CN108737291B - Method and device for representing network flow - Google Patents
Publication number: CN108737291B (application CN201810438595.7A)
Authority: CN (China)
Prior art keywords: network traffic, network, predicate, semantics, flow
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- H04L47/2475—Traffic characterised by specific attributes, e.g. priority or QoS, for supporting traffic characterised by the type of applications (under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L47/00—Traffic control in data switching networks; H04L47/10—Flow control; Congestion control; H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS)
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS (same hierarchy as above)
- H04L47/2408—Traffic characterised by specific attributes, e.g. priority or QoS, for supporting different services, e.g. a differentiated services [DiffServ] type of service (same hierarchy as above)
- G06F40/284—Lexical analysis, e.g. tokenisation or collocates (under G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F40/00—Handling natural language data; G06F40/20—Natural language analysis; G06F40/279—Recognition of textual entities)
- G06F40/30—Semantic analysis (under G06F40/00—Handling natural language data)
Abstract
The invention provides a method and a device for representing network traffic. The method comprises: representing the semantics of a network flow with preset predicates and their arguments according to a predetermined event-semantics method; defining the relations between that network flow and other network flows according to their semantics; generating a set of network flows from those relations according to preset features; and finally determining the operating condition of the communicating entity corresponding to the network flows from that set. By defining predicates and arguments for network traffic, representing the traffic semantically with a predetermined semantic method, and forming network-flow sets from the semantics and semantic relations of the traffic, the method represents the operating condition of a communicating entity.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for representing network traffic.
Background
Network traffic detection means picking out, from the mixed traffic generated by many network applications on the Internet, the traffic generated by a specific network application, network service or network protocol. It underpins network attack and malicious-code detection, network traffic engineering, route management and other work. The basic unit of network traffic detection is a network packet or a network flow, where a network flow is a sequence of packets that share the same five-tuple (source address, destination address, source port, destination port, protocol).
Before detection can be performed, the traffic must be represented, and the existing representation formats are mainly of two kinds: the raw packet format, a packet-level (data-frame-level) record captured directly from the network, and the NetFlow format, a flow-level record. Both are inconvenient. The raw packet format is too fine-grained: a detection system must reassemble the whole "data-link layer, network layer, transport layer, application layer" stack, which consumes a great deal of processing capacity. If packet contents are not recorded, only limited information can be obtained from the packet headers; if they are recorded, a great deal of storage is consumed during detection, and legal restrictions and user-data privacy requirements may limit what can be kept and so weaken the detection. The NetFlow format mainly records flow-level information; its granularity is relatively coarse, and it does not support application-level analysis or network traffic detection based on deep packet inspection.
Both representations are structured numerical representations. For a large-scale network system the volume of traffic to be inspected is large; detecting the traffic generated by a specific network application, service or protocol requires detection rules to be set in advance (for example, indexes on specific fields, joins on specific fields, and flow statistics over specific fields), and when the requirements for monitoring, querying, analysis or statistics change, the processing rules must be reset, or even the whole detection system upgraded. This lacks generality, is inefficient and is expensive to operate.
Disclosure of Invention
The invention provides a method and a device for representing network traffic that solve the following problem of the prior art: the granularity of existing network-traffic representations is inappropriate.
To solve this technical problem, the invention provides a method and a device for representing network traffic, comprising: representing the semantics of a network flow according to a predetermined event-semantics method using preset basic predicates and their arguments and preset extended predicates and their arguments; defining the semantic relations between the network flow and other network flows according to the semantics of the network flow; generating a set of network flows from the semantics of the network flow and its semantic relations to other network flows, according to preset features; and determining the operating condition of the communicating entity corresponding to the network flows from that set.
Optionally, the basic predicates include: the five-tuple of the network flow, the client host address, the server host address, the number of bytes in the flow, the number of packets in the flow, the time at which the flow occurred, the establishment of a connection on the flow's five-tuple, and the start and end times of the flow, where the five-tuple comprises the source address, destination address, source port, destination port and transport-layer protocol of the flow; and the arguments of a basic predicate express the communication parameters of the network flow that the predicate describes.
Optionally, the extended predicates include: the sequence of inter-packet intervals of the flow, the sequence of packet lengths of the flow, the feature string of the flow, the geographic location of an address in the flow, the entropy of the flow in a given direction, and the reset time of the flow; and the arguments of an extended predicate express the communication parameters of the network flow that the predicate describes.
Optionally, the predetermined event-semantics method is neo-Davidsonian event semantics.
Optionally, the semantic relations between network flows include: sequential, concurrent, causal and conditional.
In addition, to achieve the above object, the invention further provides a device for representing network traffic, comprising: a representation module for representing the semantics of a network flow according to a predetermined event-semantics method using preset basic predicates and their arguments and preset extended predicates and their arguments; a definition module for defining the semantic relations between the network flow and other network flows according to the semantics of the network flow; a set generation module for generating a set of network flows from the semantics of the network flow and its semantic relations to other network flows, according to preset features; and a determination module for determining the operating condition of the communicating entity corresponding to the network flows from that set.
Optionally, the basic predicates include: the five-tuple of the network flow, the client host address, the server host address, the number of bytes in the flow, the number of packets in the flow, the time at which the flow occurred, the establishment of a connection on the flow's five-tuple, and the start and end times of the flow, where the five-tuple comprises the source address, destination address, source port, destination port and transport-layer protocol of the flow; and the arguments of a basic predicate express the communication parameters of the network flow that the predicate describes.
Optionally, the extended predicates include: the sequence of inter-packet intervals of the flow, the sequence of packet lengths of the flow, the feature string of the flow, the geographic location of an address in the flow, the entropy of the flow in a given direction, and the reset time of the flow; and the arguments of an extended predicate express the communication parameters of the network flow that the predicate describes.
Optionally, the predetermined event-semantics method is neo-Davidsonian event semantics.
Optionally, the semantic relations between network flows include: sequential, concurrent, causal and conditional.
The invention thus provides a method and a device for representing network traffic in which the semantics of a network flow are represented with preset predicates and their arguments according to a predetermined event-semantics method, the relations between that flow and other flows are defined from their semantics, a set of network flows is generated from those relations according to preset features, and the operating condition of the corresponding communicating entity is determined from that set. By defining predicates and arguments for network traffic, representing the traffic semantically with a predetermined semantic method, and forming network-flow sets from the semantics and semantic relations of the traffic to represent the operating condition of a communicating entity, the method represents network traffic accurately at an appropriate granularity with a simple representation, and so solves the problem of the prior art that the granularity of existing network-traffic representations is inappropriate.
Drawings
FIG. 1 is a flowchart of the method for representing network traffic in the first embodiment of the invention;
FIG. 2 is a schematic structural diagram of the device for representing network traffic in the second embodiment of the invention;
FIG. 3 is a flowchart of the method for representing network traffic in the third embodiment of the invention.
Detailed Description
To solve the problem of the prior art that the granularity of existing network-traffic representations is inappropriate, a first embodiment of the invention provides a method for representing network traffic. A flowchart of the method is shown in FIG. 1; it comprises steps S102 to S108:
S102: represent the semantics of the network flow according to a predetermined event-semantics method, using preset basic predicates and their arguments and preset extended predicates and their arguments.
In this embodiment a network flow is regarded as an event: a set of predicates is defined to describe the communication action that the flow corresponds to, and the arguments describe the corresponding communication parameters of the flow.
S104: define the semantic relations between the network flow and other network flows according to the semantics of the network flow.
After the semantics of a series of network flows have been represented, the relations between each flow and the other flows are defined from the represented semantics of each flow.
S106: generate a set of network flows from the semantics of the network flow and its semantic relations to other network flows, according to preset features.
A set of network flows comprises a series of network flows that stand in semantic relations to one another. The preset feature in this embodiment may be time or space: a set may be generated for the flows within a certain time range, or for the flows whose IP addresses fall within a certain geographic region.
S108: determine the operating condition of the communicating entity corresponding to the network flows from that set.
The set generated in the previous step may consist of the different network flows generated by one communicating entity under different conditions, so the operating condition of that entity can be determined from the generated set.
In addition, this embodiment defines the predicates and arguments of network flows as follows.
The basic predicates include at least: the five-tuple of the network flow, the client host address, the server host address, the number of bytes in the flow, the number of packets in the flow, the time at which the flow occurred, the establishment of a connection on the flow's five-tuple, and the start and end times of the flow. In this embodiment the five-tuple of a network flow comprises its source address, destination address, source port, destination port and transport-layer protocol. The arguments of a basic predicate express the communication parameters of the network flow that the predicate describes; for example, the argument of the client-host-address predicate is the network address of the client host that generated the flow.
Besides the basic predicates, the extended predicates in this embodiment include at least: the sequence of inter-packet intervals of the flow, the sequence of packet lengths of the flow, the feature string of the flow, the geographic location of an address in the flow, the entropy of the flow in a given direction, and the reset time of the flow. Here the direction of a flow means either client-to-server or server-to-client, and the reset time of a flow is the time at which the flow was reset. The arguments of an extended predicate express the communication parameters of the network flow that the predicate describes.
To keep the semantic representation of network traffic clearly structured, the event-semantics method adopted in this embodiment is neo-Davidsonian event semantics, which maps onto a predicate-argument structure and can represent the semantics of a network flow clearly.
Furthermore, in this embodiment the semantic relations between network flows include at least: sequential, concurrent, causal and conditional.
The method of this embodiment represents the semantics of a network flow with preset predicates and their arguments according to a predetermined event-semantics method, defines the relations between that flow and other flows from their semantics, generates a set of network flows from those relations according to a preset feature, and finally determines the operating condition of the corresponding communicating entity from that set. By defining predicates and arguments for network traffic, representing the traffic semantically with a predetermined semantic method, and forming network-flow sets from the semantics and semantic relations of the traffic to represent the operating condition of a communicating entity, it represents network traffic accurately with a simple representation, and solves the problem of the prior art that the granularity of existing network-traffic representations is inappropriate.
A second embodiment of the invention provides a device for representing network traffic. A schematic structural diagram of the device is shown in FIG. 2; it comprises: a representation module 10, configured to represent the semantics of a network flow according to a predetermined event-semantics method using preset basic predicates and their arguments and preset extended predicates and their arguments; a definition module 20, coupled to the representation module 10, for defining the semantic relations between the network flow and other network flows according to the semantics of the network flow; a set generation module 30, coupled to the definition module 20, for generating a set of network flows from the semantics of the network flow and its semantic relations to other network flows, according to a preset feature; and a determination module 40, coupled to the set generation module 30, for determining the operating condition of the communicating entity corresponding to the network flows from that set.
In the representation module, a predicate is a term that describes or asserts a property or feature of objects or a relation between them, and a noun that collocates with the predicate is called an argument.
After the semantics of a series of network flows have been represented, the definition module defines the relations between each flow and the other flows from the represented semantics of each flow.
The set generation module then generates a set of network flows from the semantics of the flow and its semantic relations to other flows, according to the preset feature. A set of network flows comprises a series of network flows that stand in semantic relations to one another. The preset feature in this embodiment may be time or space: a set may be generated for the flows within a certain time range, or for the flows whose IP addresses fall within a certain geographic region.
Finally, the determination module determines the operating condition of the communicating entity corresponding to the network flows from that set. The set generated by the set generation module may consist of the different network flows generated by one communicating entity under different conditions, so the operating condition of that entity can be determined from the generated set.
In addition, this embodiment defines the predicates and arguments of network flows as follows.
The basic predicates include at least: the five-tuple of the network flow, the client host address, the server host address, the number of bytes in the flow, the number of packets in the flow, the time at which the flow occurred, the establishment of a connection on the flow's five-tuple, and the start and end times of the flow. In this embodiment the five-tuple of a network flow comprises its source address, destination address, source port, destination port and transport-layer protocol. The arguments of a basic predicate express the communication parameters of the network flow that the predicate describes; for example, the argument of the client-host-address predicate is the network address of the client host that generated the flow.
Besides the basic predicates, the extended predicates in this embodiment include at least: the sequence of inter-packet intervals of the flow, the sequence of packet lengths of the flow, the feature string of the flow, the geographic location of an address in the flow, the entropy of the flow in a given direction, and the reset time of the flow. Here the direction of a flow means either client-to-server or server-to-client, and the reset time of a flow is the time at which the flow was reset. The arguments of an extended predicate express the communication parameters of the network flow that the predicate describes.
To keep the semantic representation of network traffic clearly structured, the event-semantics method adopted in this embodiment is neo-Davidsonian event semantics, which maps onto a predicate-argument structure and can represent the semantics of a network flow clearly.
Furthermore, in this embodiment the semantic relations between network flows include at least: sequential, concurrent, causal and conditional.
In the device of the second embodiment, the representation module represents the semantics of a network flow with preset predicates and their arguments according to a predetermined event-semantics method, the definition module defines the relations between that flow and other flows from their semantics, the set generation module generates a set of network flows from those relations according to a preset feature, and the determination module determines the operating condition of the corresponding communicating entity from that set. By defining predicates and arguments for network traffic, representing the traffic semantically with a predetermined semantic method, and forming network-flow sets from the semantics and semantic relations of the traffic to represent the operating condition of a communicating entity, the device represents network traffic accurately with a simple representation, and solves the problem of the prior art that the granularity of existing network-traffic representations is inappropriate.
A third embodiment of the invention provides a method for representing network traffic. A flowchart of the method is shown in FIG. 3; it comprises steps S302 to S308:
S302: represent the semantics of the network flow.
In this embodiment the semantics of the network flow are represented according to a predetermined event-semantics method using preset basic predicates and their arguments and preset extended predicates and their arguments.
A network flow is regarded as an event: a set of predicates is defined to describe the communication action that the flow corresponds to, and the arguments describe the corresponding communication parameters of the flow.
The predicates and arguments of network flows defined in this embodiment are listed in Table 1. The arguments of a basic predicate are the part in parentheses after the predicate, and their concrete values depend on the particular network flow.
TABLE 1

| Predicate (argument) | Description |
|---|---|
| IP_ADDRsource(ip1) | Source address ip1 |
| IP_ADDRdest(ip1) | Destination address ip1 |
| PORTsource(pt1) | Source port pt1 |
| PORTdest(pt1) | Destination port pt1 |
| PROTO(pr1) | Protocol pr1 |
| HOSTclient(ip) | Client host address ip |
| HOSTserver(ip) | Server host address ip |
| COUNTbytes(cb1) | Byte count cb1 |
| COUNTpkts(cp1) | Packet count cp1 |
| TIME(t1) | The network flow occurs at time t1 |
| CONNECT(f1) | A connection is established on the five-tuple of network flow f1 |
| TIME(f1, st1, et1) | The start and end times of network flow f1 are st1 and et1 respectively |
The basic predicates include at least: the five-tuple of the network flow, the client host address, the server host address, the number of bytes in the flow, the number of packets in the flow, the time at which the flow occurred, the establishment of a connection on the flow's five-tuple, and the start and end times of the flow. In this embodiment the five-tuple of a network flow comprises its source address, destination address, source port, destination port and transport-layer protocol. The arguments of a basic predicate express the communication parameters of the network flow that the predicate describes; for example, the argument of the client-host-address predicate is the network address of the client host that generated the flow.
Besides the basic predicates, the extended predicates of this embodiment are listed in Table 2; the arguments of an extended predicate are the part in parentheses after the predicate, and their concrete values depend on the particular network flow. The extended predicates include at least: the sequence of inter-packet intervals of the flow, the sequence of packet lengths of the flow, the feature string of the flow, the geographic location of an address in the flow, the entropy of the flow in a given direction, and the reset time of the flow. Here the direction of a flow means either client-to-server or server-to-client, and the reset time of a flow is the time at which the flow was reset. The arguments of an extended predicate express the communication parameters of the network flow that the predicate describes.
TABLE 2
Further, to keep the semantic representation of network traffic clearly structured, the event-semantics method adopted in this embodiment is neo-Davidsonian event semantics, which maps onto a predicate-argument structure and can represent the semantics of a network flow clearly.
For example, for a network flow in which the client sip establishes a connection over the TCP protocol, the semantic representation of this embodiment can be written as:
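As an added example (not code from the patent), the following Python turns constructed packet records for one TCP flow, a client sip opening a connection to a server, into the predicate(argument) facts of Table 1 together with the extended predicates. The Table 1 predicate names and arities are the page's; the extended predicate names SEQinterval, SEQlength, FEATURE, GEO, ENTROPYc2s, ENTROPYs2c and RESET, the hex-of-first-four-payload-bytes definition of the feature string, the prefix-to-region table and the packet data are all assumptions made here.

```python
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Packet:
    ts: int          # capture time in milliseconds (constructed)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int      # bytes on the wire
    flags: str       # TCP flags as letters: S, SA, A, PA, R
    payload: bytes


# Constructed prefix -> region table standing in for a geolocation lookup (assumption).
REGION_BY_PREFIX = {"192.0.2.": "site-A", "198.51.100.": "site-B"}


def region_of(ip: str) -> str:
    return next((r for p, r in REGION_BY_PREFIX.items() if ip.startswith(p)), "unknown")


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flow_predicates(fid: str, pkts: list) -> list:
    """Map the packets of one flow (both directions of a 5-tuple) to (predicate, args) facts.

    Table 1 predicates keep the arities shown there; the extended predicate names
    are assumed here because Table 2 is not reproduced on the page.
    """
    pkts = sorted(pkts, key=lambda p: p.ts)
    first = pkts[0]
    client, server = first.src, first.dst      # the host that opened the flow is the client
    c2s = [p for p in pkts if p.src == client]
    s2c = [p for p in pkts if p.src == server]
    c2s_payload = b"".join(p.payload for p in c2s)
    s2c_payload = b"".join(p.payload for p in s2c)
    start, end = pkts[0].ts, pkts[-1].ts

    facts = [
        ("IP_ADDRsource", (first.src,)), ("IP_ADDRdest", (first.dst,)),
        ("PORTsource", (first.sport,)), ("PORTdest", (first.dport,)),
        ("PROTO", (first.proto,)),
        ("HOSTclient", (client,)), ("HOSTserver", (server,)),
        ("COUNTbytes", (sum(p.length for p in pkts),)),
        ("COUNTpkts", (len(pkts),)),
        ("TIME", (start,)),
        ("TIME", (fid, start, end)),
    ]
    # CONNECT holds only when the three-way handshake is actually visible in the flow.
    if first.proto == "tcp" and any(p.flags == "S" for p in c2s) \
            and any(p.flags == "SA" for p in s2c) and any(p.flags == "A" for p in c2s):
        facts.append(("CONNECT", (fid,)))
    facts += [
        ("SEQinterval", (fid, [b.ts - a.ts for a, b in zip(pkts, pkts[1:])])),
        ("SEQlength", (fid, [p.length for p in pkts])),
        ("FEATURE", (fid, c2s_payload[:4].hex())),        # assumed feature-string definition
        ("GEO", (server, region_of(server))),
        ("ENTROPYc2s", (fid, round(shannon_entropy(c2s_payload), 3))),
        ("ENTROPYs2c", (fid, round(shannon_entropy(s2c_payload), 3))),
    ]
    rst = next((p for p in pkts if "R" in p.flags), None)
    if rst is not None:
        facts.append(("RESET", (fid, rst.ts)))
    return facts


def render(facts: list) -> list:
    """Print-ready 'PREDICATE(arg, ...)' strings, one per fact."""
    return [f"{pred}({', '.join(str(a) for a in args)})" for pred, args in facts]


# Constructed flow: client sip opens a TCP connection to server dip on port 443,
# exchanges a little data and then resets the connection.
SIP, DIP = "192.0.2.10", "198.51.100.7"
SAMPLE_FLOW = [
    Packet(0,   SIP, DIP, 51514, 443, "tcp", 60,  "S",  b""),
    Packet(20,  DIP, SIP, 443, 51514, "tcp", 60,  "SA", b""),
    Packet(21,  SIP, DIP, 51514, 443, "tcp", 52,  "A",  b""),
    Packet(22,  SIP, DIP, 51514, 443, "tcp", 200, "PA", b"AAAABBBB"),
    Packet(50,  DIP, SIP, 443, 51514, "tcp", 100, "PA", b"ABCD"),
    Packet(300, SIP, DIP, 51514, 443, "tcp", 52,  "R",  b""),
]

if __name__ == "__main__":
    for line in render(flow_predicates("f1", SAMPLE_FLOW)):
        print(line)
```

The client is taken to be whichever host sent the first packet of the flow, and CONNECT is asserted only when the SYN, SYN-ACK and ACK are all observed, so a flow captured mid-connection (for example one that starts at the PA packet) yields the same five-tuple facts but no CONNECT fact.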
S304: define the semantic relations between network flows according to their semantics.
After the semantics of a series of network flows have been represented, the relations between each flow and the other flows are defined from the represented semantics of each flow.
In this embodiment the semantic relations between network flows include at least: sequential, concurrent, causal and conditional. For two events e1 and e2 represented by network flows, the relations are defined as follows:
if e1 occurs before e2 in time, e1 and e2 are said to satisfy the sequential relation, written e1 → e2;
if e1 and e2 both occur within a given time window W, e1 and e2 are said to satisfy the concurrency relation, written e1 ↑↑ e2;
if whenever e1 occurs, e2 occurs, e1 and e2 are said to satisfy the causal relation;
if e2 occurs only when e1 occurs, e1 and e2 are said to satisfy the conditional relation, written in this embodiment as e1 ↗ e2.
For example, suppose network flow s1 represents the event "the client with IP address sip sends a DNS request to the domain name server with IP address dip", and network flow s2 represents the event "the client with IP address sip receives the DNS response returned by the domain name server with IP address dip". Then s1 and s2 are each represented with the predicates above, and s1 and s2 satisfy the causal relation.
As another example, suppose network flow s1 is the client with IP address sip accessing web server dip to fetch a web page, while network flow s2 is the same client downloading a picture from another web server dip2 at the same time. These are concurrent flows: s1 and s2 satisfy the concurrency relation, written s1 ↑↑ s2.
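The four relations above, as an added example that is not part of the patent: sequential and concurrent are decided for a pair of events from their timestamps, while causal and conditional are decided over sets of events, which is where the two differ (every cause must be followed by an effect, versus every effect must be preceded by a cause). The reply-matching rule (a reply is the cause's five-tuple reversed), the timeout, the reading of "occurs before" as "ends before the other starts", and the DNS and web events are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    start: int        # ms
    end: int          # ms
    key: tuple        # five-tuple (src, dst, sport, dport, proto)


def sequential(e1: Event, e2: Event) -> bool:
    """e1 -> e2: e1 has ended before e2 begins (assumed reading of 'occurs before')."""
    return e1.end < e2.start


def concurrent(e1: Event, e2: Event, window: int) -> bool:
    """e1 ^^ e2: both events begin within one window of length W."""
    return abs(e1.start - e2.start) <= window


def reverse(key: tuple) -> tuple:
    src, dst, sport, dport, proto = key
    return (dst, src, dport, sport, proto)


def is_reply(cause: Event, effect: Event) -> bool:
    """Assumed relatedness rule: a reply travels the cause's five-tuple in the opposite direction."""
    return effect.key == reverse(cause.key)


def follows(cause: Event, effect: Event, timeout: int, related) -> bool:
    """effect is a related event that starts after cause ends, within the timeout."""
    return related(cause, effect) and sequential(cause, effect) and effect.start - cause.end <= timeout


def causal(causes, effects, timeout: int, related=is_reply) -> bool:
    """'If e1 occurs then e2 occurs': every cause is followed by a related effect."""
    return all(any(follows(c, e, timeout, related) for e in effects) for c in causes)


def conditional(causes, effects, timeout: int, related=is_reply) -> bool:
    """'Only if e1 occurs does e2 occur': every effect is preceded by a related cause."""
    return all(any(follows(c, e, timeout, related) for c in causes) for e in effects)


# Constructed events: DNS queries/replies between client sip and resolver, and two web flows.
SIP, DNS, WEB1, WEB2 = "192.0.2.10", "198.51.100.53", "198.51.100.7", "203.0.113.8"
DNS_Q1 = Event("dns_query", 0, 1, (SIP, DNS, 40001, 53, "udp"))
DNS_R1 = Event("dns_reply", 5, 6, (DNS, SIP, 53, 40001, "udp"))
DNS_Q2 = Event("dns_query", 100, 101, (SIP, DNS, 40002, 53, "udp"))   # never answered
DNS_R3 = Event("dns_reply", 200, 201, (DNS, SIP, 53, 40003, "udp"))   # no matching query
WEB_S1 = Event("http_page", 10, 400, (SIP, WEB1, 50001, 80, "tcp"))
WEB_S2 = Event("http_image", 15, 380, (SIP, WEB2, 50002, 80, "tcp"))

if __name__ == "__main__":
    print("q1 -> r1:", sequential(DNS_Q1, DNS_R1))
    print("s1 ^^ s2 (W=100ms):", concurrent(WEB_S1, WEB_S2, 100))
    print("queries cause replies:", causal([DNS_Q1, DNS_Q2], [DNS_R1], 50))
    print("replies only after queries:", conditional([DNS_Q1], [DNS_R1, DNS_R3], 50))
```

The two set-level checks read differently for an analyst: a causal check that fails points at queries that never got an answer, whereas a conditional check that fails points at replies nobody asked for.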
S306, generating a network flow set according to the semantic relation between the network flow and the preset characteristics.
The collection of network traffic includes a series of network traffic having semantic relationships. The predetermined feature in this embodiment may be time or space, that is, a set may be generated for network traffic within a certain time range, or a set may be generated according to a region range corresponding to an IP address in the network traffic.
S308, determining the operating condition of the communication subject corresponding to the network flows according to the set of network flows.
The network traffic set generated in the above step may be a set formed by different network traffic generated by one communication subject under different conditions, so that the operation condition of the communication subject corresponding to the network traffic may be determined according to the generated network traffic set.
For example, suppose there is a set S of network traffic, and there is a set The set T represents the network traffic generated by the server hosts over a certain time range.
In addition, suppose there is a set S of network traffic, and there is a set The set P represents the network traffic generated by the server hosts within the geographic range corresponding to their IP addresses.
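The four relations and the two kinds of set generation described above, worked through in Python over constructed flow events. This is an added example, not code from the patent: the action labels, the modelling of the causal and conditional relations as a DNS request/response pair, and the approximation of a geographic region by an address block are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class FlowEvent:
    """One network flow as an event e; the fields are basic-predicate arguments
    (five-tuple, start/end time) plus a constructed action label."""
    sip: str
    dip: str
    sport: int
    dport: int
    proto: str
    start: float
    end: float
    action: str  # hypothetical label: "dns_request", "dns_response", "http_get"

def sequential(e1, e2):
    """e1 -> e2: e1 has occurred before e2 in time sequence."""
    return e1.end <= e2.start

def concurrent(e1, e2, window):
    """e1 ^^ e2: both events fall inside one time window of length `window`."""
    return max(e1.end, e2.end) - min(e1.start, e2.start) <= window

def causal(e1, e2):
    """The page's DNS example: request sip->dip, then the response dip->sip.
    Assumption: causal = sequential + mirrored endpoints + request/response pair."""
    return (sequential(e1, e2) and e1.action == "dns_request"
            and e2.action == "dns_response" and (e1.sip, e1.dip) == (e2.dip, e2.sip))

def conditional(e1, e2, events):
    """e1 -> e2 conditionally: e2 occurs only as a result of e1, read here
    (assumption) as e1 being the only cause of e2 among the observed events."""
    return causal(e1, e2) and not any(causal(c, e2) for c in events if c is not e1)

def set_by_time(events, t0, t1):
    """Set generation with time as the preset feature: flows wholly inside [t0, t1]."""
    return {e for e in events if t0 <= e.start and e.end <= t1}

def set_by_region(events, cidr):
    """Set generation with space as the preset feature: flows whose server address
    lies in a region, approximated (assumption) by the address block `cidr`."""
    net = ip_network(cidr)
    return {e for e in events if ip_address(e.dip) in net}

# Constructed sample flows (documentation addresses): a DNS request/response pair,
# then two concurrent HTTP fetches by the same client from two Web servers.
S1 = FlowEvent("10.0.0.5", "192.0.2.53", 40001, 53, "udp", 0.00, 0.01, "dns_request")
S2 = FlowEvent("192.0.2.53", "10.0.0.5", 53, 40001, "udp", 0.02, 0.03, "dns_response")
S3 = FlowEvent("10.0.0.5", "198.51.100.10", 40002, 80, "tcp", 0.50, 1.50, "http_get")
S4 = FlowEvent("10.0.0.5", "198.51.100.20", 40003, 80, "tcp", 0.60, 1.20, "http_get")
SAMPLE = {S1, S2, S3, S4}
```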
The method for representing network traffic provided by this embodiment represents the semantics of network traffic with preset predicates and their arguments according to a predetermined event semantics method, defines the relationships between a network flow and other network flows according to those semantics, generates a set of network flows from those relationships according to a predetermined characteristic, and finally determines the operating condition of the communication subject corresponding to the network traffic from that set. By defining the relevant predicates and arguments for network traffic, representing the traffic semantically with a predetermined semantic method, and forming sets of network flows from their semantics and semantic relations to represent the operating condition of a communication subject, the method represents network traffic accurately in a simple form and solves the problem in the prior art that existing representation methods for network traffic have inappropriate granularity.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, and the scope of the invention should not be limited to the embodiments described above.
Claims (10)
1. A method of network traffic representation, comprising:
representing the semantics of network traffic by a predetermined event semantics method by adopting a preset basic predicate, an argument of the preset basic predicate, a preset extension predicate and an argument of the preset extension predicate, wherein the preset basic predicate and the preset extension predicate are defined to describe communication actions corresponding to the generated network traffic, the argument of the basic predicate represents communication parameters in the network traffic represented by the basic predicate, and the argument of the extension predicate represents communication parameters in the network traffic represented by the extension predicate;
defining semantic relations between the network traffic and other network traffic according to the semantics of the network traffic;
generating a network flow set according to the semantics of the network flow and the semantic relation between the network flow and other network flows and according to preset characteristics;
and determining the operation condition of the communication main body corresponding to the network flow according to the set of the network flow.
2. The method of claim 1,
the basic predicates comprise: the five-tuple of the network flow, a client host address, a server host address, the number of bytes contained in the network flow, the number of network flow packets contained in the network flow, the occurrence time of the network flow, connection establishment of the five-tuple of the network flow, and the start time and the end time of the network flow, wherein the five-tuple of the network flow comprises: source address, destination address, source port, destination port, and transport layer protocol of the network traffic.
3. The method of claim 1,
the extended predicates comprise: an interval time sequence of the network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic location of an address in the network traffic, an entropy of the network traffic in a predetermined direction, and a reset time of the network traffic.
4. The method of claim 1, wherein the predetermined event semantics method is a neo-Davidsonian event semantics method.
5. The method of claim 1, wherein the semantic relationship between the network traffic comprises: sequential, concurrent, causal and conditional.
6. An apparatus for network traffic representation, comprising:
a representation module, used for representing the semantics of network traffic according to a predetermined event semantics method by adopting a preset basic predicate, an argument of the preset basic predicate, a preset extension predicate and an argument of the preset extension predicate, wherein the preset basic predicate and the preset extension predicate are defined to describe communication actions corresponding to the generated network traffic, the argument of the basic predicate represents communication parameters in the network traffic represented by the basic predicate, and the argument of the extension predicate represents communication parameters in the network traffic represented by the extension predicate;
the definition module is used for defining the semantic relation between the network flow and other network flows according to the semantics of the network flow;
the set generation module is used for generating a set of network traffic according to the semantics of the network traffic and the semantic relation between the network traffic and other network traffic and according to the preset characteristics;
and the determining module is used for determining the operating condition of the communication main body corresponding to the network flow according to the set of the network flow.
7. The apparatus of claim 6,
the basic predicates comprise: the five-tuple of the network flow, a client host address, a server host address, the number of bytes contained in the network flow, the number of network flow packets contained in the network flow, the occurrence time of the network flow, connection establishment of the five-tuple of the network flow, and the start time and the end time of the network flow, wherein the five-tuple of the network flow comprises: source address, destination address, source port, destination port, and transport layer protocol of the network traffic.
8. The apparatus of claim 6,
the extended predicates comprise: an interval time sequence of the network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic location of an address in the network traffic, an entropy of the network traffic in a predetermined direction, and a reset time of the network traffic.
9. The apparatus of claim 6, wherein the predetermined event semantics method is a neo-Davidsonian event semantics method.
10. The apparatus of claim 6, wherein the semantic relationship between the network traffic comprises: sequential, concurrent, causal and conditional.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810438595.7A CN108737291B (en) | 2018-05-09 | 2018-05-09 | Method and device for representing network flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108737291A CN108737291A (en) | 2018-11-02 |
CN108737291B true CN108737291B (en) | 2022-04-05 |
Family
ID=63938173
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||