CN109063745B - Network equipment type identification method and system based on decision tree - Google Patents


Info

Publication number: CN109063745B
Authority: CN (China)
Prior art keywords: equipment, decision tree, data, network, data packet
Legal status: Active (Google notes that the legal status is an assumption and not a legal conclusion)
Application number: CN201810756175.3A
Other languages: Chinese (zh)
Other versions: CN109063745A (en)
Inventors: 陈丹伟 (Chen Danwei), 刘翔元 (Liu Xiangyuan), 刘尚东 (Liu Shangdong)
Current assignee: Nanjing University of Posts and Telecommunications (Google notes that listed assignees may be inaccurate)
Original assignee: Nanjing University of Posts and Telecommunications
Priority date: 2018-07-11 (Google notes that the priority date is an assumption and not a legal conclusion)
Filing date: 2018-07-11
Publication date: 2018-12-21 (CN109063745A), 2023-06-09 (CN109063745B)

Events
2018-07-11: Application filed by Nanjing University of Posts and Telecommunications; priority to CN201810756175.3A
2018-12-21: Publication of CN109063745A
2023-06-09: Application granted; publication of CN109063745B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/24 Classification techniques
    • G06F 18/243 Classification techniques relating to the number of classes
    • G06F 18/24323 Tree-organised classifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computing Systems (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a decision-tree-based method and system for identifying the type of a network device and belongs to the technical field of network security. Network traffic from the device is collected and preprocessed, the HTTP packets in the traffic are extracted, the text-type feature data are vectorized, the feature vectors are classified with a C4.5 decision tree, and the device type is thereby identified. The method detects the type of an unknown device passively, from its traffic alone, so it sends nothing that an intrusion detection system could observe; it can identify unknown devices, their types can be added to the system, and the generalization capability is improved.

Description

Network equipment type identification method and system based on decision tree
Technical Field
The invention relates to the technical field of network security and machine learning, in particular to a network equipment type identification method and system based on a decision tree.
Background
With the development of big data, the Internet of Things (IoT) and inter-device communication protocols, more and more terminal devices exist in cyberspace. Large numbers of wireless routers, network printers, VoIP telephones, network digital video cameras and some industrial control devices have public IP addresses, and together with conventional hosts, servers and routers they form the current network environment. According to statistics, over 5 million terminal devices, in more than 20 major categories, are reachable in cyberspace besides ordinary websites and hosts. The scale of this terminal equipment is huge and its types are complex, and the potential security risk is correspondingly unprecedented.
Existing identification methods target only traditional web server software such as Apache, IIS and Nginx. The terminal devices in cyberspace are numerous and varied, and the implementations of wireless routers, network printers, VoIP telephones, network cameras and similar systems all differ, so the traditional identification methods do not suit the current network environment well. The conventional methods therefore need to be improved to widen the range of objects they can identify, so that the newer terminal devices are recognized as well.
In addition, the terminal devices in cyberspace play an important role in daily life and office work, and their stable operation must be preserved while network fingerprinting is performed. Conventional identification methods, however, often send a series of meaningless probe messages or malformed requests to identify a target heuristically; such probes can trigger buffer overflows in the target and cause a denial of service, so that the terminal device no longer operates normally. The probe messages used to identify a terminal device should therefore resemble normal requests as closely as possible, so that the identification process is safe and reliable and does not raise anomalous-traffic alerts on firewalls and similar equipment; alternatively, the device type can be identified purely passively from the captured traffic.
Disclosure of Invention
Addressing the problems that new kinds of devices to be identified keep appearing and that the existing identification methods are easily detected as intrusion behaviour, the invention provides a decision-tree-based network device type identification method. The method detects the type of an unknown device passively, so it generates nothing for an intrusion detection system to capture; it can identify unknown devices, their types can be added to the system, and the generalization capability is improved.
The aim of the invention is achieved by the following technical scheme:
A decision-tree-based network device type identification method, comprising:
S1, sample collection: capturing the network traffic of the unknown device to obtain the response messages of its network protocols;
S2, data preprocessing: preprocessing the response messages and extracting the HTTP packets of the unknown device;
S3, feature extraction: extracting from the HTTP packets the information that reflects the characteristics of the terminal device as sample features, and vectorizing the text-type feature data. Redundant information is removed from the features extracted from the filtered HTTP packets to reduce computational complexity and improve identification efficiency; the extracted features are preprocessed and the text-type feature data are vectorized by a statistical analysis method. Vectorization builds a word vector space with the TF-IDF method and mines the latent semantic features inside the protocol messages with latent semantic analysis (LSA).
Step S3 further includes:
S31, vectorization of unknown-device feature data: extracting the feature information from the HTTP packets of the unknown device and vectorizing the text-type feature data;
S32, vectorization of known-device feature data: obtaining HTTP packets of known devices and vectorizing their feature information. HTTP GET requests are sent to network devices of known type to obtain HTTP packets, step S3 is repeated to extract the feature information from those packets, and the text-type feature data are vectorized. The known device types can be found with oshada, a paid network device search system.
S4, model generation: generating a decision tree with a decision tree algorithm from the vectorized feature information of the known devices obtained in step S32;
S5, classification: classifying the vectorized feature information of the unknown device obtained in step S31 with the decision tree generated in step S4; classification comprises a tree traversal and a node-matching process. First it is judged whether the current node of the decision tree is a leaf; if so, the device type is the type carried by that leaf. Otherwise the attribute item corresponding to the node is looked up in the device's feature vector, its value is compared with the node's attribute value, the branch is chosen according to the result of the comparison, and the process continues at the next node until matching finishes.
Preferably, in the S1 sample collection step WinPcap captures packets directly from the physical interface and stores them in a cap file; WinPcap then reads the packets back from the offline file, i.e. the stored file is opened with the WinPcap function pcap_open_offline().
Preferably, the preprocessing of step S2 comprises processing the captured cap file with WinPcap and setting filtering rules. WinPcap provides two functions, pcap_compile() and pcap_setfilter(), for filtering packets; once an accurate filter expression has been set, these two functions filter the packets efficiently.
Preferably, in the S4 model generation step the feature information of the HTTP packets is trained with the C4.5 decision tree algorithm to generate the decision tree.
A decision-tree-based network device type identification system, comprising:
a sample acquisition module for capturing network packets at the physical ports of known and unknown devices and obtaining the response messages of the network protocol;
a data preprocessing module for parsing the captured network packets and obtaining HTTP packets by setting a filtering rule;
a feature extraction module for extracting from the HTTP packets the information that reflects the characteristics of the terminal device as sample features and vectorizing the text-type feature data;
the feature extraction module comprising:
an unknown-device feature vectorization unit for extracting the feature information from the HTTP packets of the unknown device and vectorizing the text-type feature data;
a known-device feature vectorization unit for obtaining HTTP packets of the known devices and vectorizing their feature information;
a model generation module for generating a decision tree;
and a classification module for classifying the unknown device.
Preferably, the sample acquisition module comprises:
a data capture unit that captures packets directly from the physical interface with WinPcap and stores them in a cap file.
Preferably, the data preprocessing module comprises:
a preprocessing unit that captures packets directly from the physical interface with WinPcap and stores them in a cap file.
Preferably, the model generation module comprises:
a decision tree generation unit that trains the feature information of the HTTP packets with the C4.5 decision tree algorithm to generate the decision tree.
Compared with the prior art, the invention has the following advantages:
(1) Existing network device identification techniques mostly scan the network actively, extract device fingerprints by hand and match them with regular expressions. This is time-consuming and labour-intensive, the identification accuracy is not guaranteed, unknown devices can be neither discovered nor identified, and the scanning itself is easily detected.
(2) The invention identifies the device type passively, from network traffic packets alone, so the identification cannot be captured by an intrusion detection system. (Only the identification of unknown devices is passive: the training samples for known devices are obtained by sending HTTP GET requests to them, as described in step S32.)
(3) The feature information of the known devices is learned automatically by machine learning to generate the decision tree, which is then used to judge the type of unknown devices; the number of identifiable device types grows, unknown device types can be added to the system, and the generalization capability improves.
Drawings
FIG. 1 is an overall process flow diagram of the present invention;
fig. 2 is a system architecture diagram of the present invention.
Detailed Description
The invention is now described in detail with reference to the drawings and a specific embodiment.
Example 1
Following the overall process flow of fig. 1, this embodiment is implemented as follows:
1. Known device packet processing
(1) Sample collection: the types and IP addresses of network devices are found with oshada, a paid network device search system, and an HTTP GET request is sent to each known device to obtain its HTTP packets.
(2) Data processing: the information that reflects the characteristics of the terminal device is extracted from the filtered HTTP packets as sample features, i.e. the header fields of the HTTP response packets are counted and the 30 most frequent fields are taken as features 1 to 30, and the text-type feature data are vectorized with the TF-IDF algorithm.
(3) Data application: the vectorized HTTP packet features are trained with the C4.5 decision tree algorithm to generate a decision tree; the input is the feature data of the known devices' HTTP packets and the output is the decision tree. Tree generation is a recursive spanning-tree function. The recursion stops either when only one device type remains in the current subset or when the attributes are exhausted before the subset is fully divided. The first condition is checked by the function AllTheSameLabel(), which checks in turn whether the current samples all belong to one type and, if so, returns a record of that type; the second is checked by testing whether the set of remaining attributes is empty, in which case the function MostCommonLabel() returns the most frequent type in the current subset. The information gain ratio of each attribute is calculated by ComputeGainRatio(), which first computes the information entropy and the entropy of the divided subsets to obtain the information gain, then computes the split information and divides to obtain the gain ratio; these two parts are implemented by ComputeEntropy() and ComputeSplit() respectively.
After the gain ratio of each candidate attribute has been calculated, the attribute with the largest gain ratio is selected and the remaining samples are divided into subsets by the values of that attribute. The remaining attribute items and attribute values are then updated, and the spanning-tree function is called recursively on each subset, repeating the steps above until a stopping condition is met. The nodes are returned layer by layer, and finally the spanning-tree function returns the address of the root node; the attribute value and all children of each node can be obtained through the node data structure, and together they form the decision tree model.
2. Unknown device packet processing
(1) Sample collection: the WINPCAP is used for directly capturing a data packet from the physical interface, and the data packet is stored into a cap file format; then, the WINPCAP is used for reading the data packet from the offline stack, and the stored file is opened by a function pcap_open_offset () of the instant WINPCAP; the WINPCAP provides two functions, namely, pcap_common () and pcap_setfilter (), to filter the data packet, and after setting an accurate filtering expression, the WINPCAP can be matched with the two functions to realize the function of filtering the data packet with high efficiency, and only the HTTP data packet is concerned in the invention, so that the filter rule is set into an expression of HTTP only by capturing the HTTP data packet;
(2) And (3) data processing: extracting information capable of reflecting characteristics of terminal equipment from the HTTP data packet obtained by filtering as sample characteristics, namely counting the total number of header fields in the HTTP response packet, selecting 30 fields with highest occurrence frequency as characteristics 1 to 30, and vectorizing text type characteristic data through a TF-IDF algorithm;
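The capture-and-filter step above (S1/S2) in working form, as an added example that is not the patent's code: a pure-Python reader for the classic pcap file format that stands in for WinPcap's pcap_open_offline() / pcap_compile() / pcap_setfilter() and applies the equivalent of the BPF expression "tcp port 80", keeping only TCP payloads that begin with "HTTP/" (responses, which is where the features in the description come from). The capture is constructed inline (one HTTP request, one HTTP response, one DNS query); the assumptions about the file (little-endian pcap, Ethernet link type, IPv4) are the example's own and are not stated in the patent.

```python
"""Pure-Python stand-in for the WinPcap steps in S1/S2 (added example, not the patent's code).

Assumptions (not from the patent): classic pcap files with an Ethernet link layer, IPv4
and TCP; "HTTP only" is taken to mean the BPF expression "tcp port 80", and only TCP
payloads that start with "HTTP/" (i.e. responses) are kept.
"""
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                 payload: bytes, proto: int = IPPROTO_TCP) -> bytes:
    """Build a constructed Ethernet/IPv4/{TCP,UDP} frame (checksums left at 0)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    if proto == IPPROTO_TCP:
        # seq=1, ack=1, data offset 5 (20-byte header), flags PSH|ACK, window 65535
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4 + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames into a pcap file image (what WinPcap would have saved)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1531267200 + i, 0, len(frame), len(frame))
        out += frame
    return out


def http_response_from_frame(frame: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Apply the 'tcp port 80 + HTTP response' filter to one Ethernet frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    tcp = ip[ihl:total_len]                                   # drops Ethernet padding, if any
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    if 80 not in (sport, dport):                              # BPF "tcp port 80"
        return None
    payload = tcp[(tcp[12] >> 4) * 4:]
    if not payload.startswith(b"HTTP/"):                      # keep responses only
        return None
    return src_ip, sport, payload


def extract_http_responses(pcap_bytes: bytes) -> List[Tuple[str, int, bytes]]:
    """Walk a pcap image record by record, like pcap_open_offline() + pcap_loop()."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    results, off = [], 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) != incl_len:
            break                                             # truncated capture
        hit = http_response_from_frame(frame)
        if hit:
            results.append(hit)
    return results


# Constructed sample capture: one HTTP request, one HTTP response, one DNS query.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: ExampleCamHTTPd/1.0\r\n"
                 b"Content-Type: text/html\r\nContent-Length: 5\r\n\r\nhello")
DNS_QUERY = bytes.fromhex("abcd01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_PCAP = build_pcap([
    build_packet("198.51.100.7", "192.0.2.10", 51234, 80, HTTP_REQUEST),
    build_packet("192.0.2.10", "198.51.100.7", 80, 51234, HTTP_RESPONSE),
    build_packet("198.51.100.7", "192.0.2.53", 40000, 53, DNS_QUERY, proto=IPPROTO_UDP),
])

if __name__ == "__main__":
    for src, port, body in extract_http_responses(SAMPLE_PCAP):
        print(src, port, body.split(b"\r\n", 1)[0])
```

Only the response survives the filter; the request and the DNS query are dropped, which is the same selection the patent obtains by compiling an HTTP-only expression with pcap_compile() and installing it with pcap_setfilter(). Using the IP total length rather than the frame length is what keeps Ethernet trailer padding out of the HTTP payload.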
3. Classifier classification
The vectorized feature data of the unknown device are matched against the decision tree generated from the vectorized feature data of the known devices, which classifies the unknown device. Classification is essentially a tree traversal and node-matching process: first it is judged whether the current node of the decision tree is a leaf; if so, the device type is the type carried by that leaf. Otherwise the attribute item corresponding to the node is looked up in the device's feature vector, its value is compared with the node's attribute value, the branch is chosen according to the result of the comparison, and the process continues at the next node until matching finishes.
Fig. 2 is the system architecture diagram of an embodiment of the invention, which mainly comprises:
Sample collection process
1. The network device search system oshada is used to collect as many device types, and as many devices of each type, as possible, which improves identification accuracy and widens the range of identifiable types.
2. An HTTP GET request is sent to each known device to obtain its HTTP packets.
3. WinPcap captures packets directly from the physical interface, and the HTTP packets are obtained by setting a filtering rule.
Data preprocessing process
1. The information that reflects the characteristics of the terminal device is extracted from the filtered HTTP packets as sample features: the header fields of the HTTP response packets are counted and the 30 most frequent fields (Content-Length excluded) are taken as features 1 to 30. If a header field among features 1 to 30 is present in the HTTP response header, the value at the corresponding position is 1; otherwise it is 0.
2. The HTTP status code is taken as feature 31: the returned status code is mapped to a value in 1 to 36 according to its index in the status code set S, where
S={ 200, 202, 203, 204, 205, 301, 302, 307, 400,
401, 402, 403, 404, 405, 406, 407, 408, 410,
412, 416, 451, 456, 461, 479, 500, 501, 502,
503, 504, 508, 510, 520, 534, 535, 550, 596}
3. The "Content-Length" field value is taken as feature 32: if the header field "Content-Length" is present in the HTTP response header, feature 32 is its numeric value; otherwise it is 0.
4. Finally, the text features of the original sample HTTP response packet are converted into a 32-dimensional feature vector.
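The 32-dimensional feature vector described in steps 1 to 4 above, as an added example (not code from the patent): 30 header-presence bits for the most frequent header names in the known-device corpus (Content-Length excluded), the 1-based index of the status code in S as feature 31, and the Content-Length value as feature 32. The three sample responses are constructed and their Server strings are placeholders; mapping a status code outside S to 0 and a malformed Content-Length to 0 are assumptions the description leaves open.

```python
"""32-dimensional HTTP response features as in the description (added example, not the patent's code)."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Status code set S from the description (36 codes); feature 31 is the 1-based index in S.
STATUS_CODES = [200, 202, 203, 204, 205, 301, 302, 307, 400,
                401, 402, 403, 404, 405, 406, 407, 408, 410,
                412, 416, 451, 456, 461, 479, 500, 501, 502,
                503, 504, 508, 510, 520, 534, 535, 550, 596]
STATUS_INDEX = {code: i + 1 for i, code in enumerate(STATUS_CODES)}
N_HEADER_FEATURES = 30           # features 1..30


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header dict) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())   # first occurrence wins
    return int(parts[1]), headers


def select_header_features(corpus: Sequence[bytes], k: int = N_HEADER_FEATURES) -> List[str]:
    """Features 1..k: the k header names seen most often in the known-device corpus,
    Content-Length excluded (it is feature 32 in its own right)."""
    counts: Counter = Counter()
    for raw in corpus:
        _, headers = parse_response(raw)
        counts.update(name for name in headers if name != "content-length")
    # Ties are broken alphabetically so the feature order is reproducible.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, _ in ranked[:k]]


def vectorize(raw: bytes, header_features: Sequence[str]) -> List[int]:
    """32-dimensional vector: 30 header presence bits, status index, Content-Length."""
    status, headers = parse_response(raw)
    vec = [1 if name in headers else 0 for name in header_features]
    vec += [0] * (N_HEADER_FEATURES - len(vec))   # pad when the corpus has < 30 distinct headers
    vec.append(STATUS_INDEX.get(status, 0))       # assumption: a code outside S maps to 0
    length = headers.get("content-length", "")
    vec.append(int(length) if length.isdigit() else 0)   # absent or malformed -> 0
    return vec


# Constructed sample responses (vendor strings are placeholders, not real banners).
SAMPLES = {
    "router": (b"HTTP/1.1 401 Unauthorized\r\nServer: ExampleRouterHTTPd/1.0\r\n"
               b"WWW-Authenticate: Basic realm=\"router\"\r\nContent-Type: text/html\r\n"
               b"Content-Length: 127\r\nConnection: close\r\n\r\n<html>..."),
    "printer": (b"HTTP/1.1 200 OK\r\nServer: ExamplePrinterWeb/2.3\r\nContent-Type: text/html\r\n"
                b"Content-Length: 3082\r\nCache-Control: no-cache\r\nExpires: 0\r\n\r\n<html>..."),
    "camera": (b"HTTP/1.0 200 OK\r\nServer: ExampleCamHTTPd/1.0\r\nContent-Type: text/html\r\n"
               b"Transfer-Encoding: chunked\r\nDate: Wed, 11 Jul 2018 08:00:00 GMT\r\n\r\n..."),
}


def build_dataset(samples: Dict[str, bytes]) -> Tuple[List[str], List[List[int]], List[str]]:
    """Select the header features on the corpus, then vectorize every sample: (features, X, y)."""
    feats = select_header_features(list(samples.values()))
    X = [vectorize(raw, feats) for raw in samples.values()]
    return feats, X, list(samples.keys())


if __name__ == "__main__":
    feats, X, y = build_dataset(SAMPLES)
    print(feats)
    for label, vec in zip(y, X):
        print(label, vec)
```

The header list must be chosen once, on the known-device corpus, and then reused unchanged for unknown devices; recomputing it on the unknown traffic would silently change which position each bit refers to.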
Classification process
1. The text features of the known devices' HTTP response packets are converted into 32-dimensional feature vectors and trained with the C4.5 decision tree algorithm to generate a decision tree; the input is the feature data of the known devices' HTTP packets and the output is the decision tree.
2. The vectorized feature data of the unknown device are matched against that decision tree, which classifies the unknown device.
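The C4.5 generation described in Example 1 (the recursive spanning-tree function, the stopping conditions AllTheSameLabel()/MostCommonLabel(), and ComputeGainRatio() built from ComputeEntropy() and ComputeSplit()) together with the S5 traversal above, as an added example that is not the patent's implementation. Splits are binary threshold tests x[attr] <= thr with candidate thresholds at the midpoints between observed values, which handles the binary, categorical-index and numeric attributes of the 32-dimensional vector alike; an attribute is dropped from the candidate set after it is used, as the description says. The training vectors are constructed and shortened to 5 attributes for readability.

```python
"""C4.5-style tree generation and classification (added example, not the patent's code)."""
import math
from collections import Counter
from typing import List, Sequence

Label = str
Vector = Sequence[float]


def compute_entropy(labels: Sequence[Label]) -> float:
    """ComputeEntropy: Shannon entropy (bits) of the class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def all_the_same_label(labels: Sequence[Label]) -> bool:
    """AllTheSameLabel: first stopping condition (the subset is pure)."""
    return len(set(labels)) == 1


def most_common_label(labels: Sequence[Label]) -> Label:
    """MostCommonLabel: majority class, used when the attribute set is exhausted."""
    return Counter(labels).most_common(1)[0][0]


def compute_gain_ratio(X, y, attr, thr) -> float:
    """ComputeGainRatio for the binary test x[attr] <= thr: information gain / split information."""
    n = len(y)
    parts = [[i for i in range(n) if X[i][attr] <= thr],
             [i for i in range(n) if X[i][attr] > thr]]
    cond = sum(len(p) / n * compute_entropy([y[i] for i in p]) for p in parts)
    gain = compute_entropy(y) - cond
    split_info = -sum(len(p) / n * math.log2(len(p) / n) for p in parts if p)   # ComputeSplit
    return gain / split_info if split_info > 0 else 0.0


class Node:
    """Decision-tree node: a leaf carries a label, an inner node an (attr, thr) test."""
    def __init__(self, label=None, attr=None, thr=None, left=None, right=None):
        self.label, self.attr, self.thr, self.left, self.right = label, attr, thr, left, right

    def is_leaf(self) -> bool:
        return self.label is not None


def generate_tree(X: List[Vector], y: List[Label], attrs: List[int]) -> Node:
    """The recursive spanning-tree function of the description."""
    if all_the_same_label(y):
        return Node(label=y[0])
    if not attrs:
        return Node(label=most_common_label(y))
    best = (0.0, None, None)                         # (gain ratio, attr, threshold)
    for a in attrs:
        values = sorted(set(x[a] for x in X))
        for lo, hi in zip(values, values[1:]):       # candidate thresholds: midpoints
            r = compute_gain_ratio(X, y, a, (lo + hi) / 2)
            if r > best[0]:
                best = (r, a, (lo + hi) / 2)
    _, a, thr = best
    if a is None:                                    # no attribute separates the subset
        return Node(label=most_common_label(y))
    left_idx = [i for i, x in enumerate(X) if x[a] <= thr]
    right_idx = [i for i, x in enumerate(X) if x[a] > thr]
    remaining = [b for b in attrs if b != a]         # attribute consumed, as in the description
    return Node(attr=a, thr=thr,
                left=generate_tree([X[i] for i in left_idx], [y[i] for i in left_idx], remaining),
                right=generate_tree([X[i] for i in right_idx], [y[i] for i in right_idx], remaining))


def classify(root: Node, x: Vector) -> Label:
    """S5: walk from the root until a leaf, choosing the branch by comparing the attribute value."""
    node = root
    while not node.is_leaf():
        node = node.left if x[node.attr] <= node.thr else node.right
    return node.label


def training_accuracy(root: Node, X, y) -> float:
    return sum(classify(root, x) == lab for x, lab in zip(X, y)) / len(y)


# Constructed training set. For readability each vector has 5 attributes instead of 32:
# [Server present, WWW-Authenticate present, Cache-Control present, status index, Content-Length]
X_TRAIN = [
    [1, 1, 0, 10, 127], [1, 1, 0, 10, 130], [1, 1, 1, 10, 127],    # routers: 401 + Basic auth
    [1, 0, 1, 1, 3082], [1, 0, 1, 1, 2990], [1, 0, 1, 1, 3100],    # printers: 200, large pages
    [1, 0, 0, 1, 0],    [1, 0, 0, 1, 0],    [0, 0, 0, 1, 0],       # cameras: 200, chunked (no length)
]
Y_TRAIN = ["router"] * 3 + ["printer"] * 3 + ["camera"] * 3
TREE = generate_tree(X_TRAIN, Y_TRAIN, list(range(5)))

if __name__ == "__main__":
    print("training accuracy:", training_accuracy(TREE, X_TRAIN, Y_TRAIN))
    print("unknown device ->", classify(TREE, [1, 0, 1, 1, 2500]))
```

On this data the root test is the WWW-Authenticate bit and the second level the Cache-Control bit; Content-Length would separate the classes equally well but is visited later in attribute order, and a strict comparison keeps the first best split, so the result is deterministic. Dropping a numeric attribute after one threshold test follows the description but limits how finely Content-Length can be used; standard C4.5 keeps continuous attributes available for further splits.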
The invention and its embodiment have been described above schematically and without limitation; the actual construction is not limited to what is shown, the drawings presenting one embodiment. Therefore, if a person of ordinary skill in the art, informed by this disclosure, adopts a structure or embodiment similar to the technical scheme without creative design and without departing from the gist of the invention, such structures and embodiments fall within the protection scope of this patent.

Claims (4)

1. A decision-tree-based network device type identification method, characterized by comprising the following steps:
S1, sample collection: capturing the network traffic of the unknown device to obtain the response messages of its network protocols;
S2, data preprocessing: preprocessing the response messages and extracting the HTTP packets of the unknown device;
the preprocessing comprising processing the captured cap file with WinPcap and setting filtering rules;
S3, feature extraction: extracting from the HTTP packets the information that reflects the characteristics of the terminal device as sample features, and vectorizing the text-type feature data;
step S3 further including:
S31, vectorization of unknown-device feature data: extracting the feature information from the HTTP packets of the unknown device and vectorizing the text-type feature data;
S32, vectorization of known-device feature data: obtaining HTTP packets of known devices and vectorizing their feature information;
S4, model generation: generating a decision tree with a decision tree algorithm from the vectorized feature information of the known devices obtained in step S32;
in the S4 model generation step, the HTTP packet feature information being trained with the C4.5 decision tree algorithm to generate the decision tree;
S5, classification: classifying the vectorized feature information of the unknown device obtained in step S31 with the decision tree generated in step S4, the classification comprising a tree traversal and a node-matching process.
2. The decision-tree-based network device type identification method of claim 1, wherein in the S1 sample collection step WinPcap is used to capture packets directly from the physical interface, and the packets are stored in a cap file.
3. A decision-tree-based network device type identification system, comprising:
a sample acquisition module for capturing network packets at the physical ports of known and unknown devices and obtaining the response messages of the network protocol;
a data preprocessing module for parsing the captured network packets and obtaining HTTP packets by setting a filtering rule;
the data preprocessing module comprising a preprocessing unit for capturing packets directly from the physical interface with WinPcap and storing them in a cap file;
a feature extraction module for extracting from the HTTP packets the information that reflects the characteristics of the terminal device as sample features and vectorizing the text-type feature data;
the feature extraction module comprising:
an unknown-device feature vectorization unit for extracting the feature information from the HTTP packets of the unknown device and vectorizing the text-type feature data;
a known-device feature vectorization unit for obtaining HTTP packets of the known devices and vectorizing their feature information;
a model generation module for generating a decision tree;
the model generation module comprising a decision tree generation unit for training the feature information of the HTTP packets with the C4.5 decision tree algorithm to generate the decision tree;
and a classification module for classifying the unknown device.
4. The decision-tree-based network device type identification system of claim 3, wherein the sample acquisition module comprises a data capture unit for capturing packets directly from the physical interface with WinPcap and storing them in a cap file.

Priority Applications (1)

CN201810756175.3A (priority date 2018-07-11, filing date 2018-07-11): Network equipment type identification method and system based on decision tree. The same application is the only application claiming priority and the only member of the family; status: Active.

Publications (2)

CN109063745A (en), published 2018-12-21
CN109063745B (en), published 2023-06-09

Family

ID = 64815825

Country Status (1)

CN: CN109063745B (en)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109948650B (en) * 2019-02-13 2023-08-11 南京中一物联科技有限公司 Intelligent household equipment type judging method based on message characteristics
CN110022308B (en) * 2019-03-11 2020-05-29 中国科学院信息工程研究所 Internet of things equipment identification method and system, electronic equipment and storage medium
CN111931797B (en) * 2019-05-13 2023-09-08 中国移动通信集团湖南有限公司 Method, device and equipment for identifying network to which service belongs
CN110096013A (en) * 2019-05-24 2019-08-06 广东工业大学 A kind of intrusion detection method and device of industrial control system
CN110062013A (en) * 2019-06-04 2019-07-26 电子科技大学 A kind of detection system and its method for Malware HTTP flow
CN110348526B (en) * 2019-07-15 2021-05-07 武汉绿色网络信息服务有限责任公司 Equipment type identification method and device based on semi-supervised clustering algorithm
CN110602041A (en) * 2019-08-05 2019-12-20 中国人民解放军战略支援部队信息工程大学 White list-based Internet of things equipment identification method and device and network architecture
CN110445689B (en) * 2019-08-15 2022-03-18 平安科技(深圳)有限公司 Method and device for identifying type of equipment of Internet of things and computer equipment
CN113098832B (en) * 2019-12-23 2022-09-27 四川大学 Remote buffer overflow attack detection method based on machine learning
CN111367874B (en) * 2020-02-28 2023-11-14 绿盟科技集团股份有限公司 Log processing method, device, medium and equipment
CN112118259B (en) * 2020-09-17 2022-04-15 四川长虹电器股份有限公司 Unauthorized vulnerability detection method based on classification model of lifting tree
CN112115917B (en) * 2020-09-29 2024-05-28 深圳市汇顶科技股份有限公司 Fingerprint identification method, fingerprint identification device, electronic equipment and storage medium
CN114338064B (en) * 2020-09-30 2023-07-07 腾讯科技(深圳)有限公司 Method, device, system, equipment and storage medium for identifying network traffic type
WO2022083641A1 (en) * 2020-10-23 2022-04-28 华为技术有限公司 Device identification method, apparatus and system
CN112600793A (en) * 2020-11-23 2021-04-02 国网山东省电力公司青岛供电公司 Internet of things equipment classification and identification method and system based on machine learning
CN114785708A (en) * 2021-01-20 2022-07-22 华为技术有限公司 Method for judging type of terminal equipment and related equipment
CN113328985B (en) * 2021-04-07 2022-12-09 西安交通大学 Passive Internet of things equipment identification method, system, medium and equipment
CN112989256B (en) * 2021-05-08 2021-09-24 北京华云安信息技术有限公司 Method and device for identifying web fingerprint in response information
CN113625073A (en) * 2021-06-23 2021-11-09 国网浙江省电力有限公司营销服务中心 Feature library replacing method and monitoring method of non-invasive load monitoring system
WO2023004707A1 (en) * 2021-07-29 2023-02-02 西门子股份公司 Method and apparatus for device type identification
CN114615020B (en) * 2022-02-15 2023-05-26 中国人民解放军战略支援部队信息工程大学 Method and system for rapidly identifying network equipment based on feature reduction and dynamic weighting

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572486A (en) * 2016-10-17 2017-04-19 湖北大学 Handheld terminal traffic identification method and system based on machine learning
CN106850333A (en) * 2016-12-23 2017-06-13 中国科学院信息工程研究所 Network device identification method and system based on feedback clustering
CN108259637A (en) * 2017-11-30 2018-07-06 湖北大学 NAT device identification method and device based on decision tree

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NAT device detection method based on the C5.0 decision tree; Shi Zhikai et al.; Computer Science (《计算机科学》); 2018-06-15; Vol. 45 (No. 6A); pp. 323-326 *

Also Published As

Publication number Publication date
CN109063745A (en) 2018-12-21

Similar Documents

Publication Publication Date Title
CN109063745B (en) Network equipment type identification method and system based on decision tree
CN109960729B (en) Method and system for detecting HTTP malicious traffic
Shapira et al. FlowPic: A generic representation for encrypted traffic classification and applications identification
CN109450842B (en) Network malicious behavior recognition method based on neural network
CN111385297B (en) Wireless device fingerprint identification method, system, device and readable storage medium
CN113206860B (en) DRDoS attack detection method based on machine learning and feature selection
Barut et al. Netml: A challenge for network traffic analytics
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN111600919A (en) Web detection method and device based on artificial intelligence
CN111131260A (en) Mass network malicious domain name identification and classification method and system
CN113328985B (en) Passive Internet of things equipment identification method, system, medium and equipment
CN110768875A (en) Application identification method and system based on DNS learning
CN111262849A (en) Method for identifying and blocking network abnormal flow behaviors based on flow table information
CN110868404A (en) Industrial control equipment automatic identification method based on TCP/IP fingerprint
Khandait et al. IoTHunter: IoT network traffic classification using device specific keywords
CN112003869A (en) Vulnerability identification method based on flow
US11477225B2 (en) Pre-emptive computer security
Wu et al. Tdae: Autoencoder-based automatic feature learning method for the detection of dns tunnel
CN111464510A (en) Network real-time intrusion detection method based on rapid gradient lifting tree model
CN112565308B (en) Malicious application detection method, device, equipment and medium based on network traffic
CN116170227A (en) Flow abnormality detection method and device, electronic equipment and storage medium
CN111431872A (en) Two-stage Internet of things equipment identification method based on TCP/IP protocol characteristics
CN113382003B (en) RTSP mixed intrusion detection method based on two-stage filter
CN110574348B (en) Data processing apparatus and method
KR102526935B1 (en) Network intrusion detection system and network intrusion detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant