method, after determining the network requirement category according to the applied neural network model, the network device may further select a configuration policy corresponding to the network requirement category to configure the network device, so that each network device may flexibly select different configuration policies to meet the network requirement of each area in the local area network.
As shown in fig. 3, an embodiment of the present invention provides a network device, where the network device includes:
the system comprises an acquisition module 11, a processing module and a processing module, wherein the acquisition module is used for acquiring messages in a first time period, and the first time period is divided into a plurality of first preset time intervals;
a processing module 12, configured to extract at least one feature of each packet of the first preset time interval; calculating the information entropy of at least one feature in each first preset time interval according to the extracted at least one feature of the message in each first preset time interval; obtaining a first information entropy matrix of at least one characteristic of the message in a first time period according to the information entropy of at least one characteristic of the message in each first preset time interval; and inputting the elements in the first information entropy matrix into an application neural network model to obtain the network demand category corresponding to the first information entropy matrix.
And the number of the input layer nodes applying the neural network model is equal to the number of the elements in the first information entropy matrix.
Optionally, for a local area network meeting different types of network requirements, the acquisition modules are all configured to acquire messages in a second time period, where the second time period is divided into a plurality of second preset time intervals;
the processing modules 12 are all used for extracting at least one feature of the message of each second preset time interval; calculating the information entropy of at least one feature in each second preset time interval; obtaining a second information entropy matrix of at least one characteristic of the message in a second time period according to the information entropy of at least one characteristic of the message in each second preset time interval;
aiming at the local area networks meeting different types of network requirements, the processing module is further used for sequentially inputting elements in the second information entropy matrix into input layer nodes of the initial neural network model, using the network requirement types as labels, and training the initial neural network model according to a BP algorithm; the number of input layer nodes of the initial neural network model is equal to the number of elements in the second information entropy matrix.
Optionally, the processing module 12 is specifically configured to extract at least one feature from a header of the packet in each first preset time interval.
Optionally, the processing module 12 is specifically configured to extract at least one feature from each packet of the first preset time interval by using the packet as a unit;
and/or;
extracting at least one characteristic from the messages of each first preset time interval by taking the message flow as a unit; each packet flow is all packets with at least one characteristic being the same.
Optionally, the processing module 12 is specifically configured to extract at least one feature from a header of the packet in each second preset time interval.
Optionally, the processing module 12 is specifically configured to extract at least one feature from each packet of the second preset time interval by using the packet as a unit;
and/or;
extracting at least one feature from the message of each second preset time interval by taking the message flow as a unit; each packet flow is all packets with at least one characteristic being the same.
Optionally, the processing module 12 is specifically configured to perform data dimension reduction on the first information entropy matrix to obtain a dimension-reduced first information entropy matrix; inputting elements in the first information entropy matrix after dimensionality reduction into an application neural network model; performing data dimension reduction on the second information entropy matrix to obtain a dimension-reduced second information entropy matrix; and inputting the elements in the reduced second information entropy matrix into the initial neural network model.
The number of input layer nodes of the neural network model is equal to the number of elements in the first information entropy matrix after dimensionality reduction; and the number of the input layer nodes of the initial neural network model is equal to the number of the elements in the second information entropy matrix after dimensionality reduction.
Optionally, the processing module 12 is specifically configured to extract at least one feature of the packet at each first preset time interval; and counting the occurrence frequency of the result of at least one feature in each first preset time interval according to the extracted at least one feature of the message in each first preset time interval, and calculating the information entropy of at least one feature in each first preset time interval according to the counting result.
Optionally, the processing module 12 is specifically configured to extract at least one feature of the packet at each second preset time interval; and counting the occurrence frequency of the result of at least one feature in each second preset time interval according to the extracted at least one feature of the message in each second preset time interval, and calculating the information entropy of at least one feature in each second preset time interval according to the counting result.
The technical solutions provided in the embodiments of the present invention are essentially or partially contributed to by the prior art, or all or part of the technical solutions may be implemented by software programs, hardware, firmware, or any combination thereof. When implemented using a software program, the computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the flow or functions according to embodiments of the invention, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device including one or more available media integrated servers, data centers, and the like. The usable medium may be a magnetic medium (e.g., floppy disk, magnetic tape), an optical medium (e.g., Digital Video Disk (DVD)), or a semiconductor medium (e.g., Solid State Drive (SSD)), among others.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, only the division of the functional modules is illustrated, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for identifying network requirements based on a neural network is applied to network equipment in a local area network, and comprises the following steps:
collecting messages in a first time period, wherein the first time period is divided into a plurality of first preset time intervals;
extracting at least one feature of the message of each first preset time interval, and calculating the information entropy of the at least one feature in each first preset time interval;
obtaining a first information entropy matrix of at least one characteristic of the message in the first time period according to the information entropy of at least one characteristic of the message in each first preset time interval;
inputting elements in the first information entropy matrix into an application neural network model to obtain a network demand category corresponding to the first information entropy matrix;
wherein, the extracting at least one feature of the packet of each first preset time interval includes:
extracting at least one characteristic from each message of a first preset time interval by taking the message as a unit;
and/or;
extracting at least one characteristic from the messages of each first preset time interval by taking the message flow as a unit; wherein each message flow is all the extracted messages with the same at least one characteristic.
2. The method of claim 1, further comprising:
the following steps are executed for the local area networks meeting the network requirements of different types, so as to obtain a second information entropy matrix of at least one characteristic of the message in a second time period in the local area networks meeting the network requirements of different types:
collecting messages in a second time period, wherein the second time period is divided into a plurality of second preset time intervals;
extracting at least one characteristic of the message of each second preset time interval; calculating the information entropy of the at least one feature in each second preset time interval;
and obtaining a second information entropy matrix of at least one characteristic of the message in the second time period according to the information entropy of at least one characteristic of the message in each second preset time interval.
3. The method of claim 2, further comprising:
aiming at the local area networks meeting different types of network requirements, the following steps are sequentially executed to obtain the application neural network model:
inputting the elements in the second information entropy matrix into an initial neural network model, taking the network demand category as a label, and training the initial neural network model according to a BP algorithm.
4. The method of claim 2, wherein inputting the elements in the first information entropy matrix into an application neural network model comprises:
performing data dimension reduction on the first information entropy matrix to obtain a dimension-reduced first information entropy matrix;
inputting elements in the first information entropy matrix after dimensionality reduction into an application neural network model;
the inputting the elements in the second information entropy matrix into an initial neural network model comprises:
performing data dimension reduction on the second information entropy matrix to obtain a dimension-reduced second information entropy matrix; and inputting the elements in the reduced second information entropy matrix into an initial neural network model.
5. The method according to claim 1, wherein the extracting at least one feature of the packet in each first preset time interval, and the calculating the information entropy of the at least one feature in each first preset time interval comprises:
extracting at least one characteristic of the message of each first preset time interval;
counting the occurrence frequency of the result of at least one characteristic in each first preset time interval according to the extracted at least one characteristic of the message in each first preset time interval;
and calculating the information entropy of the at least one feature in each first preset time interval according to the statistical result.
6. A network device, wherein the network device is a network device in a local area network, comprising:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring messages in a first time period, and the first time period is divided into a plurality of first preset time intervals;
the processing module is used for extracting at least one feature of the message in each first preset time interval and calculating the information entropy of the at least one feature in each first preset time interval; obtaining a first information entropy matrix of at least one characteristic of the message in the first time period according to the information entropy of at least one characteristic of the message in each first preset time interval; inputting elements in the first information entropy matrix into an application neural network model to obtain a network demand category corresponding to the first information entropy matrix;
the processing module extracts at least one feature of the packet at each first preset time interval, and specifically includes: extracting at least one characteristic from each message of a first preset time interval by taking the message as a unit; and/or;
extracting at least one characteristic from the messages of each first preset time interval by taking the message flow as a unit; wherein each message flow is all the extracted messages with the same at least one characteristic.
7. The apparatus of claim 6,
aiming at local area networks meeting different types of network requirements, the acquisition modules are all used for acquiring messages in a second time period, and the second time period is divided into a plurality of second preset time intervals;
the processing modules are all used for extracting at least one characteristic of the message of each second preset time interval; calculating the information entropy of the at least one feature in each second preset time interval; and obtaining a second information entropy matrix of at least one characteristic of the message in the second time period according to the information entropy of at least one characteristic of the message in each second preset time interval.
8. The apparatus of claim 7,
and aiming at the local area networks meeting different types of network requirements, the processing module is also used for inputting the elements in the second information entropy matrix into an initial neural network model, using the network requirement types as labels, and training the initial neural network model according to a BP algorithm.
9. The apparatus of claim 7,
the processing module is specifically configured to perform data dimension reduction on the first information entropy matrix to obtain a dimension-reduced first information entropy matrix; inputting elements in the first information entropy matrix after dimensionality reduction into an application neural network model; performing data dimension reduction on the second information entropy matrix to obtain a dimension-reduced second information entropy matrix; and inputting the elements in the reduced second information entropy matrix into an initial neural network model.
10. The apparatus of claim 6,
the processing module is specifically configured to extract at least one feature of the packet at each first preset time interval; and counting the occurrence frequency of the result of at least one feature in each first preset time interval according to the extracted at least one feature of the message in each first preset time interval, and calculating the information entropy of at least one feature in each first preset time interval according to the counting result.
CN201710909475.6A 2017-09-29 2017-09-29 Method for identifying network requirements based on neural network and network equipment Active CN107682189B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710909475.6A CN107682189B (en) 2017-09-29 2017-09-29 Method for identifying network requirements based on neural network and network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710909475.6A CN107682189B (en) 2017-09-29 2017-09-29 Method for identifying network requirements based on neural network and network equipment

Publications (2)

Publication Number Publication Date
CN107682189A CN107682189A (en) 2018-02-09
CN107682189B true CN107682189B (en) 2021-03-02

Family

ID=61138704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710909475.6A Active CN107682189B (en) 2017-09-29 2017-09-29 Method for identifying network requirements based on neural network and network equipment

Country Status (1)

Country Link
CN (1) CN107682189B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10708363B2 (en) * 2018-08-10 2020-07-07 Futurewei Technologies, Inc. Artificial intelligence based hierarchical service awareness engine
CN109492749B (en) * 2018-10-12 2023-04-18 平安科技(深圳)有限公司 Method and device for realizing neural network model online service in local area network

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130126814A (en) * 2012-04-26 2013-11-21 한국전자통신연구원 Traffic flooding attack detection and in-depth analysis devices and method using data mining
CN103812700A (en) * 2014-02-18 2014-05-21 西南大学 Message classifying method based on rule information entropy
CN104144089B (en) * 2014-08-06 2017-06-16 山东大学 It is a kind of that flow knowledge method for distinguishing is carried out based on BP neural network
CN104602142B (en) * 2015-01-29 2018-10-26 太仓市同维电子有限公司 Business sorting technique based on neural network learning
US9465940B1 (en) * 2015-03-30 2016-10-11 Cylance Inc. Wavelet decomposition of software entropy to identify malware
CN106503146B (en) * 2016-10-21 2019-06-07 江苏理工学院 The feature selection approach of computer version
CN106453392B (en) * 2016-11-14 2019-04-09 中国人民解放军防空兵学院 Whole network exception stream recognition method based on traffic characteristic distribution
CN106375136B (en) * 2016-11-17 2019-01-25 北京智芯微电子科技有限公司 A kind of optical access network Business Stream cognitive method and device

Also Published As

Publication number Publication date
CN107682189A (en) 2018-02-09

Similar Documents

Publication Publication Date Title
EP3563554B1 (en) System and method for detecting unknown iot device types by monitoring their behavior
CN106982377B (en) Barrage management method and device
US20220174008A1 (en) System and method for identifying devices behind network address translators
Xu et al. The topology of dark networks
CN104301436A (en) Push method and device of content to be displayed, subscription method and device of content to be displayed and update method and device of content to be displayed
CN103078897A (en) System for implementing fine grit classification and management of Web services
Ma et al. Pinpointing hidden IoT devices via spatial-temporal traffic fingerprinting
CN107682189B (en) Method for identifying network requirements based on neural network and network equipment
He et al. Deep-feature-based autoencoder network for few-shot malicious traffic detection
CN116862012A (en) Machine learning model training method, business data processing method, device and system
CN106713290A (en) Method used for identifying primary user account and server
CN109451486A (en) WiFi acquisition system and WiFi terminal detection method based on probe request
CN107404459B (en) Method for acquiring fingerprint characteristics of network attack message and network equipment
CN106302666A (en) Data push method and device
CN115766242A (en) Environment-friendly management system based on safety isolation communication
CN108234217A (en) Networking equipment method of automatic configuration, electronic equipment and storage medium
CN108648017B (en) User requirement matching method, device, equipment and storage medium easy to expand
CN110795558A (en) Label acquisition method and device, storage medium and electronic device
CN111666501B (en) Abnormal community identification method, device, computer equipment and storage medium
CN106612300A (en) Message push method and push server
CN106850722A (en) A kind of method that passenger flow counting information is transmitted by HTTP
US20230038310A1 (en) Devices, Methods, and System for Heterogeneous Data-Adaptive Federated Learning
Herrera-Yagüe et al. Prediction of telephone user attributes based on network neighborhood information
CN104836700A (en) NAT (Network Address Translation) host number detection method based on IPID and probability statistics model
CN112396151B (en) Rumor event analysis method, rumor event analysis device, rumor event analysis equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant