CN108737291A - A method and device for representing network flows - Google Patents

A method and device for representing network flows

Info

Publication number: CN108737291A
Authority: CN (China)
Prior art keywords: network flow, network, predicate, flow, argument
Legal status: Granted
Application number: CN201810438595.7A
Other languages: Chinese (zh)
Other versions: CN108737291B
Inventors: 钱丽萍, 王大伟, 汪立东, 王子厚, 袁辰, 张慧
Current assignee: Beijing University of Civil Engineering and Architecture; National Computer Network and Information Security Management Center
Original assignee: Beijing University of Civil Engineering and Architecture; National Computer Network and Information Security Management Center

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS > H04L 47/2475 Traffic characterised by specific attributes, e.g. priority or QoS, for supporting traffic characterised by the type of applications
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 40/00 Handling natural language data > G06F 40/20 Natural language analysis > G06F 40/279 Recognition of textual entities > G06F 40/284 Lexical analysis, e.g. tokenisation or collocates
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 40/00 Handling natural language data > G06F 40/30 Semantic analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS > H04L 47/2408 Traffic characterised by specific attributes, e.g. priority or QoS, for supporting different services, e.g. a differentiated services [DiffServ] type of service

Abstract

The present invention provides a method and device for representing network flows. The method includes: using predefined predicates and their arguments, representing the semantics of a network flow by a predetermined event-semantics method; according to the semantics of the network flow, defining the relations between the network flow and other network flows; according to those relations, generating sets of network flows by a predetermined feature; and finally, according to the sets of network flows, determining the operating condition of the communication agent corresponding to the network flows. By defining the predicates and arguments related to a network flow, representing the network flow semantically with a predetermined semantics method, and forming sets of network flows from their semantics and semantic relations to represent the operating condition of a communication agent, the method represents network flows accurately with a relatively simple representation and solves the problem of the prior art.

Description

A method and device for representing network flows
Technical field
The present invention relates to the field of computer technology, and more particularly to a method and device for representing network flows.
Background art
Network flow detection means detecting, within the mixed traffic generated by many network applications on the Internet, the traffic produced by a specific network application, network service or network protocol. It is the basis for work such as network attack and malicious code detection, network traffic engineering and routing management. The basic unit of network flow detection is the packet or the flow, where a flow is the sequence of packets in the network that share the same five-tuple (source address, destination address, source port number, destination port number, protocol).
Before network flow detection can be carried out, the network flows must be represented. Two representation formats are in common use: the raw packet format and the NetFlow flow format. The former is a packet-level (data-frame-level) record taken directly from the network; the latter is a flow-level record. Both have drawbacks. The granularity of the raw packet format is too fine: the flow detection system must reassemble the whole "data frame layer - network layer - transport layer - application layer" stack, which consumes a great deal of processing capacity. If packet contents are not recorded, only limited information can be obtained from the packet headers; if they are recorded, flow detection not only needs a large amount of storage but may also be affected by legal restrictions and users' data-privacy requirements. The NetFlow format mainly records flow-level information; compared with flow detection based on deep packet inspection its granularity is relatively coarse, and it does not support application-layer analysis.
Both of the above ways of representing network flows use a structured numeric representation. For a large-scale network system the scale of flow detection is large, and to detect the traffic generated by a specific network application, network service or network protocol, detection rules have to be configured in advance (for example, building an index on specific fields, joining specific fields, or computing streaming statistics over specific fields). Whenever the monitoring, query, analysis or statistical requirements change, the processing rules must be reconfigured, and the flow detection system as a whole may even have to be upgraded. This lacks generality, is inefficient, and has a high operating cost.
Summary of the invention
The present invention provides a method and device for representing network flows, in order to solve the following problem of the prior art: the granularity of existing methods for representing network flows is inappropriate.
To solve the above technical problem, the present invention provides a method and device for representing network flows, including: using predefined basic predicates, the arguments of the basic predicates, predefined extension predicates and the arguments of the extension predicates, representing the semantics of a network flow by a predetermined event-semantics method; according to the semantics of the network flow, defining the semantic relations between the network flow and other network flows; according to the semantics of the network flow and the semantic relations between it and other network flows, generating sets of network flows by a predetermined feature; and according to the sets of network flows, determining the operating condition of the communication agent corresponding to the network flows.
Optionally, the basic predicates include: the five-tuple of the network flow, the client host address, the server host address, the number of bytes the network flow contains, the number of packets the network flow contains, the time of occurrence of the network flow, the establishment of a connection by the five-tuple of the network flow, and the start time and end time of the network flow; the five-tuple of the network flow consists of its source address, destination address, source port, destination port and transport-layer protocol. The arguments of the basic predicates denote the communication parameters in the network flow represented by the basic predicates.
Optionally, the extension predicates include: the inter-arrival time sequence of the packets the network flow contains, the length sequence of those packets, the feature string of the network flow, the geographical location of an address in the network flow, the entropy of the network flow in a predetermined direction, and the reset time of the network flow. The arguments of the extension predicates denote the communication parameters in the network flow represented by the extension predicates.
Optionally, the predetermined event-semantics method is the Neo-Davidsonian event-semantics method.
Optionally, the semantic relations between network flows include: the sequential relation, the concurrency relation, the causal relation and the conditional relation.
In addition, to achieve the above object, the present invention also provides a device for representing network flows, including: a representation module, for representing the semantics of a network flow by a predetermined event-semantics method using predefined basic predicates, the arguments of the basic predicates, predefined extension predicates and the arguments of the extension predicates; a definition module, for defining the semantic relations between the network flow and other network flows according to the semantics of the network flow; a set generation module, for generating sets of network flows by a predetermined feature according to the semantics of the network flow and the semantic relations between it and other network flows; and a determining module, for determining the operating condition of the communication agent corresponding to the network flows according to the sets of network flows.
Optionally, the basic predicates include: the five-tuple of the network flow, the client host address, the server host address, the number of bytes the network flow contains, the number of packets the network flow contains, the time of occurrence of the network flow, the establishment of a connection by the five-tuple of the network flow, and the start time and end time of the network flow; the five-tuple of the network flow consists of its source address, destination address, source port, destination port and transport-layer protocol. The arguments of the basic predicates denote the communication parameters in the network flow represented by the basic predicates.
Optionally, the extension predicates include: the inter-arrival time sequence of the packets the network flow contains, the length sequence of those packets, the feature string of the network flow, the geographical location of an address in the network flow, the entropy of the network flow in a predetermined direction, and the reset time of the network flow. The arguments of the extension predicates denote the communication parameters in the network flow represented by the extension predicates.
Optionally, the predetermined event-semantics method is the Neo-Davidsonian event-semantics method.
Optionally, the semantic relations between network flows include: the sequential relation, the concurrency relation, the causal relation and the conditional relation.
The method and device for representing network flows provided by the invention work as follows. The method uses predefined predicates and their arguments to represent the semantics of a network flow by a predetermined event-semantics method; according to the semantics of the network flow it defines the relations between the network flow and other network flows; according to those relations it generates sets of network flows by a predetermined feature; and finally, according to the sets of network flows, it determines the operating condition of the communication agent corresponding to the network flows. By defining the predicates and arguments related to a network flow, representing the network flow semantically with a predetermined semantics method, and forming sets of network flows from their semantics and semantic relations to represent the operating condition of a communication agent, the method represents network flows accurately at a suitable granularity with a relatively simple representation, solving the following problem of the prior art: the granularity of existing methods for representing network flows is inappropriate.
Description of the drawings
Fig. 1 is the flow chart of the method for representing network flows in the first embodiment of the invention;
Fig. 2 is the structural schematic diagram of the device for representing network flows in the second embodiment of the invention;
Fig. 3 is the flow chart of the method for representing network flows in the third embodiment of the invention.
Detailed description of embodiments
To solve the following problem of the prior art, namely that the granularity of existing methods for representing network flows is inappropriate, the first embodiment of the invention provides a method for representing network flows. The flow chart of the method is shown in Fig. 1 and includes steps S102 to S108:
S102: using predefined basic predicates, the arguments of the basic predicates, predefined extension predicates and the arguments of the extension predicates, represent the semantics of the network flow by a predetermined event-semantics method.
A predicate is a lexical item that describes or judges a property of an object, a feature, or a relation between objects; the nouns collocated with a predicate are called its arguments. In this embodiment a network flow is regarded as an event, so a group of predicates can be defined to describe the communication operation that produced the network flow, and the arguments describe the corresponding communication parameters in the network flow.
S104: according to the semantics of the network flow, define the semantic relations between the network flow and other network flows.
After the semantics of a series of network flows have been represented, the relations between each network flow and the other network flows can be defined from the represented semantics of each flow.
S106: according to the semantics of the network flow and the semantic relations between the network flow and other network flows, generate sets of network flows by a predetermined feature.
A set of network flows contains a series of network flows that are semantically related to each other. In this embodiment the predetermined feature may be time or space: a set may be formed from the network flows within a certain time range, or from the network flows whose IP addresses fall within a given geographical region.
S108: according to the sets of network flows, determine the operating condition of the communication agent corresponding to the network flows.
The sets of network flows produced by the above steps may be sets of the different network flows that one communication agent generates under different circumstances, so the operating condition of the communication agent corresponding to the network flows can be determined from the generated sets.
In addition, the predicates and arguments of a network flow are defined in this embodiment as follows:
The basic predicates may at least include: the five-tuple corresponding to the network flow, the client host address, the server host address, the number of bytes the network flow contains, the number of packets the network flow contains, the time of occurrence of the network flow, the establishment of a connection by the five-tuple of the network flow, and the start time and end time of the network flow. In this embodiment the five-tuple of the network flow consists of its source address, destination address, source port, destination port and transport-layer protocol. The arguments of the basic predicates denote the communication parameters in the network flow represented by the basic predicates; for example, the argument of the client host address predicate is the specific network address of the client host in the network flow generated by a specific user host.
Besides the basic predicates, the extension predicates in this embodiment at least include: the inter-arrival time sequence of the packets the network flow contains, the length sequence of those packets, the feature string of the network flow, the geographical location of an address in the network flow, the entropy of the network flow in a predetermined direction, and the reset time of the network flow. A network flow is formed by the sequence of packets sharing the same five-tuple, and the extension predicates are defined over the basic components of the network flow. In this embodiment the predetermined direction of a network flow means either client to server or server to client, and the reset time of a network flow is the moment at which the network flow is reset. The arguments of the extension predicates denote the communication parameters in the network flow represented by the extension predicates.
To keep the semantic representation of network flows structurally clear, the event-semantics method adopted in this embodiment is the Neo-Davidsonian event-semantics method, which corresponds to a predicate-argument structure and can represent the semantics of a network flow clearly.
In addition, in this embodiment the semantic relations between network flows at least include: the sequential relation, the concurrency relation, the causal relation and the conditional relation.
The method for representing network flows provided by this embodiment uses predefined predicates and their arguments to represent the semantics of a network flow by a predetermined event-semantics method; according to the semantics of the network flow it defines the relations between the network flow and other network flows; according to those relations it generates sets of network flows by a predetermined feature; and finally, according to the sets of network flows, it determines the operating condition of the communication agent corresponding to the network flows. By defining the predicates and arguments related to a network flow, representing the network flow semantically with a predetermined semantics method, and forming sets of network flows from their semantics and semantic relations to represent the operating condition of a communication agent, the method represents network flows accurately with a relatively simple representation, solving the following problem of the prior art: the granularity of existing methods for representing network flows is inappropriate.
The second embodiment of the invention provides a device for representing network flows. The structural schematic diagram of the device is shown in Fig. 2, and the device includes: a representation module 10, for representing the semantics of a network flow by a predetermined event-semantics method using predefined basic predicates, the arguments of the basic predicates, predefined extension predicates and the arguments of the extension predicates; a definition module 20, coupled to the representation module 10, for defining the semantic relations between the network flow and other network flows according to the semantics of the network flow; a set generation module 30, coupled to the definition module 20, for generating sets of network flows by a predetermined feature according to the semantics of the network flow and the semantic relations between it and other network flows; and a determining module 40, coupled to the set generation module, for determining the operating condition of the communication agent corresponding to the network flows according to the sets of network flows.
In the representation module, a predicate is a lexical item that describes or judges a property of an object, a feature, or a relation between objects; the nouns collocated with a predicate are called its arguments. In this embodiment a network flow is regarded as an event, so a group of predicates can be defined to describe the communication operation that produced the network flow, and the arguments describe the corresponding communication parameters in the network flow.
Further, after the semantics of a series of network flows have been represented, the definition module is used to define the relations between each network flow and the other network flows from the represented semantics of each flow.
Further, the set generation module can generate sets of network flows by a predetermined feature according to the semantics of the network flows and the semantic relations between them. A set of network flows contains a series of semantically related network flows. In this embodiment the predetermined feature may be time or space: a set may be formed from the network flows within a certain time range, or from the network flows whose IP addresses fall within a given geographical region.
Finally, the determining module can determine the operating condition of the communication agent corresponding to the network flows according to the sets of network flows. The sets produced by the set generation module may be sets of the different network flows that one communication agent generates under different circumstances, so the operating condition of the corresponding communication agent can be determined from the generated sets.
In addition, the predicates and arguments of a network flow are defined in this embodiment as follows:
The basic predicates may at least include: the five-tuple corresponding to the network flow, the client host address, the server host address, the number of bytes the network flow contains, the number of packets the network flow contains, the time of occurrence of the network flow, the establishment of a connection by the five-tuple of the network flow, and the start time and end time of the network flow. In this embodiment the five-tuple of the network flow consists of its source address, destination address, source port, destination port and transport-layer protocol. The arguments of the basic predicates denote the communication parameters in the network flow represented by the basic predicates; for example, the argument of the client host address predicate is the specific network address of the client host in the network flow generated by a specific user host.
Besides the basic predicates, the extension predicates in this embodiment at least include: the inter-arrival time sequence of the packets the network flow contains, the length sequence of those packets, the feature string of the network flow, the geographical location of an address in the network flow, the entropy of the network flow in a predetermined direction, and the reset time of the network flow. A network flow is formed by the sequence of packets sharing the same five-tuple, and the extension predicates are defined over the basic components of the network flow. In this embodiment the predetermined direction of a network flow means either client to server or server to client, and the reset time of a network flow is the moment at which the network flow is reset. The arguments of the extension predicates denote the communication parameters in the network flow represented by the extension predicates.
To keep the semantic representation of network flows structurally clear, the event-semantics method adopted in this embodiment is the Neo-Davidsonian event-semantics method, which corresponds to a predicate-argument structure and can represent the semantics of a network flow clearly.
In addition, in this embodiment the semantic relations between network flows at least include: the sequential relation, the concurrency relation, the causal relation and the conditional relation.
In the device for representing network flows provided by the second embodiment, the representation module uses predefined predicates and their arguments to represent the semantics of network flows by a predetermined event-semantics method; the definition module defines the relations between a network flow and other network flows according to the semantics of the network flow; the set generation module generates sets of network flows by a predetermined feature according to those relations; and the determining module finally determines the operating condition of the communication agent corresponding to the network flows according to the sets of network flows. By defining the predicates and arguments related to a network flow, representing the network flow semantically with a predetermined semantics method, and forming sets of network flows from their semantics and semantic relations to represent the operating condition of a communication agent, the device represents network flows accurately with a relatively simple representation, solving the following problem of the prior art: the granularity at which existing devices represent network flows is inappropriate.
The third embodiment of the invention provides a method for representing network flows. The flow chart of the method is shown in Fig. 3 and includes steps S302 to S308:
S302: represent the semantics of the network flow.
In this embodiment, the semantics of the network flow are represented by a predetermined event-semantics method using predefined basic predicates, the arguments of the basic predicates, predefined extension predicates and the arguments of the extension predicates.
Here a predicate is a lexical item that describes or judges a property of an object, a feature, or a relation between objects; the nouns collocated with a predicate are called its arguments. In this embodiment a network flow is regarded as an event, so a group of predicates can be defined to describe the communication operation that produced the network flow, and the arguments describe the corresponding communication parameters in the network flow.
The predicates and arguments of a network flow are defined in this embodiment as shown in Table 1. The argument of a basic predicate is the part inside the parentheses of the predicate; its specific content depends on the specific network flow.
Table 1
Predicate (argument)        Explanation
IP_ADDR_source(ip1)         Source address ip1
IP_ADDR_dest(ip1)           Destination address ip1
PORT_source(pt1)            Source port pt1
PORT_dest(pt1)              Destination port pt1
PROTO(pr1)                  Protocol pr1
HOST_client(ip)             Client host ip
HOST_server(ip)             Server host ip
COUNT_bytes(cb1)            Byte count cb1
COUNT_pkts(cp1)             Packet count cp1
TIME(t1)                    The time of occurrence of the flow is t1
CONNECT(f1)                 Flow f1 established a connection with its corresponding five-tuple
TIME(f1, st1, et1)          The start and end times of flow f1 are st1 and et1 respectively
The basic predicates may at least include: the five-tuple corresponding to the network flow, the client host address, the server host address, the number of bytes the network flow contains, the number of packets the network flow contains, the time of occurrence of the network flow, the establishment of a connection by the five-tuple of the network flow, and the start time and end time of the network flow. In this embodiment the five-tuple of the network flow consists of its source address, destination address, source port, destination port and transport-layer protocol. The arguments of the basic predicates denote the communication parameters in the network flow represented by the basic predicates; for example, the argument of the client host address predicate is the specific network address of the client host in the network flow generated by a specific user host.
Besides the basic predicates, the extension predicates in this embodiment are shown in Table 2. The argument of an extension predicate is the part inside the parentheses of the predicate, and its specific content depends on the specific network flow. The extension predicates at least include: the inter-arrival time sequence of the packets the network flow contains, the length sequence of those packets, the feature string of the network flow, the geographical location of an address in the network flow, the entropy of the network flow in a predetermined direction, and the reset time of the network flow. A network flow is formed by the sequence of packets sharing the same five-tuple, and the extension predicates are defined over the basic components of the network flow. In this embodiment the predetermined direction of a network flow means either client to server or server to client, and the reset time of a network flow is the moment at which the network flow is reset. The arguments of the extension predicates denote the communication parameters in the network flow represented by the extension predicates.
Table 2
Further, to keep the semantic representation of network flows structurally clear, the event-semantics method adopted in this embodiment is the Neo-Davidsonian event-semantics method, which corresponds to a predicate-argument structure and can represent the semantics of a network flow clearly.
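As an added illustration of the predicate-argument structure described above (example code written for this page, not code from the patent or its inventors): the Python sketch below turns one constructed flow into a conjunction of Neo-Davidsonian facts, each predicated of the same event variable. The basic predicate names follow Table 1 with subscripts written as suffixes. The extension-predicate names IAT, LENS, ENTROPY_c2s and RESET, the name TIME_span for the three-argument TIME row, the rule that the sender of the first packet is the client, and the sample packets are all assumptions of the example, since Table 2 is not present on the page.

```python
# Added example: Neo-Davidsonian predicate-argument representation of a flow.
# Not the patent's code. Basic predicate names follow Table 1; the extension
# predicate names (IAT, LENS, ENTROPY_c2s, RESET) and TIME_span are assumed.
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float            # capture timestamp in seconds
    src: str
    dst: str
    length: int          # frame length in bytes
    payload: bytes = b""
    rst: bool = False    # TCP RST seen on this packet


@dataclass
class Flow:
    """All packets sharing one five-tuple (both directions)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: List[Packet] = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flow_to_predicates(f: Flow) -> Dict[str, Tuple]:
    """Map a flow (the event) to {predicate: argument tuple}.

    Each entry is one conjunct; render() prepends the event variable, which
    is what makes the structure Neo-Davidsonian: every predicate is stated
    of the same event instead of being nested inside one verb.
    """
    pk = sorted(f.packets, key=lambda p: p.ts)
    # Assumption: the side that sent the first packet is the client.
    client, server = pk[0].src, pk[0].dst
    facts: Dict[str, Tuple] = {
        # ---- basic predicates (Table 1) ----
        "IP_ADDR_source": (f.src,),
        "IP_ADDR_dest": (f.dst,),
        "PORT_source": (f.sport,),
        "PORT_dest": (f.dport,),
        "PROTO": (f.proto,),
        "HOST_client": (client,),
        "HOST_server": (server,),
        "COUNT_bytes": (sum(p.length for p in pk),),
        "COUNT_pkts": (len(pk),),
        "TIME": (pk[0].ts,),                  # time of occurrence
        "CONNECT": (),                        # five-tuple established a connection
        "TIME_span": (pk[0].ts, pk[-1].ts),   # start and end time
        # ---- extension predicates (names assumed) ----
        "IAT": tuple(round(b.ts - a.ts, 3) for a, b in zip(pk, pk[1:])),
        "LENS": tuple(p.length for p in pk),
    }
    c2s = b"".join(p.payload for p in pk if p.src == client)
    facts["ENTROPY_c2s"] = (round(shannon_entropy(c2s), 3),)
    resets = [p.ts for p in pk if p.rst]
    if resets:
        facts["RESET"] = (resets[0],)          # moment the flow was reset
    return facts


def render(facts: Dict[str, Tuple], event: str = "e") -> str:
    """Write the facts as a conjunction P1(e, ...) ∧ P2(e, ...) ∧ ..."""
    terms = []
    for name, args in facts.items():
        all_args = ", ".join(str(a) for a in (event,) + tuple(args))
        terms.append(f"{name}({all_args})")
    return " ∧ ".join(terms)


# Constructed sample flow (RFC 5737 documentation addresses), not real data.
SAMPLE_FLOW = Flow(
    "192.0.2.5", "203.0.113.10", 51234, 443, "tcp",
    [
        Packet(0.000, "192.0.2.5", "203.0.113.10", 74),
        Packet(0.050, "203.0.113.10", "192.0.2.5", 74),
        Packet(0.120, "192.0.2.5", "203.0.113.10", 517, payload=b"aabb"),
        Packet(0.300, "203.0.113.10", "192.0.2.5", 1400),
        Packet(0.450, "192.0.2.5", "203.0.113.10", 54, rst=True),
    ],
)

if __name__ == "__main__":
    print(render(flow_to_predicates(SAMPLE_FLOW)))
```

Because every fact is a separate conjunct over the same event, a detector can match on any subset of predicates (for instance PROTO and ENTROPY_c2s alone) without re-parsing the packet record, which is the granularity advantage the description claims over raw packet and NetFlow formats.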
For example, for a network flow in which the client sip establishes a connection using the TCP protocol, the semantic representation method of this embodiment expresses it as:
S304 defines the semantic relation between network flow according to the semanteme of network flow.
It, can be according to the language of each network flow represented after a series of semanteme for indicating network flows Justice defines the relationship between network flow and other network flows.
In the present embodiment, the semantic relation between network flow includes at least:It is closed along relationship of holding, concurrency relation, cause and effect System and conditional relationship.For indicating the relationship between network flow, specifically referred in the present embodiment:
For the events e1 and e2 represented by two network flows, if e1 occurs before e2 in time, then e1 and e2 are said to satisfy the sequential relation, written e1→e2.
If e1 and e2 both occur within a specific time window W, then e1 and e2 are said to satisfy the concurrent relation, written e1↑↑e2.
If e2 occurs precisely because e1 occurred, then e1 and e2 are said to satisfy the causal relation.
If e2 can occur only if e1 occurs, then e1 and e2 are said to satisfy the conditional relation, which in this embodiment can be written e1↗e2.
For example, let network flow s1 represent the event: the client with IP address sip sends a DNS request to the domain name server with IP address dip; and let network flow s2 represent the event: the client with IP address sip receives the DNS response returned by the domain name server with IP address dip. Then network flow s1 is expressed as:
Network flow s2 is expressed as:
and s1 and s2 satisfy the causal relation.
For example, network flow s1 realizes the client with IP address sip accessing Web server dip, giving:
While the Web page is being downloaded from dip, a concurrent network flow s2 downloads an image from another Web server dip2, giving:
Then s1 and s2 satisfy the concurrent relation, written s1↑↑s2.
S306: generate a set of network flows according to predetermined characteristics, based on the semantics of the network flows and the semantic relations between them.
A set of network flows contains a series of network flows that are semantically related to one another. In this embodiment the predetermined characteristic can be time or space: a set can be generated from the network flows within a certain time range, or according to the geographic area corresponding to the IP addresses in the network flows.
S308: determine the operating condition of the communication agent corresponding to the network flows according to the set of network flows.
The network flow set generated by the above steps is the set formed by the different network flows a communication agent generates under different circumstances; therefore the operating condition of the communication agent corresponding to the network flows can be determined from the generated set.
For example, given a network flow set S, there is a set
Set T represents the network flows generated by a server host within a certain period of time.
In addition, given a network flow set S, there is a set
Set P then represents the network flows a server host generates within the geographic range corresponding to its IP address.
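The four relations of S304 and the time- and region-based sets of S306 and S308, as an added example that is not part of the patent: the events, addresses, region mapping and the declared causal and conditional pairs are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowEvent:
    """A network flow viewed as an event e, with the fields the relations need."""
    name: str
    sip: str     # client address
    dip: str     # server address
    dport: int
    proto: str
    start: float
    end: float

def sequential(e1, e2):
    """e1 -> e2: e1 occurs before e2 in time."""
    return e1.start < e2.start

def concurrent(e1, e2, window):
    """e1 || e2: both events fit inside one time window of length `window`."""
    return max(e1.end, e2.end) - min(e1.start, e2.start) <= window

# Causal and conditional relations are protocol knowledge, not something measured
# from timestamps, so they are declared explicitly (constructed pairs).
CAUSAL = {("s1", "s2")}       # the DNS answer s2 happens because s1 asked
CONDITIONAL = {("s1", "s3")}  # the web fetch s3 needs the DNS answer first

def causal(e1, e2):
    return (e1.name, e2.name) in CAUSAL

def conditional(e1, e2):
    """e2 can only follow e1, so the declared pair must also be sequential."""
    return (e1.name, e2.name) in CONDITIONAL and sequential(e1, e2)

def set_by_time(events, server, t0, t1):
    """Set T: flows served by `server` that start within [t0, t1]."""
    return {e for e in events if e.dip == server and t0 <= e.start <= t1}

def set_by_region(events, region_of, region):
    """Set P: flows whose server address falls in a geographic region."""
    return {e for e in events if region_of.get(e.dip) == region}

def operating_condition(flows):
    """Summarise what the communication agent behind a flow set is doing."""
    return {"services": sorted({(e.proto, e.dport) for e in flows}),
            "clients": len({e.sip for e in flows}), "flows": len(flows)}

# Constructed events (documentation-range addresses, not real hosts).
EVENTS = [
    FlowEvent("s1", "10.0.0.5", "192.0.2.53", 53, "udp", 0.00, 0.01),     # DNS query
    FlowEvent("s2", "10.0.0.5", "192.0.2.53", 53, "udp", 0.01, 0.02),     # DNS answer
    FlowEvent("s3", "10.0.0.5", "192.0.2.10", 443, "tcp", 0.05, 0.90),    # web page
    FlowEvent("s4", "10.0.0.5", "198.51.100.7", 443, "tcp", 0.10, 0.80),  # image, concurrent
    FlowEvent("s5", "10.0.0.9", "192.0.2.10", 443, "tcp", 5.00, 6.00),    # another client
]
REGION_OF = {"192.0.2.53": "east", "192.0.2.10": "east", "198.51.100.7": "west"}
```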
The network flow representation method provided in this embodiment uses preset predicates and their arguments to represent the semantics of a network flow by a predetermined event semantics method; defines, according to that semantics, the relations between the network flow and other network flows; generates sets of network flows from those relations according to predetermined characteristics; and finally determines the operating condition of the corresponding communication agent from the set of network flows. By defining the predicates and arguments that a network flow gives rise to, representing the flow with a predetermined semantics method, and forming sets of flows from their semantics and semantic relations to represent the operating condition of a communication agent, the method represents network flows accurately with a relatively simple representation, and so addresses the following shortcoming of the prior art: the granularity of existing network flow representation methods is inappropriate.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will recognize that various improvements, additions and substitutions are also possible; therefore the scope of the present invention should not be limited to the above embodiments.

Claims (10)

1. A method for representing network flows, characterized in that it comprises:
representing the semantics of a network flow by a predetermined event semantics method, using preset basic predicates, the arguments of the preset basic predicates, preset extension predicates and the arguments of the preset extension predicates;
defining, according to the semantics of the network flow, the semantic relations between the network flow and other network flows;
generating a set of network flows according to predetermined characteristics, based on the semantics of the network flow and the semantic relations between the network flow and other network flows;
determining, according to the set of network flows, the operating condition of the communication agent corresponding to the network flows.
2. The method according to claim 1, characterized in that
the basic predicates include: the five-tuple of the network flow, the client host address, the server host address, the number of bytes the network flow contains, the number of packets the network flow contains, the time of occurrence of the network flow, whether the five-tuple of the network flow establishes a connection, and the start time and end time of the network flow, wherein the five-tuple of the network flow includes: the source address, destination address, source port, destination port and transport layer protocol of the network flow;
the arguments of the basic predicates represent the communication parameters of the network flow represented by the basic predicates.
3. The method according to claim 1, characterized in that
the extension predicates include: the inter-arrival time sequence of the packets the network flow contains, the packet length sequence of the network flow, the feature string of the network flow, the geographic location of an address in the network flow, the entropy of the network flow in a predetermined direction, and the reset time of the network flow;
the arguments of the extension predicates represent the communication parameters of the network flow represented by the extension predicates.
4. The method according to claim 1, characterized in that the predetermined event semantics method is Neo-Davidsonian event semantics.
5. The method according to claim 1, characterized in that the semantic relations between network flows include: the sequential relation, the concurrent relation, the causal relation and the conditional relation.
6. A device for representing network flows, characterized in that it comprises:
a representation module for representing the semantics of a network flow by a predetermined event semantics method, using preset basic predicates, the arguments of the preset basic predicates, preset extension predicates and the arguments of the preset extension predicates;
a definition module for defining, according to the semantics of the network flow, the semantic relations between the network flow and other network flows;
a set generation module for generating a set of network flows according to predetermined characteristics, based on the semantics of the network flow and the semantic relations between the network flow and other network flows;
a determination module for determining, according to the set of network flows, the operating condition of the communication agent corresponding to the network flows.
7. The device according to claim 6, characterized in that
the basic predicates include: the five-tuple of the network flow, the client host address, the server host address, the number of bytes the network flow contains, the number of packets the network flow contains, the time of occurrence of the network flow, whether the five-tuple of the network flow establishes a connection, and the start time and end time of the network flow, wherein the five-tuple of the network flow includes: the source address, destination address, source port, destination port and transport layer protocol of the network flow;
the arguments of the basic predicates represent the communication parameters of the network flow represented by the basic predicates.
8. The device according to claim 6, characterized in that
the extension predicates include: the inter-arrival time sequence of the packets the network flow contains, the packet length sequence of the network flow, the feature string of the network flow, the geographic location of an address in the network flow, the entropy of the network flow in a predetermined direction, and the reset time of the network flow;
the arguments of the extension predicates represent the communication parameters of the network flow represented by the extension predicates.
9. The device according to claim 6, characterized in that the predetermined event semantics method is Neo-Davidsonian event semantics.
10. The device according to claim 6, characterized in that the semantic relations between network flows include: the sequential relation, the concurrent relation, the causal relation and the conditional relation.
CN201810438595.7A 2018-05-09 2018-05-09 Method and device for representing network flow Active CN108737291B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810438595.7A CN108737291B (en) 2018-05-09 2018-05-09 Method and device for representing network flow
Publications (2)

Publication Number Publication Date
CN108737291A true CN108737291A (en) 2018-11-02
CN108737291B CN108737291B (en) 2022-04-05

Family

ID=63938173

Country Status (1)

Country Link
CN (1) CN108737291B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant