CN108667747A - The method, apparatus and computer readable storage medium of network flow application type identification - Google Patents

The method, apparatus and computer readable storage medium of network flow application type identification Download PDF

Info

Publication number
CN108667747A
CN108667747A CN201810407503.9A CN201810407503A CN108667747A CN 108667747 A CN108667747 A CN 108667747A CN 201810407503 A CN201810407503 A CN 201810407503A CN 108667747 A CN108667747 A CN 108667747A
Authority
CN
China
Prior art keywords
network
feature
flow
packet
data flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810407503.9A
Other languages
Chinese (zh)
Inventor
孔令晶
黄国伟
邬可可
叶建锋
汪卫明
周莹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Institute of Information Technology
Original Assignee
Shenzhen Institute of Information Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Institute of Information Technology filed Critical Shenzhen Institute of Information Technology
Priority to CN201810407503.9A priority Critical patent/CN108667747A/en
Publication of CN108667747A publication Critical patent/CN108667747A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of network flow application types to know method for distinguishing, including:Real-time reception network packet according to the network data flow that the feature extraction of the network packet is to be identified, and extracts the feature of the network data flow to be identified;According to the application type of network data flow to be identified described in the feature of the network data flow to be identified and preset application class Model Identification, the application class model trains to obtain according to the feature of the network data flow received;Wherein, the feature of the network data flow includes data packet length feature, packet time feature and data packet service type feature.The invention also discloses a kind of network flow application type identification device and computer readable storage mediums.The present invention realizes without the content of detection network data packet by the statistics and analysis of the behavioural characteristic to network data flow and identifies network flow application type, is particularly suitable for the identification of encrypted network data stream.

Description

The method, apparatus and computer readable storage medium of network flow application type identification
Technical field
The present invention relates to field of computer technology more particularly to a kind of network flow application type to know method for distinguishing, network flow The device and computer readable storage medium of application type identification.
Background technology
Network flow identification technology is the key technology of current network flow management, service quality and security protection.It can lead to The application type for crossing data flow in identification network, is filtered flow according to management strategy, can also be according to the row of network flow To show, there is aggressive flow in detection network stream, network is effectively protected.
The network stream recognition method of earliest period is a kind of recognition methods based on port, that is to say, that the end according to network flow Slogan is applied to type and is judged, for example, the ports of HTTP flows is that the port of 80, SSL port flows is 443 etc..But It is that have used dynamic port (for example P2P network flows), the method be difficult accurately to network flow for current most of network applications Amount is identified.Hereafter the DPI (Deep Packets Inspection, deep-packet detection) occurred is also once in industrial quarters It is widely used.It identifies its application type by the payload content of partial data packet in detection network stream.This Kind of mode requires payload content right and wrong that are high, and being transmitted by refined net stream not only for manpower and time cost Transparent, it is difficult to be identified.
The above is only used to facilitate the understanding of the technical scheme, and is not represented and is recognized that the above is existing skill Art.
Invention content
The main purpose of the present invention is to provide a kind of network flow application types to know method for distinguishing, network flow application type is known Other device and computer readable storage medium, it is intended to solve effectively identify the application class of refined net stream in the prior art The technical issues of type.
To achieve the above object, the present invention provides a kind of network flow application type knowledge method for distinguishing, the network flow application Kind identification method includes the following steps:
Real-time reception network packet, according to the network data flow that the feature extraction of the network packet is to be identified, and Extract the feature of the network data flow to be identified;
According to be identified described in the feature of the network data flow to be identified and preset application class Model Identification The application type of network data flow, the application class model train to obtain according to the feature of the network data flow received;
Wherein, the feature of the network data flow includes data packet length feature, packet time feature and data packet clothes Service type feature.
Preferably, the feature of the network data flow includes:
The data packet length feature include the maximum data packet length of the network data flow, minimum data packet length, Average data packet length and data packet length variance;
The packet time feature includes that the data packet of the network data flow reaches the largest interval time, data packet arrives It is lasting up to minimum time interval, data packet arrival Mean Time Between Replacement, data packet interarrival time variance and data levelling Time, data packet Transmission time and data packet transmit free time;
The data packet services type feature includes data packet services type identification bit number, carries service type identification The data packet number of data packet number and each service type identification.
Preferably, the real-time reception network packet, according to the feature of the network packet from the network data Network data flow to be identified is extracted in packet, and is also wrapped before the step of extracting the feature of the network data flow to be identified It includes:
Identified network data flow is obtained, and extracts the feature of the identified network data flow;
According to the feature of the identified network data flow train application class model, and will training finish described in answer Use disaggregated model as default application class model.
Preferably, described the step of training application class model according to the feature of the identified network data flow, wraps It includes:
When there is the identified network data flow of preset number, the application class model of corresponding training includes State preset number classification function.
Preferably, described the step of training application class model according to the feature of the identified network data flow, wraps It includes:
By the Feature Conversion of the identified network data flow at feature vector;
Application class model is trained according to described eigenvector.
Preferably, described the step of training application class model according to described eigenvector, includes:
The dimension of described eigenvector is increased with kernel function;
Described eigenvector after being increased according to dimension trains application class model.
Preferably, after described the step of training application class model according to the feature of the identified network data flow Further include:
Receive test network data flow;
According to the application type of test network data flow described in the application class Model Identification, and obtain the application point The recognition correct rate of class model;
The parameter of the application class model is adjusted according to the recognition correct rate.
Preferably, include after the real-time reception network packet step:
The number of the network packet of real-time reception is obtained, and it is pre- to judge whether the network packet number is more than If number;
When the network packet number is more than preset number, execute according to the feature of the network packet from described Network data flow to be identified is extracted in network packet, and extracts the step of the feature of the network data flow to be identified Suddenly.
In addition, to achieve the above object, the present invention also provides the device of network flow application type identification, the device packets It includes:The network flow application type that memory, processor and being stored in can be run on the memory and on the processor is known Other processing routine, the network flow application type identifying processing program realize network as described above when being executed by the processor The step of stream application kind identification method.
In addition, to achieve the above object, the present invention also proposes a kind of computer readable storage medium, which is characterized in that institute It states and is stored with network flow application type identifying processing program on computer readable storage medium, the network flow application type identification The step of network flow application type recognition methods as described above is realized when processing routine is executed by processor.
A kind of method, apparatus for network flow application type identification that the embodiment of the present invention proposes and readable computer storage are situated between Matter, real-time reception network packet according to the network data flow that the feature extraction of the network packet is to be identified, and extract institute State the feature of network data flow to be identified;According to the feature of the network data flow to be identified and preset application class mould Type identifies the application type of the network data flow to be identified, and the application class model is according to the network data flow received Feature train to obtain;Wherein, the feature of the network data flow includes data packet length feature, packet time feature sum number According to packet service type feature.The present invention is realized by the statistics and analysis of the behavioural characteristic to network data flow without detection The content of network packet and identify network flow application type, be particularly suitable for the identification of encrypted network data stream.
Description of the drawings
Fig. 1 is the terminal structure schematic diagram for the hardware running environment that the embodiment of the present invention is related to;
Fig. 2 is the flow diagram of inventive network stream application kind identification method first embodiment;
Fig. 3 is the flow diagram of inventive network stream application kind identification method second embodiment;
Fig. 4 is the flow diagram of inventive network stream application kind identification method 3rd embodiment;
Fig. 5 is the flow diagram of inventive network stream application kind identification method fourth embodiment.
The embodiments will be further described with reference to the accompanying drawings for the realization, the function and the advantages of the object of the present invention.
Specific implementation mode
It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not intended to limit the present invention.
The primary solutions of the embodiment of the present invention are:Real-time reception network packet, according to the network packet Feature extraction network data flow to be identified, and extract the feature of the network data flow to be identified;According to described to be identified Network data flow feature and preset application class Model Identification described in network data flow to be identified application type, institute Application class model is stated to train to obtain according to the feature of the network data flow received;Wherein, the feature of the network data flow Including data packet length feature, packet time feature and data packet service type feature.
Due to being to identify its application by the payload content of partial data packet in detection network stream in the prior art Type, this mode require payload that is high, and being transmitted by refined net stream not only for manpower and time cost Content is nontransparent, it is difficult to be identified.
The present invention provides a solution, by the statistics and analysis of the behavioural characteristic to network data flow, realizes Network flow application type is identified without the content of detection network data packet, is particularly suitable for the knowledge of encrypted network data stream Not.
As shown in Figure 1, the terminal structure schematic diagram for the hardware running environment that Fig. 1, which is the embodiment of the present invention, to be related to.
Terminal of the embodiment of the present invention is network flow application type identification device.
As shown in Figure 1, the device may include:Processor 1001, such as CPU, communication bus 1002, memory 1003. Wherein, communication bus 1002 is for realizing the connection communication between these components.Memory 1003 can be high-speed RAM storage Device can also be stable memory (non-volatile memory), such as magnetic disk storage.Memory 1003 is optional It can also be the storage device independently of aforementioned processor 1001.
It will be understood by those skilled in the art that the restriction of the not structure paired terminal of terminal structure shown in Fig. 1, can wrap It includes than illustrating more or fewer components, either combines certain components or different components arrangement.
As shown in Figure 1, as may include operating system and network in a kind of memory 1003 of computer storage media Stream application type identification processing routine.
In device shown in Fig. 1, processor 1001 can be used for calling the network flow application stored in memory 1003 Type identification processing routine, and execute following operation:
Real-time reception network packet, according to the network data flow that the feature extraction of the network packet is to be identified, and Extract the feature of the network data flow to be identified;
According to be identified described in the feature of the network data flow to be identified and preset application class Model Identification The application type of network data flow, the application class model train to obtain according to the feature of the network data flow received;
Wherein, the feature of the network data flow includes data packet length feature, packet time feature and data packet clothes Service type feature.
Further, processor 1001 can call the network flow application type identifying processing journey stored in memory 1003 Sequence also executes following operation:
The data packet length feature include the maximum data packet length of the network data flow, minimum data packet length, Average data packet length and data packet length variance;
The packet time feature includes that the data packet of the network data flow reaches the largest interval time, data packet arrives It is lasting up to minimum time interval, data packet arrival Mean Time Between Replacement, data packet interarrival time variance and data levelling Time, data packet Transmission time and data packet transmit free time;
The data packet services type feature includes data packet services type identification bit number, carries service type identification The data packet number of data packet number and each service type identification.
Further, processor 1001 can call the network flow application type identifying processing journey stored in memory 1003 Sequence also executes following operation:
Identified network data flow is obtained, and extracts the feature of the identified network data flow;
According to the feature of the identified network data flow train application class model, and will training finish described in answer Use disaggregated model as default application class model.
Further, processor 1001 can call the network flow application type identifying processing journey stored in memory 1003 Sequence also executes following operation:
When there is the identified network data flow of preset number, the application class model of corresponding training includes State preset number classification function.
Further, processor 1001 can call the network flow application type identifying processing journey stored in memory 1003 Sequence also executes following operation:
By the Feature Conversion of the identified network data flow at feature vector;
Application class model is trained according to described eigenvector.
Further, processor 1001 can call the network flow application type identifying processing journey stored in memory 1003 Sequence also executes following operation:
The dimension of described eigenvector is increased with kernel function;
Described eigenvector after being increased according to dimension trains application class model.
Further, processor 1001 can call the network flow application type identifying processing journey stored in memory 1003 Sequence also executes following operation:
Receive test network data flow;
According to the application type of test network data flow described in the application class Model Identification, and obtain the application point The recognition correct rate of class model;
The parameter of the application class model is adjusted according to the recognition correct rate.
Further, processor 1001 can call the network flow application type identifying processing journey stored in memory 1003 Sequence also executes following operation:
The number of the network packet of real-time reception is obtained, and it is pre- to judge whether the network packet number is more than If number;
When the network packet number is more than preset number, execute according to the feature of the network packet from described Network data flow to be identified is extracted in network packet, and extracts the step of the feature of the network data flow to be identified Suddenly.
With reference to Fig. 2, first embodiment of the invention provides a kind of network flow application type knowledge method for distinguishing, the method packet It includes:
Step S10, real-time reception network packet, according to the network number that the feature extraction of the network packet is to be identified According to stream, and extract the feature of the network data flow to be identified.
When receiving multiple independent network packets, the feature according to network packet is needed to determine different networks These network packets are distinguished and belong to different network sessions by session, each network session here is equal to Each network data flow to be identified.Specifically, five-tuple information is identified from the header information of each network packet, That is source IP address, purpose IP address, source port number, destination slogan and protocol type.Possess the net of same five-tuple information Network data packet belongs to same network session, i.e., network data flow to be identified.
It should be noted that the same network session often possesses the data packet of transmitted in both directions, that is, include transmitting terminal to connecing The bi-directional data packet of receiving end, receiving terminal to transmitting terminal belongs to source IP address and source of the transmitting terminal to the data packet of receiving terminal at this time Port numbers are respectively to belong to receiving terminal to the purpose IP address and destination slogan of the data packet of transmitting terminal, they are thought also to recognize To be the data packet for possessing same five-tuple information, belong to the same network data flow.
Step S20, according to the feature of the network data flow to be identified and preset application class Model Identification The application type of network data flow to be identified, the application class model are trained according to the feature of the network data flow received It obtains.
Network packet is distinguished and is belonged to after different network data flows to be identified, each network data is extracted The feature of stream inputs the feature of each network data flow in preset application class model, and the output result of model running is For the application type of corresponding each network data flow.
The feature of network data flow includes that data packet length feature, packet time feature and data packet service type are special Sign.Specifically, data packet length feature includes the maximum data packet length, minimum data packet length, average of network data flow According to packet length and data packet length variance;When packet time feature includes that the data packet of network data flow reaches largest interval Between, data packet reaches minimum time interval, data packet reaches Mean Time Between Replacement, data packet interarrival time variance and data It flows average duration, data packet Transmission time and data packet and transmits free time;Data packet services type feature includes Data packet services type identification bit number, carry service type identification data packet number and each service type identification data Packet quantity.
Wherein the Transmission time refers to being transmitted from the same transmission direction continuing to exceed preset number data packet, And the time for the data packet for coming from another transmission direction is not received, which is preferably set as 3;Free time is It is more than preset time that refer to does not have data packet transmission and duration in any one transmission direction, which preferably sets It is set to two seconds.
In addition, the feature of network data flow further includes source port number and destination slogan.
The realization method of network flow application type method is illustrated below by way of citing.
Network Recognition equipment can intercept the network packet transmitted in a network in real time, and parse network packet Header information.
Network Recognition equipment a plurality of mutually independent waits knowing firstly the need of extracting from numerous network packets of reception Other network data flow, preferably simultaneously, the identification of a new network data flow is from obtaining the first of a network data flow The data packet of a transmission starts.Network packet due to belonging to same network data flow is sequential delivery, can be from net The timestamp or serial number carried in the header information of network data packet identifies first network number of affiliated network data flow According to packet.
Network Recognition equipment establishes network data flow information list, whenever first transmission of the network data flow from identification It is corresponding in the list to increase a network to be identified newly when getting new five-tuple information in the header information of network packet Traffic flow information records.During the follow-up new data packet for constantly receiving and being transmitted in network, when according to network packet Five-tuple information when judging that the network packet belongs to existing network data flow to be identified in list, extract the network Packet information is simultaneously recorded in the information record of belonging network data flow, and packet information includes transmission direction, transmission Serial number, data packet length, data packet arrival time and data packet service type identification information.
It is above-mentioned according to what is acquired when the packet information of the network data flow to be identified of acquisition meets preset condition Packet information calculates the feature of the network data flow.Such as filtered out from multiple data packet lengths maximum data packet length and Minimum data packet length, and calculate average data packet length and data packet length variance;Such as it is reached according to each data packet Time calculates the arrival time interval of data packet adjacent two-by-two, and maximum time interval and most is filtered out according to the time interval Small time interval, and calculate average time interval and time interval variance;Such as transmission direction and data according to data packet The arrival time of packet judges whether there is Transmission situation or transmission free time, and Transmission time or transmission are calculated if having Free time.
Wherein preset condition could be provided as preset time, and time of network packet to receive first transmission is Starting;Or it is set as preset number network data package informatin;Or it is set as judging that the network data flow terminates.
In the present embodiment, it by the statistics and analysis of the behavioural characteristic to network data flow, realizes without detection network The content of network data packet and identify network flow application type, be particularly suitable for the identification of encrypted network data stream.
Further, with reference to Fig. 3, second embodiment of the invention is based on first embodiment and provides a kind of network flow application type Know method for distinguishing, the present embodiment further includes before step S10:
Step S30 obtains identified network data flow, and extracts the feature of the identified network data flow.
There are many methods for obtaining identified network data flow:One is independent structure networks, and start known applications Transmitting terminal and receiving terminal, obtain transmission in network packet;Or the transmitting terminal of known applications is placed in existing network With receiving terminal, the relevant net of the known applications is identified from the numerous data packets transmitted in network by setting specific mark Network data packet;Or directly acquire network data package informatin disclosed in known applications.
By the Feature Conversion of identified network data flow at feature vector, to train application class mould according to feature vector Type.Specifically, it is assumed for example that each data flow corresponds to a feature set, and feature set includes 12 features, each Characteristic value must be numerical value, with " index value:The format of characteristic value ", and being ranked sequentially from small to large according to index value, it is as follows Shown in the table 1 in face.
Table 1
0:0 1:0 2:0 3:0
4:0 5:181 6:54 7:0
8:0 9:0 10:0 11:0
Step S40 trains application class model according to the feature of the identified network data flow, and training is finished The application class model as presetting application class model.
Network flow identification model is trained using SVM (support vector machine method) in the present embodiment.Training network flow is known During other model, object function is first determined, which is the classification function for including parameter to be estimated;Then it will use It is input in trained identified NetFlow characteristic vector and obtains identifying the network flow application type in the classification function Predicted value;Build the corresponding loss function of classification function again, due to loss function be for classification of assessment function predicted value with The input of the inconsistent degree of actual value, the loss function is preset value and known network stream application type identification value;Finally lead to It crosses and minimizes the loss function to obtain optimal parameter to be estimated, to obtain corresponding classification function.
Since SVM is two-value sorting technique, the NetFlow characteristic vector for belonging to some classification is classified as one successively when training Class, the NetFlow characteristic vectors of remaining other classifications are uniformly classified as another kind of, this two classes NetFlow characteristic vector is input to In classification function to be trained, it is binary result to obtain corresponding output result, you can whether to distinguish network flow to be identified Belong to this classification.
When there is the identified network data flow of preset number, the application class model of corresponding training includes present count Mesh classification function trains corresponding classification function, Mei Gefen one by one that is, to each identified network flow application type Class function distinguishes a class with other classes.By trained application class model network flow application type for identification When, each network data flow feature to be identified is inputted as a category feature, other remaining network datas to be identified Stream feature is inputted collectively as another category feature, is separately input to preset number classification function and is obtained preset number classification Value, the application type that the maximum corresponding classification function of classification value provides is the application type finally identified.
With SVM methods obtain classification function be based on object to be sorted be linear separability it is assumed that be sorted When object is linearly inseparable, in involved network data flow application type identification in the present embodiment, generally require first to use Kernel function increases the dimension of network data flow feature vector, and the network data flow feature vector training after being increased further according to dimension is answered Use disaggregated model.Available kernel function includes linear kernel function, Polynomial kernel function and gaussian kernel function etc..
In the present embodiment, application class model is trained by the feature of identified network data flow, is real network In the identification of network flow application type provide disaggregated model, to reach the recognition effect of efficiently and accurately.
Further, with reference to Fig. 4, third embodiment of the invention is based on second embodiment and provides a kind of network flow application type Know method for distinguishing, the present embodiment further includes after the step s 40:
Step S50 receives test network data flow.
The application type of test network data flow be it is known that but its included data packet sample necessarily different from for instructing Practice the data packet sample that the identified network data flow of network application disaggregated model is included.
Step S60 according to the application type of test network data flow described in the application class Model Identification, and obtains institute State the recognition correct rate of application class model.
Extract the feature of test network data flow, including data packet length feature, packet time feature and data packet clothes These features are input in trained application class model by service type feature, and the network for obtaining the identification of corresponding output is answered Use type.The identification for calculating the application class model according to the network application type of identification and known network application type is correct Rate, i.e., by identifying that correct number and the radiometer of identification total degree calculate recognition correct rate.
Step S70 adjusts the parameter of the application class model according to the recognition correct rate.
Obtained recognition correct rate is compared with default recognition correct rate threshold value, when recognition correct rate is known less than default When other accuracy threshold value, the parameter of application class model is adjusted.Adjustable parameter includes to be estimated in each classification function Parameter, the type and parameter of the parameter in loss function or kernel function.
In the present embodiment, by the test with test data to the classification accuracy of trained application class model, It is obstructed out-of-date to being modified using disaggregated model in the classification accuracy tested out, it ensure that the accurate of application class model Property.
Further, with reference to Fig. 5, fourth embodiment of the invention is based on the first or second or 3rd embodiment provides a kind of net The method of network stream application type identification, the present embodiment further include after the real-time reception network packet step of step S10:
Step S80, obtains the number of the network packet of real-time reception, and judges that the network packet number is It is no to be more than preset number.
Step S90 executes the spy according to the network packet when the network packet number is more than preset number Sign extracts network data flow to be identified from the network packet, and extracts the spy of the network data flow to be identified The step of sign.
Since the recognition methods of the present invention is not necessarily to the content of detection network data packet, but from network packet transport behavior Carry out the extraction of feature, statistics and analysis, and the feature of the network data flow of required extraction after beginning transmission several Embodiment is can be obtained by a data packet, so the range of statistics can be only limitted to network flow and start several data after transmission Packet, can be correspondingly arranged the preset number of a data packet to be identified.If acquired network flow starts the data after transmission Packet sum is less than preset number, then carries out statistics and feature extraction according to true data packet, if data packet sum is more than pre- If number, then extraction feature is begun to when can reach preset number used in the number of the data packet received.The data packet of statistics Transmission direction includes bi-directional data packet of the transmitting terminal to receiving terminal and receiving terminal to transmitting terminal.
The setting of the preset number of data packet to be identified can be with depending on the number selected by training application class model. Can be that different data flows sets different preset data packet crawl numbers, to be extracted when training pattern Each data flow feature accuracy.In the application type of application training Model Identification network data flow, number to be identified Maximum value, average value or the median in preset data packet crawl number are can be used as according to the preset number of packet.
In the present embodiment, whether preset number is more than by the network packet number for judging to receive, when more than default The feature of network packet is extracted when number to carry out network flow application type identification, is improved identification network data flow in real time and is answered With the recognition efficiency of type.
The present invention also provides a kind of network application type identification device, which includes:It memory, processor and is stored in On the memory and the network application type identification processing routine that can run on the processor, the network application type The step of network application kind identification method is realized when identifying processing program is executed by the processor.
In addition, the embodiment of the present invention also proposes a kind of computer readable storage medium, the computer readable storage medium On be stored with network application type identification processing routine, it is real when the network application type identification processing routine is executed by processor Now the step of network application kind identification method.
It should be noted that herein, the terms "include", "comprise" or its any other variant are intended to non-row His property includes, so that process, method, article or system including a series of elements include not only those elements, and And further include other elements that are not explicitly listed, or further include for this process, method, article or system institute it is intrinsic Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including this There is also other identical elements in the process of element, method, article or system.
The embodiments of the present invention are for illustration only, can not represent the quality of embodiment.
Through the above description of the embodiments, those skilled in the art can be understood that above-described embodiment side Method can add the mode of required general hardware platform to realize by software, naturally it is also possible to by hardware, but in many cases The former is more preferably embodiment.Based on this understanding, technical scheme of the present invention substantially in other words does the prior art Going out the part of contribution can be expressed in the form of software products, which is stored in one as described above In storage medium (such as ROM/RAM, magnetic disc, CD), including some instructions use so that a station terminal equipment (can be mobile phone, Computer, server, air conditioner or network equipment etc.) execute method described in each embodiment of the present invention.
It these are only the preferred embodiment of the present invention, be not intended to limit the scope of the invention, it is every to utilize this hair Equivalent structure or equivalent flow shift made by bright specification and accompanying drawing content is applied directly or indirectly in other relevant skills Art field, is included within the scope of the present invention.

Claims (10)

1. a kind of network flow application type knows method for distinguishing, which is characterized in that the network flow application type knows method for distinguishing packet Include following steps:
Real-time reception network packet according to the network data flow that the feature extraction of the network packet is to be identified, and is extracted The feature of the network data flow to be identified;
According to network to be identified described in the feature of the network data flow to be identified and preset application class Model Identification The application type of data flow, the application class model train to obtain according to the feature of the network data flow received;
Wherein, the feature of the network data flow includes data packet length feature, packet time feature and data packet services class Type feature.
2. network flow application type as described in claim 1 knows method for distinguishing, which is characterized in that the spy of the network data flow Sign includes:
The data packet length feature includes the maximum data packet length of the network data flow, minimum data packet length, is averaged Data packet length and data packet length variance;
The packet time feature includes that the data packet of the network data flow reaches the largest interval time, data packet reaches most Closely-spaced time, data packet arrival Mean Time Between Replacement, data packet interarrival time variance and data levelling equal duration, Data packet Transmission time and data packet transmit free time;
The data packet services type feature includes data packet services type identification bit number, carries the data of service type identification The data packet number of packet quantity and each service type identification.
3. network flow application type as described in claim 1 knows method for distinguishing, which is characterized in that the real-time reception network number According to packet, network data flow to be identified is extracted from the network packet according to the feature of the network packet, and carry Further include before the step of taking the feature of the network data flow to be identified:
Identified network data flow is obtained, and extracts the feature of the identified network data flow;
The application point trained application class model according to the feature of the identified network data flow, and training is finished Class model is as default application class model.
4. network flow application type as claimed in claim 3 knows method for distinguishing, which is characterized in that identified described in the basis Network data flow feature training application class model the step of include:
When there is the identified network data flow of preset number, the application class model of corresponding training includes described pre- If number classification function.
5. network flow application type as claimed in claim 3 knows method for distinguishing, which is characterized in that identified described in the basis Network data flow feature training application class model the step of include:
By the Feature Conversion of the identified network data flow at feature vector;
Application class model is trained according to described eigenvector.
6. network flow application type as claimed in claim 5 knows method for distinguishing, which is characterized in that it is described according to the feature to Measuring the step of training application class model includes:
The dimension of described eigenvector is increased with kernel function;
Described eigenvector after being increased according to dimension trains application class model.
7. as claim 3 to 6 any one of them network flow application type knows method for distinguishing, which is characterized in that the basis Further include after the step of feature training application class model of the identified network data flow:
Receive test network data flow;
According to the application type of test network data flow described in the application class Model Identification, and obtain the application class mould The recognition correct rate of type;
The parameter of the application class model is adjusted according to the recognition correct rate.
8. as claim 1 to 6 any one of them network flow application type knows method for distinguishing, which is characterized in that described real-time Include after receiving network data packet step:
The number of the network packet of real-time reception is obtained, and judges whether the network packet number is more than present count Mesh;
When the network packet number is more than preset number, execute according to the feature of the network packet from the network Network data flow to be identified is extracted in data packet, and the step of extracting the feature of the network data flow to be identified.
9. a kind of device of network flow application type identification, which is characterized in that described device includes:It memory, processor and deposits Store up the processing routine for the network flow application type identification that can be run on the memory and on the processor, the network Such as net described in any item of the claim 1 to 8 is realized when the processing routine of stream application type identification is executed by the processor The step of network stream application kind identification method.
10. a kind of computer readable storage medium, which is characterized in that be stored with network flow on the computer readable storage medium The processing routine of the processing routine of application type identification, the network flow application type identification is realized when being executed by processor as weighed Profit requires the step of network flow application type recognition methods described in any one of 1 to 8.
CN201810407503.9A 2018-04-28 2018-04-28 The method, apparatus and computer readable storage medium of network flow application type identification Pending CN108667747A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810407503.9A CN108667747A (en) 2018-04-28 2018-04-28 The method, apparatus and computer readable storage medium of network flow application type identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810407503.9A CN108667747A (en) 2018-04-28 2018-04-28 The method, apparatus and computer readable storage medium of network flow application type identification

Publications (1)

Publication Number Publication Date
CN108667747A true CN108667747A (en) 2018-10-16

Family

ID=63781506

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810407503.9A Pending CN108667747A (en) 2018-04-28 2018-04-28 The method, apparatus and computer readable storage medium of network flow application type identification

Country Status (1)

Country Link
CN (1) CN108667747A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109299742A (en) * 2018-10-17 2019-02-01 深圳信息职业技术学院 Method, apparatus, equipment and the storage medium of automatic discovery unknown network stream
CN109327479A (en) * 2018-12-14 2019-02-12 锐捷网络股份有限公司 Encrypt recognition methods and the device of stream
CN109474598A (en) * 2018-11-19 2019-03-15 西安交通大学 A kind of malice encryption flow analysis feature extracting method based on package time sequence
CN109698798A (en) * 2018-12-14 2019-04-30 北京锐安科技有限公司 A kind of recognition methods of application, device, server and storage medium
CN110048962A (en) * 2019-04-24 2019-07-23 广东工业大学 A kind of method of net flow assorted, system and equipment
CN110460488A (en) * 2019-07-01 2019-11-15 华为技术有限公司 Business stream recognition method and device, model generating method and device
CN110781950A (en) * 2019-10-23 2020-02-11 新华三信息安全技术有限公司 Message processing method and device
CN110995769A (en) * 2020-02-27 2020-04-10 上海飞旗网络技术股份有限公司 Deep data packet detection method and device and readable storage medium
CN111355670A (en) * 2018-12-24 2020-06-30 中移(杭州)信息技术有限公司 Traffic identification method and device, electronic equipment and storage medium
CN111385342A (en) * 2018-12-29 2020-07-07 中国移动通信集团北京有限公司 Internet of things industry identification method and device, electronic equipment and storage medium
CN112511457A (en) * 2019-09-16 2021-03-16 华为技术有限公司 Data stream type identification method and related equipment
CN112532466A (en) * 2019-09-17 2021-03-19 华为技术有限公司 Flow identification method and device and storage medium
CN113037749A (en) * 2021-03-08 2021-06-25 中国科学院信息工程研究所 C & C channel discrimination method and system
WO2021169308A1 (en) * 2020-02-28 2021-09-02 华为技术有限公司 Data stream type identification model updating method and related device
CN114666398A (en) * 2020-12-07 2022-06-24 深信服科技股份有限公司 Application classification method, device, equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695035A (en) * 2009-10-21 2010-04-14 成都市华为赛门铁克科技有限公司 Flow rate identification method and device thereof
CN102271090A (en) * 2011-09-06 2011-12-07 电子科技大学 Transport-layer-characteristic-based traffic classification method and device
CN102724317A (en) * 2012-06-21 2012-10-10 华为技术有限公司 Network data flow classification method and device
CN102984131A (en) * 2012-11-09 2013-03-20 华为技术有限公司 Information recognition method and device
CN105046270A (en) * 2015-06-19 2015-11-11 上海卓悠网络科技有限公司 Application classification model constructing method and system and application classification method and system
CN105160402A (en) * 2015-05-27 2015-12-16 刘利强 SF6 electrical device fault diagnosis method
CN106709511A (en) * 2016-12-08 2017-05-24 华中师范大学 Urban rail transit panoramic monitoring video fault detection method based on depth learning

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695035A (en) * 2009-10-21 2010-04-14 成都市华为赛门铁克科技有限公司 Flow rate identification method and device thereof
CN102271090A (en) * 2011-09-06 2011-12-07 电子科技大学 Transport-layer-characteristic-based traffic classification method and device
CN102724317A (en) * 2012-06-21 2012-10-10 华为技术有限公司 Network data flow classification method and device
CN102984131A (en) * 2012-11-09 2013-03-20 华为技术有限公司 Information recognition method and device
CN105160402A (en) * 2015-05-27 2015-12-16 刘利强 SF6 electrical device fault diagnosis method
CN105046270A (en) * 2015-06-19 2015-11-11 上海卓悠网络科技有限公司 Application classification model constructing method and system and application classification method and system
CN106709511A (en) * 2016-12-08 2017-05-24 华中师范大学 Urban rail transit panoramic monitoring video fault detection method based on depth learning

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
丁里: "《中国优秀硕士学位论文全文数据库信息科技辑》", 15 March 2015 *
李尧 等: "加密网络流量类型识别研究", 《计算机应用》 *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109299742A (en) * 2018-10-17 2019-02-01 深圳信息职业技术学院 Method, apparatus, equipment and the storage medium of automatic discovery unknown network stream
CN109474598A (en) * 2018-11-19 2019-03-15 西安交通大学 A kind of malice encryption flow analysis feature extracting method based on package time sequence
CN109327479A (en) * 2018-12-14 2019-02-12 锐捷网络股份有限公司 Encrypt recognition methods and the device of stream
CN109698798A (en) * 2018-12-14 2019-04-30 北京锐安科技有限公司 A kind of recognition methods of application, device, server and storage medium
CN111355670A (en) * 2018-12-24 2020-06-30 中移(杭州)信息技术有限公司 Traffic identification method and device, electronic equipment and storage medium
CN111385342A (en) * 2018-12-29 2020-07-07 中国移动通信集团北京有限公司 Internet of things industry identification method and device, electronic equipment and storage medium
CN111385342B (en) * 2018-12-29 2023-04-07 中国移动通信集团北京有限公司 Internet of things industry identification method and device, electronic equipment and storage medium
CN110048962A (en) * 2019-04-24 2019-07-23 广东工业大学 A kind of method of net flow assorted, system and equipment
CN110460488A (en) * 2019-07-01 2019-11-15 华为技术有限公司 Business stream recognition method and device, model generating method and device
WO2021000874A1 (en) * 2019-07-01 2021-01-07 华为技术有限公司 Service flow identification method and apparatus, and model generation method and apparatus
CN114465962A (en) * 2019-09-16 2022-05-10 华为技术有限公司 Data stream type identification method and related equipment
CN112511457B (en) * 2019-09-16 2021-12-28 华为技术有限公司 Data stream type identification method and related equipment
CN112511457A (en) * 2019-09-16 2021-03-16 华为技术有限公司 Data stream type identification method and related equipment
CN114465962B (en) * 2019-09-16 2024-01-05 华为技术有限公司 Data stream type identification method and related equipment
WO2021052379A1 (en) * 2019-09-16 2021-03-25 华为技术有限公司 Data stream type identification method and related devices
US11838215B2 (en) 2019-09-16 2023-12-05 Huawei Technologies Co., Ltd. Data stream classification method and related device
CN112532466A (en) * 2019-09-17 2021-03-19 华为技术有限公司 Flow identification method and device and storage medium
CN110781950A (en) * 2019-10-23 2020-02-11 新华三信息安全技术有限公司 Message processing method and device
CN110781950B (en) * 2019-10-23 2023-06-30 新华三信息安全技术有限公司 Message processing method and device
CN110995769B (en) * 2020-02-27 2020-06-05 上海飞旗网络技术股份有限公司 Deep data packet detection method and device
CN110995769A (en) * 2020-02-27 2020-04-10 上海飞旗网络技术股份有限公司 Deep data packet detection method and device and readable storage medium
WO2021169308A1 (en) * 2020-02-28 2021-09-02 华为技术有限公司 Data stream type identification model updating method and related device
EP4087202A4 (en) * 2020-02-28 2023-07-05 Huawei Technologies Co., Ltd. Data stream type identification model updating method and related device
CN114666398A (en) * 2020-12-07 2022-06-24 深信服科技股份有限公司 Application classification method, device, equipment and storage medium
CN114666398B (en) * 2020-12-07 2024-02-23 深信服科技股份有限公司 Application classification method, device, equipment and storage medium
CN113037749A (en) * 2021-03-08 2021-06-25 中国科学院信息工程研究所 C & C channel discrimination method and system

Similar Documents

Publication Publication Date Title
CN108667747A (en) The method, apparatus and computer readable storage medium of network flow application type identification
EP1764951B1 (en) Statistical trace-based method, apparatus, node and system for real-time traffic classification
US8797901B2 (en) Method and its devices of network TCP traffic online identification using features in the head of the data flow
CN1652519B (en) Communication measuring system and its communication analyzing method
CN100563168C (en) application traffic statistical method and device
CN110233769A (en) A kind of flow rate testing methods and flow detection device
CN103905261B (en) Protocol characteristic storehouse online updating method and system
US11558769B2 (en) Estimating apparatus, system, method, and computer-readable medium, and learning apparatus, method, and computer-readable medium
CN101505237B (en) Network quality determination method, apparatus and communication system
CN106549878A (en) A kind of service shunting method and device
CN110324210A (en) The detection method and device of private communication channel communication are carried out based on ICMP agreement
CN102984269B (en) A kind of point-to-point method for recognizing flux and device
CN104283699A (en) Method and device for determining service types
CN109299742A (en) Method, apparatus, equipment and the storage medium of automatic discovery unknown network stream
CN103475537A (en) Method and device for message feature extraction
CN108028807A (en) Method and system for on-line automatic identification Model of network traffic
Charisma et al. Analysis Quality of Service (QoS) on 4G Telkomsel Networks In Soreang
CN108234345A (en) A kind of traffic characteristic recognition methods of terminal network application, device and system
CN106535240A (en) Mobile APP centralized performance analysis method based on cloud platform
CN108401263A (en) A kind of appraisal procedure and device of voice quality
CN101447934B (en) Business flow-recognizing method and system thereof and business flow charging method and system thereof
CN104883705B (en) A kind of the problem of data service is complained localization method and device
CN104734905A (en) Data flow detection method and device
CN108537043A (en) The risk control method and system of mobile terminal
CN106257867A (en) A kind of business recognition method encrypting flow and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181016

RJ01 Rejection of invention patent application after publication