CN112866275B - Flow sampling method, device and computer readable storage medium

Info

Publication number: CN112866275B
Authority: CN (China)
Application number: CN202110142710.8A
Other versions: CN112866275A
Other languages: Chinese (zh)
Legal status: Active
Inventors: 余杨, 杨波
Current assignee: Hangzhou Anheng Information Security Technology Co Ltd
Original assignee: Hangzhou Anheng Information Security Technology Co Ltd
Prior art keywords: data, flow, sampling, linked list, traffic

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The embodiments of the present application disclose a flow sampling method, device and medium. The obtained original flow packets are divided into a plurality of IP flow groups. According to the IP layer data and the application layer data of each IP flow group, the data packets sent by the source end in the IP flow group are stored in a first linked list, and the data packets sent by the destination end in the IP flow group are stored in a second linked list. Each IP flow group has its own first linked list and second linked list, which together hold the complete information of all round-trip sessions of one IP data flow. The data packets stored in the first linked list and the second linked list are then sampled according to a set sampling rule to obtain sampled data. Because the original flow packets are divided into IP flow groups and the IP data flow is restored from the IP layer data and the application layer data, sampling can be directed at IP flows, and the integrity of the data flow is preserved to the greatest extent during sampling.

Description

Flow sampling method, device and computer readable storage medium
Technical Field
The present application relates to the field of security detection technologies, and in particular, to a method and an apparatus for sampling traffic, and a computer-readable storage medium.
Background
When performing traffic security detection on metropolitan area network egress traffic, the traffic volume is very large, generally at the TB/s level or above, and the software and hardware of network security detection equipment are limited, so full traffic collection and detection cannot be used. Traffic sampling detection has therefore become an important method in high-volume security detection.
Common traffic sampling methods include periodic sampling, random sampling, and hierarchical sampling. Periodic sampling samples at a fixed time interval; it is relatively simple but has poor measurement performance. Random sampling determines the sampling start point and the sampling interval according to a predefined random process; the samples are independent of each other, which avoids the synchronization effects caused by periodic sampling. Hierarchical sampling divides the overall population into subsets according to hierarchical characteristics and then draws samples from the subsets; it can reduce the cost of the sampling process and obtain higher measurement accuracy for the same sample size. Current sampling methods are packet-based, but packet-based sampling may, because of sampling device performance limits, fail to capture the complete information of all round-trip sessions of a data stream.
It can be seen that how to preserve the integrity of the data stream to the maximum extent during sampling is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the application aims to provide a flow sampling method, a flow sampling device and a computer readable storage medium, which can preserve the integrity of a data stream to the maximum extent in the sampling process.
To solve the foregoing technical problem, an embodiment of the present application provides a flow sampling method, including:
dividing the obtained original flow packets into a plurality of IP flow groups;
storing, according to the IP layer data and the application layer data of each IP flow group, the data packets sent by the source end in the IP flow group in a first linked list and the data packets sent by the destination end in the IP flow group in a second linked list;
sampling the data packets stored in the first linked list and the second linked list according to a set sampling rule to obtain sampled data.
Optionally, dividing the obtained original flow packets into a plurality of IP flow groups includes:
analyzing the IP layer data of each piece of flow data in the original flow packets;
performing a hash operation on each piece of IP layer data to obtain a hash value for each piece of flow data, and taking the flow data with the same hash value as one IP flow group.
Optionally, after sampling the data packets stored in the first linked list and the second linked list according to the set sampling rule to obtain sampled data, the method further includes:
storing the sampled data in a preset buffer space.
Optionally, after sampling the data packets stored in the first linked list and the second linked list according to the set sampling rule to obtain sampled data, the method further includes:
analyzing the sampled data according to an analysis rule corresponding to the application layer data of the sampled data to obtain analyzed flow data;
judging whether the analyzed flow data matches a rule in a preset IDS rule base;
if flow data matching a rule in the IDS rule base exists, raising an alarm prompt.
Optionally, before dividing the obtained original flow packets into a plurality of IP flow groups, the method further includes:
discarding the data packets in the original flow packets that do not conform to the standard message format.
An embodiment of the present application also provides a flow sampling device, which comprises a shunting unit, a storage unit and a sampling unit;
the shunting unit is used for dividing the acquired original flow packets into a plurality of IP flow groups;
the storage unit is used for storing the data packets sent by the source end in the IP flow group in a first linked list and the data packets sent by the destination end in the IP flow group in a second linked list, according to the IP layer data and the application layer data of each IP flow group;
the sampling unit is used for sampling the data packets stored in the first linked list and the second linked list according to a set sampling rule to obtain sampled data.
Optionally, the shunting unit includes an analyzing subunit, a calculating subunit, and a serving subunit;
the analyzing subunit is configured to analyze the IP layer data of each piece of traffic data in the original traffic packets;
the calculating subunit is configured to perform a hash operation on each piece of IP layer data to obtain a hash value for each piece of traffic data;
the serving subunit is configured to take the traffic data with the same hash value as one IP traffic group.
Optionally, the device further comprises a cache unit;
the cache unit is used for storing the sampled data in a preset buffer space.
Optionally, the device further comprises an analysis unit, a judgment unit and a prompt unit;
the analysis unit is used for analyzing the sampled data according to an analysis rule corresponding to the application layer data of the sampled data to obtain analyzed flow data;
the judgment unit is used for judging whether the analyzed flow data matches a rule in a preset IDS rule base;
the prompt unit is used for raising an alarm if flow data matching a rule in the IDS rule base exists.
Optionally, the device further comprises a discarding unit;
the discarding unit is used for discarding the data packets in the original flow packets that do not conform to the standard message format.
An embodiment of the present application further provides a flow sampling device, including:
a memory for storing a computer program;
a processor for executing said computer program to implement the steps of the traffic sampling method as described in any one of the above.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the traffic sampling method are implemented as in any one of the above.
According to the above technical scheme, the acquired original flow packets are divided into a plurality of IP flow groups. According to the IP layer data and the application layer data of each IP flow group, the data packets sent by the source end in the IP flow group are stored in a first linked list, and the data packets sent by the destination end in the IP flow group are stored in a second linked list. All IP flow groups are processed in the same way: each IP flow group has its own first linked list and second linked list, which together hold the complete information of all round-trip sessions of one IP data stream. The data packets stored in the first linked list and the second linked list are sampled according to a set sampling rule to obtain sampled data. Because the original flow packets are divided into IP flow groups and the IP data flow is restored from the IP layer data and the application layer data, flow sampling can be performed per IP flow, the integrity of the data flow is preserved to the greatest extent during sampling, and the accuracy and effectiveness of subsequent security detection are guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings required for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a traffic sampling method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a flow sampling device according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of a hardware structure of a traffic sampling device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings.
Next, a flow sampling method provided in an embodiment of the present application is described in detail. Fig. 1 is a flowchart of a traffic sampling method provided in an embodiment of the present application, where the method includes:
S101: Split the acquired original traffic packets into a plurality of IP traffic groups.
Because packet-based sampling in the prior art may, owing to the performance limits of the sampling device, fail to extract the complete information of all round-trip sessions of one IP flow, the embodiment of the present application proposes splitting the original traffic packets by IP flow.
In a specific implementation, the IP layer data of each piece of traffic data in the original traffic packets can be analyzed; a hash operation is performed on each piece of IP layer data to obtain a hash value for each piece of traffic data; and the traffic data with the same hash value is taken as one IP traffic group.
The IP layer data may include a source IP address, a destination IP address, a source port, and a destination port, among others.
To distinguish different sessions, a hash operation may be performed on the IP layer data. Traffic data belonging to the same session has the same hash value, so in the embodiment of the present application traffic data having the same hash value may be taken as one IP traffic group. An IP traffic group contains the complete information of all round-trip sessions of an IP flow.
In this embodiment of the present application, to normalize the obtained original traffic packets, data packets that do not conform to the standard message format may be discarded before the original traffic packets are split into multiple IP traffic groups. In a specific implementation, the original traffic packets can be segmented according to the standard format of an IP packet, so that data packets that do not conform to the standard IP packet format are discarded.
S102: According to the IP layer data and the application layer data of each IP flow group, store the data packets sent by the source end in the IP flow group in a first linked list, and store the data packets sent by the destination end in the IP flow group in a second linked list.
The application layer data includes application layer protocol information, such as HyperText Transfer Protocol (HTTP) or Domain Name System (DNS). Different types of application layer protocols have their respective corresponding protocol numbers.
After the IP traffic groups are obtained, they may be sorted and the IP data streams restored. In a specific implementation, the five-tuple of an IP session (source IP address, destination IP address, source port, destination port, and protocol number) may be used as the key, and the hash value is calculated by performing an XOR operation on these five parameters. Session hash tables are created separately for IPv4 and IPv6. Each node of a hash table is an IP session, and an IP session contains two linked lists: the first linked list stores the data packets sent by the source end in the IP traffic group, and the second linked list stores the data packets sent by the destination end in the IP traffic group. The data packets in each linked list are reordered according to their sequence numbers and acknowledgment numbers.
S103: Sample the data packets stored in the first linked list and the second linked list according to a set sampling rule to obtain sampled data.
Conventional sampling approaches include periodic sampling, random sampling, and hierarchical sampling. The sampling rule may include any one or a combination of a plurality of sampling modes, and is not particularly limited herein.
In the embodiment of the present application, after the sample data is obtained, in order to facilitate querying the sample data, the sample data may be stored in a preset cache space.
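Steps S101 to S103 as an added Python sketch; it is not code from the patent or its assignee, and it goes slightly beyond the text by running packet-based periodic sampling on the same input for comparison. Assumptions: all record fields, class names and function names are hypothetical, Python lists stand in for the linked lists, the "source end" is taken to be the sender of the first packet seen, and the sampling rule is periodic sampling applied to whole sessions.

```python
import ipaddress
from collections import namedtuple

# Constructed record type: only the fields the described method uses.
Packet = namedtuple("Packet", "src dst sport dport proto seq")

def normalize(src, dst, sport, dport, proto, seq):
    """Return a Packet, or None for records that fail basic format checks."""
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None
    ports_ok = all(0 <= p <= 65535 for p in (sport, dport))
    ok = s.version == d.version and 0 <= proto <= 255 and ports_ok
    return Packet(s, d, sport, dport, proto, seq) if ok else None

def xor_hash(pkt, buckets=1024):
    """XOR of the five parameters. Swapping the endpoints gives the same
    value, so both directions of a session land in the same bucket."""
    h = int(pkt.src) ^ int(pkt.dst) ^ pkt.sport ^ pkt.dport ^ pkt.proto
    folded = 0
    while h:                      # fold 128-bit IPv6 values down to 32 bits
        folded ^= h & 0xFFFFFFFF
        h >>= 32
    return folded % buckets

def session_key(pkt):
    """Direction-independent identity, used to tell colliding sessions apart."""
    return (pkt.proto, frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

class Session:
    def __init__(self, first):
        self.key = session_key(first)
        # Assumption: the "source end" is the sender of the first packet seen.
        self.source = (first.src, first.sport)
        self.first_list = []      # packets sent by the source end
        self.second_list = []     # packets sent by the destination end

    def add(self, pkt):
        from_source = (pkt.src, pkt.sport) == self.source
        (self.first_list if from_source else self.second_list).append(pkt)

    def ordered(self):
        """Both directions, each reordered by sequence number."""
        return tuple(sorted(lst, key=lambda p: p.seq)
                     for lst in (self.first_list, self.second_list))

class FlowTable:
    def __init__(self, buckets=1024):
        self.buckets = buckets
        self.tables = {4: {}, 6: {}}   # separate session hash tables per IP version
        self.sessions = []             # creation order, used by the sampling rule
        self.discarded = 0

    def add(self, *fields):
        pkt = normalize(*fields)
        if pkt is None:
            self.discarded += 1
            return None
        chain = self.tables[pkt.src.version].setdefault(xor_hash(pkt, self.buckets), [])
        key = session_key(pkt)
        sess = next((s for s in chain if s.key == key), None)
        if sess is None:               # same bucket does not imply same session
            sess = Session(pkt)
            chain.append(sess)
            self.sessions.append(sess)
        sess.add(pkt)
        return sess

def sample_flows(table, every):
    """Periodic sampling applied to sessions: every n-th session, kept whole."""
    return [s for i, s in enumerate(table.sessions) if i % every == 0]

def sample_packets(records, every):
    """Packet-based periodic sampling, for comparison."""
    return [r for i, r in enumerate(records) if i % every == 0]

# Constructed capture: (src, dst, sport, dport, proto, seq), sessions interleaved.
CAPTURE = [
    ("10.0.0.1", "192.0.2.10", 40000, 80, 6, 100),     # A, client -> server
    ("10.0.0.2", "192.0.2.10", 40001, 53, 17, 0),      # B, query
    ("192.0.2.10", "10.0.0.1", 80, 40000, 6, 900),     # A, server -> client
    ("10.0.0.1", "192.0.2.10", 40000, 80, 6, 300),     # A, arrives early
    ("2001:db8::1", "2001:db8::2", 50000, 443, 6, 1),  # C, IPv6
    ("10.0.0.1", "192.0.2.10", 40000, 80, 6, 200),     # A, arrives late
    ("192.0.2.10", "10.0.0.2", 53, 40001, 17, 0),      # B, response
    ("10.0.0.1", "192.0.2.10", 80, 40000, 6, 5),       # D, same XOR hash as A
    ("10.0.0.3", "192.0.2.10", 70000, 80, 6, 1),       # malformed: port out of range
]

def build(capture=CAPTURE):
    table = FlowTable()
    for rec in capture:
        table.add(*rec)
    return table

if __name__ == "__main__":
    for s in sample_flows(build(), 2):
        print(s.source, [[p.seq for p in d] for d in s.ordered()])
```

Session D shares A's XOR value because only the ports are swapped, which is why each bucket keeps a chain and compares the full key; feeding `sample_packets(CAPTURE, 3)` into `build` instead leaves session A without its server-to-client packet.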
In the embodiment of the application, to ensure the security of the sampled data, the sampled data may be analyzed according to an analysis rule corresponding to its application layer data to obtain analyzed flow data, and it is then judged whether the analyzed flow data matches a rule in a preset IDS rule base.
The IDS rule base contains the data types and data formats that pose security risks.
If flow data matching a rule in the IDS rule base exists, the analyzed flow data carries a security risk. An alarm prompt can then be raised so that administrators can check the risky data in time, reducing the impact of the risky data.
Fig. 2 is a schematic structural diagram of a flow sampling device provided in an embodiment of the present application, including a shunting unit 21, a storage unit 22, and a sampling unit 23;
the shunting unit 21 is configured to split the acquired original traffic packets into multiple IP traffic groups;
the storage unit 22 is configured to store, according to the IP layer data and the application layer data of each IP flow group, the data packets sent by the source end in the IP flow group in a first linked list, and the data packets sent by the destination end in the IP flow group in a second linked list;
the sampling unit 23 is configured to sample the data packets stored in the first linked list and the second linked list according to a set sampling rule to obtain sampled data.
Optionally, the shunting unit includes an analyzing subunit, a calculating subunit, and a serving subunit;
the analyzing subunit is used for analyzing the IP layer data of each piece of flow data in the original flow packets;
the calculating subunit is used for performing a hash operation on each piece of IP layer data to obtain a hash value for each piece of flow data;
the serving subunit is used for taking the traffic data with the same hash value as one IP traffic group.
Optionally, the system further comprises a cache unit;
and the cache unit is used for storing the sampled data to a preset cache space.
Optionally, the system further comprises an analysis unit, a judgment unit and a prompt unit;
the analysis unit is used for analyzing the sampled data according to an analysis rule corresponding to the application layer data of the sampled data to obtain analyzed flow data;
the judging unit is used for judging whether the analyzed flow data is matched with a rule in a preset IDS rule base;
and the prompting unit is used for giving an alarm if the flow data matched with the rules in the IDS rule base exists.
Optionally, a discarding unit is further included;
and the discarding unit is used for discarding the data packet which does not conform to the standard format of the message in the original flow packet.
The description of the features in the embodiment corresponding to fig. 2 may refer to the related description of the embodiment corresponding to fig. 1, and is not repeated here.
According to the above technical scheme, the obtained original traffic packets are divided into a plurality of IP traffic groups. According to the IP layer data and the application layer data of each IP flow group, the data packets sent by the source end in the IP flow group are stored in a first linked list, and the data packets sent by the destination end in the IP flow group are stored in a second linked list. All IP flow groups are processed in the same way: each IP flow group has its own first linked list and second linked list, which together hold the complete information of all round-trip sessions of one IP data stream. The data packets stored in the first linked list and the second linked list are sampled according to a set sampling rule to obtain sampled data. Because the original flow packets are divided into IP flow groups and the IP data flow is restored from the IP layer data and the application layer data, flow sampling can be performed per IP flow, the integrity of the data flow is preserved to the greatest extent during sampling, and the accuracy and effectiveness of subsequent security detection are guaranteed.
Fig. 3 is a schematic hardware structure diagram of a traffic sampling device 30 according to an embodiment of the present disclosure, including:
a memory 31 for storing a computer program;
a processor 32 for executing a computer program for implementing the steps of the traffic sampling method as described in any of the embodiments above.
The embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, and when being executed by a processor, the computer program implements the steps of the traffic sampling method according to any of the embodiments.
A traffic sampling method, a traffic sampling device, and a computer-readable storage medium according to embodiments of the present application are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, without departing from the principle of the present application, the present application can also make several improvements and modifications, and those improvements and modifications also fall into the protection scope of the claims of the present application.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (8)

1. A method of sampling a flow, comprising:
dividing the obtained original flow packets into a plurality of IP flow groups;
storing a data packet sent by a source end in each IP flow group to a first linked list and storing a data packet sent by a destination end in each IP flow group to a second linked list according to the IP layer data and the application layer data of each IP flow group;
sampling the data packets stored in the first linked list and the second linked list according to a set sampling rule to obtain sampling data;
the splitting of the acquired original traffic packets into a plurality of IP traffic groups includes:
analyzing the IP layer data of each flow data in the original flow packet;
performing hash operation on the data of each IP layer to obtain a hash value of each flow data; and taking the traffic data with the same hash value as an IP traffic group.
2. The traffic sampling method according to claim 1, further comprising, after sampling the packets stored in the first linked list and the second linked list according to the set sampling rule to obtain sampled data:
and storing the sampled data to a preset buffer space.
3. The traffic sampling method according to claim 1, further comprising, after sampling the packets stored in the first linked list and the second linked list according to a set sampling rule to obtain sampled data:
analyzing the sampled data according to an analysis rule corresponding to the application layer data of the sampled data to obtain analyzed flow data;
judging whether the analyzed flow data is matched with a rule in a preset IDS rule base or not;
and if the flow data matched with the rules in the IDS rule base exists, carrying out alarm prompt.
4. The traffic sampling method according to any one of claims 1 to 3, further comprising, before said splitting the acquired original traffic packets into a plurality of IP traffic groups:
and discarding the data packet which does not accord with the standard format of the message in the original flow packet.
5. A flow sampling device, characterized by comprising a shunting unit, a storage unit and a sampling unit;
the shunting unit is used for dividing the acquired original flow packets into a plurality of IP flow groups;
the storage unit is used for storing the data packet sent by the source end in the IP flow group to a first linked list and storing the data packet sent by the destination end in the IP flow group to a second linked list according to the IP layer data and the application layer data of each IP flow group;
the sampling unit is used for sampling the data packets stored in the first linked list and the second linked list according to a set sampling rule to obtain sampling data;
the shunting unit comprises an analysis subunit, a calculation subunit and a serving subunit;
the analysis subunit is configured to analyze the IP layer data of each piece of traffic data in the original traffic packet;
the calculation subunit is configured to perform a hash operation on each IP layer data to obtain a hash value of each traffic data;
the serving subunit is configured to take the traffic data with the same hash value as an IP traffic group.
6. The flow sampling device according to claim 5, further comprising a parsing unit, a judging unit, and a prompting unit;
the analysis unit is used for analyzing the sampled data according to an analysis rule corresponding to the application layer data of the sampled data to obtain analyzed flow data;
the judging unit is used for judging whether the analyzed flow data is matched with a rule in a preset IDS rule base;
and the prompting unit is used for performing alarm prompting if the flow data matched with the rules in the IDS rule base exists.
7. A flow sampling device, comprising:
a memory for storing a computer program;
a processor for executing said computer program to implement the steps of the flow sampling method of any one of claims 1 to 4.
8. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the traffic sampling method according to any one of claims 1 to 4.
Application Number    Priority Date    Filing Date    Status    Publication     Title
CN202110142710.8A     2021-02-02       2021-02-02     Active    CN112866275B    Flow sampling method, device and computer readable storage medium

Publications (2)

Publication Number    Publication Date
CN112866275A          2021-05-28
CN112866275B          2022-07-15

Family ID: 75986239
