CN113905411B - Detection method, device, equipment and storage medium for deep packet inspection identification rule - Google Patents


Info

Publication number
CN113905411B
Authority
CN
China
Prior art keywords
service
deep packet
identification rule
packet detection
rule
Legal status
Active
Application number
CN202111265051.3A
Other languages
Chinese (zh)
Other versions
CN113905411A (en)
Inventor
张晴晴
韩玉辉
程新洲
吴洋
郝若晶
高洁
张亚南
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Events
Application filed by China United Network Communications Group Co Ltd
Priority to CN202111265051.3A
Publication of CN113905411A
Application granted
Publication of CN113905411B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W24/00: Supervisory, monitoring or testing arrangements
    • H04W24/08: Testing, supervising or monitoring using real traffic
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Abstract

The application provides a detection method, apparatus, device and storage medium for deep packet inspection (DPI) identification rules, in the field of communications. The method comprises: identifying a data flow with the DPI identification rules to obtain a validity verification index for each service, where each service corresponds to one or more DPI identification rules; classifying all services in the service library according to the validity verification index into a first service set and a second service set; for each first service in the first service set, determining that a DPI identification rule corresponding to the first service is valid when that rule has a hit, and invalid when it has no hit; and for each second service in the second service set, determining that the DPI identification rules corresponding to the second service are invalid. The method can be applied to the detection of DPI identification rules and addresses the low efficiency of detecting whether such rules are effective.

Description

Detection method, device, equipment and storage medium for deep packet inspection identification rule
Technical Field
The present invention relates to the field of communications, and in particular to a method, apparatus, device and storage medium for detecting a deep packet inspection (DPI) identification rule.
Background
In the mobile communication market, the network traffic generated by mobile services accounts for most of the traffic on an operator's network. Identifying and mining the network traffic of mobile services has therefore become a requirement for every large operator.
At present, operators identify the network traffic of mobile services mainly on the basis of identification rules in a rule base, implemented with deep packet inspection (DPI) technology. Identifying traffic with DPI requires an effective rule base, that is, effective identification rules, and the validity of those rules is mostly judged by manual experience.
However, judging the validity of identification rules by manual experience is inefficient.
Disclosure of Invention
The application provides a detection method, apparatus, device and storage medium for DPI identification rules that can improve the efficiency of detecting whether DPI identification rules are valid.
In a first aspect, the application provides a method for detecting a DPI identification rule, the method comprising:
acquiring a data flow of an operator network over a first period; identifying the data flow with the DPI identification rules in a preset rule base to obtain a validity verification index for each service in a preset service library, where each service corresponds to one or more DPI identification rules; classifying all services in the service library according to the validity verification index into a first service set, containing the services accessed by users, and a second service set, containing the services not accessed by users; for each first service in the first service set, determining that a DPI identification rule corresponding to the first service is valid when that rule has a hit and invalid when it has no hit; and for each second service in the second service set, determining that the DPI identification rules corresponding to the second service are invalid.
In a possible implementation, the DPI identification rule includes a service name and a protocol field, and the method further includes: when the DPI identification rule corresponding to the first service has a hit, marking it with a first identifier; when it has no hit, judging from the service name and/or protocol field of the rule whether the rule uniquely corresponds to the first service, and, when it does, marking it with a second identifier, where a rule with the second identifier is of lower validity than a rule with the first identifier; acquiring the user's validity requirement for DPI identification rules; and determining target DPI identification rules according to that validity requirement and packaging them to generate a target rule base, where a target DPI identification rule is either a rule with the first identifier or a rule with the second identifier.
In another possible implementation, the method further includes: judging, from the service names and protocol fields of the rules with the first identifier and the rules with the second identifier, whether a rule with the first identifier conflicts with a rule with the second identifier; and, when they conflict, deleting either the rule with the first identifier or the rule with the second identifier.
In yet another possible implementation, the method further includes: judging, from the service names and protocol fields of the rules with the first identifier and the rules with the second identifier, whether an inclusion relationship exists between a rule with the first identifier and a rule with the second identifier; deleting the rule with the second identifier when the rule with the first identifier contains it; and deleting the rule with the first identifier when the rule with the second identifier contains it.
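The conflict and inclusion checks of the two implementations above, as an added example that is not from the patent. It assumes the protocol field is a substring matched against a host name, reads "conflict" as an identical protocol field labelled with two different service names, reads "inclusion" as one rule's protocol field occurring inside another rule's for the same service, resolves a conflict by dropping the second-identifier rule, and uses constructed rule names and hosts (MarkedRule, dedupe_rules and the example.com hosts are all assumptions):

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class MarkedRule:
    """A DPI identification rule after validity marking: the service name it
    labels, its protocol field (assumed here to be a substring matched against
    the HTTP Host header) and its mark, "first" (hit) or "second" (missed but
    uniquely tied to its service)."""
    service: str
    proto: str
    mark: str

def contains(outer: MarkedRule, inner: MarkedRule) -> bool:
    """Inclusion (assumed definition): same service, and every flow inner can
    match is also matched by outer, which with substring matching means
    outer.proto occurs inside inner.proto."""
    return (outer.service == inner.service and outer.proto != inner.proto
            and outer.proto in inner.proto)

def conflicts(a: MarkedRule, b: MarkedRule) -> bool:
    """Conflict (assumed definition): identical protocol field but different
    service names, so one flow would be labelled with two services."""
    return a.proto == b.proto and a.service != b.service

def dedupe_rules(rules: List[MarkedRule]) -> List[MarkedRule]:
    """Apply the patent's pairwise policy between first- and second-identifier
    rules and return the surviving rules in their original order."""
    firsts = [r for r in rules if r.mark == "first"]
    seconds = [r for r in rules if r.mark == "second"]
    doomed = set()
    for f in firsts:
        for s in seconds:
            if conflicts(f, s):
                doomed.add(s)      # "delete any one": drop the lower-validity rule
            elif contains(f, s):
                doomed.add(s)      # first-identifier rule contains the second
            elif contains(s, f):
                doomed.add(f)      # second-identifier rule contains the first
    return [r for r in rules if r not in doomed]

# Constructed sample rule base after marking.
MARKED_RULES = [
    MarkedRule("video_app", "video.example.com", "first"),
    MarkedRule("video_app", "cdn.video.example.com", "second"),  # contained by the rule above
    MarkedRule("music_app", "music.example.com", "first"),
    MarkedRule("music_app", "example.com", "second"),            # contains the rule above
    MarkedRule("news_app", "api.news.example.com", "first"),
    MarkedRule("other_app", "api.news.example.com", "second"),   # conflicts with the rule above
    MarkedRule("chat_app", "chat.example.com", "second"),        # unrelated, kept
]

def surviving_rules() -> List[tuple]:
    """Rules left after the pairwise policy runs over the constructed sample."""
    return [(r.service, r.proto) for r in dedupe_rules(MARKED_RULES)]
```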
In another possible implementation, classifying the services according to the validity verification index into a first service set and a second service set includes: when the validity verification index of a service is not empty, determining that the service is a first service and adding it to the first service set; and when the validity verification index of a service is empty, determining that the service is a second service and adding it to the second service set.
In another possible implementation, classifying the services according to the validity verification index into a first service set and a second service set includes: acquiring the validity verification index of the whole data flow; determining a coverage rate for each service from the validity verification index of the service and the validity verification index of the data flow; when the coverage rate of a service is larger than a preset coverage rate threshold, determining that the service is a first service; and when the coverage rate of the DPI identification rules corresponding to a service is smaller than the preset coverage rate threshold, determining that the service is a second service.
In yet another possible implementation, determining, for each first service in the first service set, that the corresponding DPI identification rule is valid when it has a hit and invalid when it has no hit includes: when the validity verification index of the DPI identification rule is not empty, determining that the rule is valid; and when that index is empty, determining that the rule is invalid.
In yet another possible implementation, determining, for each first service in the first service set, that the corresponding DPI identification rule is valid when it has a hit and invalid when it has no hit includes: acquiring, from the data flow of the operator network, the validity verification index of each DPI identification rule corresponding to each first service; determining a hit rate for each such rule from the validity verification index of the first service and the validity verification index of the rule; judging from the hit rate whether the rule has a hit; when it has a hit, determining that the rule is valid; and when it has no hit, determining that the rule is invalid.
In another possible implementation, judging from the hit rate whether the DPI identification rule has a hit includes: comparing the hit rate with a preset hit rate threshold; when the hit rate is smaller than the threshold, determining that the rule has no hit; and when the hit rate is larger than the threshold, determining that the rule has a hit.
In another possible implementation, judging from the hit rate whether the DPI identification rule has a hit includes: determining from the hit rate a validity composite score for each DPI identification rule corresponding to each first service; when the score is larger than a preset score threshold, determining that the rule has a hit; and when the score is smaller than the threshold, determining that the rule has no hit.
In yet another possible implementation, the method further includes, for each second service in the second service set: judging from an application market library whether each second service exists, so as to obtain existing services and non-existent services, where the application market library includes services both inside and outside the service library; for each existing service, judging from the data flow of that service in the application market library whether each corresponding DPI identification rule has a hit, retaining the rules that hit and deleting the rules that do not; and for each non-existent service, deleting the service from the service library and deleting its corresponding DPI identification rules from the preset rule base.
In yet another possible implementation, the validity verification index includes one or more of the following: traffic volume, number of records, and number of users.
The detection method for DPI identification rules described above acquires the data flow of the operator network over the first period, where the data flow includes the network traffic of the services in the service library; identifies the data flow with the identification rules to be verified, obtaining validity verification indices in several dimensions for each service; classifies the services according to their validity verification indices into a first service set (services accessed by users) and a second service set (services not accessed by users); for each first service, determines that the corresponding DPI identification rule is valid when it has a hit and invalid when it has no hit; and for each second service, determines that the corresponding DPI identification rules are invalid. The method thus screens the effective identification rules automatically and improves the efficiency of judging rule validity.
In addition, after a missed identification rule has been determined to be invalid, whether that rule uniquely corresponds to its service can be judged from the service name and/or protocol field in the rule. Because an identification rule is used to identify the traffic of a service, a rule that corresponds to more than one service is less effective than a rule that uniquely corresponds to its service; the rules uniquely corresponding to a service are therefore retained, and the rules that do not are deleted.
In addition, after judging, for each service accessed by users, whether each of its identification rules has a hit in the data flow, the rules that hit can be marked with a first identifier; a missed rule is checked for whether it uniquely corresponds to its service, and a missed rule that does is marked with a second identifier, whose validity is lower than that of the first identifier; the user's validity requirement for identification rules is acquired; and, according to that requirement, the rules with the first identifier or the rules with the second identifier are selected as target identification rules and packaged into a target rule base, so that different user requirements are met and the user experience improves.
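The first-aspect procedure end to end (validity verification indices, service classification by coverage, per-rule hit rate, first/second identifier marking, target rule base), as an added example that is not from the patent. It assumes the DPI pass has already labelled each flow record with the rule that matched it, reads "uniquely corresponds" as the rule's protocol field not being shared with a rule of another service, and uses constructed thresholds, rules and traffic (Rule, Flow, Index, evaluate_rules and the example.com hosts are all assumptions):

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Rule:
    rule_id: str
    service: str   # service name the rule labels
    proto: str     # protocol field, assumed here to be an HTTP Host value

@dataclass
class Flow:
    user: str
    nbytes: int
    rule_id: Optional[str]   # rule that matched in the DPI pass, None if unmatched

@dataclass
class Index:
    """Validity verification index over the three dimensions the patent names."""
    flow: int = 0                                 # traffic volume in bytes
    records: int = 0                              # number of flow records
    users: Set[str] = field(default_factory=set)  # distinct users

    def add(self, f: Flow) -> None:
        self.flow += f.nbytes
        self.records += 1
        self.users.add(f.user)

def build_indices(rules: List[Rule], flows: List[Flow]):
    """Index per rule, per service and for the whole data stream."""
    service_of = {r.rule_id: r.service for r in rules}
    rule_idx, svc_idx, stream = defaultdict(Index), defaultdict(Index), Index()
    for f in flows:
        stream.add(f)
        if f.rule_id in service_of:           # unmatched flows count only for the stream
            rule_idx[f.rule_id].add(f)
            svc_idx[service_of[f.rule_id]].add(f)
    return rule_idx, svc_idx, stream

def classify_services(services, svc_idx, stream, coverage_threshold: float):
    """First set: record coverage above the threshold (0.0 gives the 'index not
    empty' variant); anything else, ties included, goes to the second set."""
    first, second = [], []
    for s in sorted(services):
        cov = svc_idx[s].records / stream.records if stream.records else 0.0
        (first if cov > coverage_threshold else second).append(s)
    return first, second

def uniquely_corresponds(rule: Rule, rules: List[Rule]) -> bool:
    """Assumed reading: no other rule ties the same protocol field to another service."""
    return not any(o.proto == rule.proto and o.service != rule.service
                   for o in rules if o.rule_id != rule.rule_id)

def evaluate_rules(rules, flows, coverage_threshold=0.01, hit_threshold=0.05):
    """Return {rule_id: 'first' | 'second' | 'invalid'}: service coverage picks the
    service set, then the per-rule hit rate within a first service picks the mark."""
    rule_idx, svc_idx, stream = build_indices(rules, flows)
    first_svcs, _ = classify_services({r.service for r in rules}, svc_idx,
                                      stream, coverage_threshold)
    verdict: Dict[str, str] = {}
    for r in rules:
        if r.service not in first_svcs:
            verdict[r.rule_id] = "invalid"    # second service: never accessed
            continue
        hit_rate = rule_idx[r.rule_id].records / svc_idx[r.service].records
        if hit_rate > hit_threshold:
            verdict[r.rule_id] = "first"      # rule has a hit
        elif uniquely_corresponds(r, rules):
            verdict[r.rule_id] = "second"     # missed, but unambiguous
        else:
            verdict[r.rule_id] = "invalid"    # missed and ambiguous
    return verdict

def target_rule_base(rules, verdict, requirement: str) -> List[Rule]:
    """Pack the rules that satisfy the user's validity requirement."""
    keep = {"strict": {"first"}, "loose": {"first", "second"}}[requirement]
    return [r for r in rules if verdict[r.rule_id] in keep]

# Constructed sample: six rules over three services and 100 flow records.
SAMPLE_RULES = [
    Rule("r1", "video_app", "video.example.com"),
    Rule("r2", "video_app", "v.example.com"),     # stale host, no traffic
    Rule("r3", "video_app", "cdn.example.com"),   # shared CDN host, rare hit
    Rule("r4", "music_app", "music.example.com"),
    Rule("r5", "music_app", "cdn.example.com"),   # same host as r3
    Rule("r6", "game_app", "game.example.com"),   # service with no traffic
]

def flows_of(rule_id: str, n: int, nbytes: int = 1000) -> List[Flow]:
    return [Flow(f"u{i % 4}", nbytes, rule_id) for i in range(n)]

SAMPLE_FLOWS = (flows_of("r1", 40) + flows_of("r3", 1) + flows_of("r4", 30)
                + flows_of("r5", 9) + [Flow("u9", 500, None) for _ in range(20)])

def run_sample():
    verdict = evaluate_rules(SAMPLE_RULES, SAMPLE_FLOWS)
    loose = [r.rule_id for r in target_rule_base(SAMPLE_RULES, verdict, "loose")]
    return verdict, loose
```

With the sample, r2 is missed but unambiguous and so survives only in the "loose" rule base, while r3 is missed and shares its host with a music_app rule and is dropped outright.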
In a second aspect, the application further provides a detection apparatus for DPI identification rules, which may include an acquisition module and a processing module.
The acquisition module is used to acquire the data flow of the operator network over the first period.
The processing module is used to identify the data flow with the DPI identification rules in the preset rule base to obtain the validity verification index for each service in the preset service library, where each service corresponds to one or more DPI identification rules; to classify all services in the service library according to the validity verification index into a first service set (services accessed by users) and a second service set (services not accessed by users); for each first service in the first service set, to determine that the corresponding DPI identification rule is valid when it has a hit and invalid when it has no hit; and for each second service in the second service set, to determine that the corresponding DPI identification rules are invalid.
In a possible implementation, the DPI identification rule includes a service name and a protocol field, and the processing module is further configured to mark the rule corresponding to the first service with a first identifier when it has a hit; when it has no hit, to judge from the service name and/or protocol field whether the rule uniquely corresponds to the first service; and, when it does, to mark it with a second identifier, where a rule with the second identifier is of lower validity than a rule with the first identifier. The acquisition module is further used to acquire the user's validity requirement for DPI identification rules. The processing module is further used to determine target DPI identification rules according to that requirement and package them into a target rule base, where a target DPI identification rule is either a rule with the first identifier or a rule with the second identifier.
In another possible implementation, the processing module is further configured to judge, from the service names and protocol fields of the rules with the first identifier and the rules with the second identifier, whether a rule with the first identifier conflicts with a rule with the second identifier, and, when they conflict, to delete either the rule with the first identifier or the rule with the second identifier.
In yet another possible implementation, the processing module is further configured to judge, from the service names and protocol fields of the rules with the first identifier and the rules with the second identifier, whether an inclusion relationship exists between a rule with the first identifier and a rule with the second identifier; to delete the rule with the second identifier when the rule with the first identifier contains it; and to delete the rule with the first identifier when the rule with the second identifier contains it.
In another possible implementation, the processing module is specifically configured to determine that a service is a first service, and add it to the first service set, when its validity verification index is not empty, and to determine that a service is a second service, and add it to the second service set, when its validity verification index is empty.
In another possible implementation, the acquisition module is specifically configured to acquire the validity verification index of the whole data flow, and the processing module is specifically configured to determine a coverage rate for each service from the validity verification index of the service and that of the data flow; to determine that a service is a first service when its coverage rate is larger than a preset coverage rate threshold; and to determine that a service is a second service when the coverage rate of its corresponding DPI identification rules is smaller than the preset coverage rate threshold.
In another possible implementation, the processing module is specifically configured to determine that a DPI identification rule is valid when its validity verification index is not empty, and invalid when its validity verification index is empty.
In yet another possible implementation, the acquisition module is specifically configured to acquire, from the data flow of the operator network, the validity verification index of each DPI identification rule corresponding to each first service. The processing module is specifically configured to determine a hit rate for each such rule from the validity verification index of the first service and the validity verification index of the rule; to judge from the hit rate whether the rule has a hit; and to determine that the rule is valid when it has a hit and invalid when it has no hit.
In yet another possible implementation, the processing module is specifically configured to judge whether the DPI identification rule has a hit by comparing the hit rate with a preset hit rate threshold: when the hit rate is smaller than the threshold, the rule has no hit; when it is larger than the threshold, the rule has a hit.
In another possible implementation, the processing module is specifically configured to determine from the hit rate a validity composite score for each DPI identification rule corresponding to each first service; to determine that the rule has a hit when the score is larger than a preset score threshold; and to determine that the rule has no hit when the score is smaller than the threshold.
In yet another possible implementation, the processing module is further configured, for each second service in the second service set, to judge from the application market library whether the second service exists, so as to obtain existing services and non-existent services, where the application market library includes services both inside and outside the service library. For each existing service, it judges from the data flow of that service in the application market library whether each corresponding DPI identification rule has a hit, retains the rules that hit and deletes the rules that do not. For each non-existent service, it deletes the service from the service library and deletes the corresponding DPI identification rules from the preset rule base.
In yet another possible implementation, the validity verification index includes one or more of the following: traffic volume, number of records, and number of users.
In a third aspect, the application provides a computer program product which, when run on a computer, causes the computer to perform the steps of the method of the first aspect, so as to implement the detection method for DPI identification rules described in the first aspect.
In a fourth aspect, the application provides an electronic device comprising a processor and a memory; the memory stores instructions executable by the processor, and the processor is configured to execute the instructions so that the electronic device implements the method of the first aspect.
In a fifth aspect, the application provides a computer-readable storage medium comprising computer software instructions which, when executed in an electronic device, cause the electronic device to implement the method of the first aspect.
For the advantageous effects of the second to fifth aspects, refer to the first aspect; they are not repeated here.
Drawings
To illustrate the embodiments of the application or the technical solutions in the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. The drawings described below show only some embodiments of the application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of a detection method for a DPI identification rule according to an embodiment of the application;
Fig. 2 is another flow chart of a detection method for a DPI identification rule according to an embodiment of the application;
Fig. 3 is a schematic flow chart of another detection method for a DPI identification rule according to an embodiment of the application;
Fig. 4 is a schematic flow chart of a detection method for a DPI identification rule according to an embodiment of the application;
Fig. 5 is a schematic flow chart of a detection method for a DPI identification rule according to an embodiment of the application;
Fig. 6 is a schematic diagram of a detection apparatus for DPI identification rules according to an embodiment of the application;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In order to clearly describe the technical solutions of the embodiments of the present application, in the embodiments of the present application, the terms "first", "second", and the like are used to distinguish the same item or similar items having substantially the same function and effect, and those skilled in the art will understand that the terms "first", "second", and the like are not limited in number and execution order.
In the mobile communication market, the network traffic corresponding to mobile services accounts for most of the network traffic of an operator network. How to identify and mine the network traffic corresponding to mobile services has become a requirement for every major operator.
Currently, operators identify the network traffic corresponding to a mobile service mainly on the basis of the identification rules in a rule base, implemented with deep packet inspection (DPI) technology. Identifying network traffic with DPI requires an effective rule base, that is, effective identification rules. The validity of an identification rule is mostly judged by manual experience.
However, judging the validity of an identification rule through manual experience is inefficient.
Against this background, the present application provides a detection method for deep packet inspection identification rules, which can judge and screen the validity of the identification rules in a rule base.
In some embodiments, the execution subject of the method may be a computer, a server, or other device with computing functions. Wherein the server may be a single server or may be a server cluster formed by a plurality of servers. In some implementations, the server cluster may also be a distributed cluster. The present application is not limited to the specific form of the execution subject of the method.
The server may be an application server capable of acquiring traffic data of various services in the network, or other servers connected to the application server capable of acquiring traffic data of various services in the network, or the like. The embodiments of the present application do not limit the specific type of server.
Fig. 1 is a flow chart of a detection method of a deep packet inspection identification rule according to an embodiment of the present application. As shown in fig. 1, the method may include S101 to S107.
S101, acquiring data streams of an operator network in a statistical period.
The statistical period may also be referred to as a first period, and the statistical period may be preset by a manager, for example, the statistical period may be 7 days, 30 days, 60 days, 90 days, or the like. The data flow may include network traffic corresponding to a plurality of services in a service library. The service library may include at least one service.
Illustratively, the service library may be as shown in table 1 below.
TABLE 1
Sequence number | Service name
1 | Video A
2 | Takeaway B
3 | Community C
As shown in table 1, the table may include a sequence number item and a service name item. The sequence number items may include the sequence numbers 1, 2, 3 and the like; the service name items may include the service names "video A", "takeaway B" and "community C". The sequence number "1" corresponds to the service name "video A", the sequence number "2" corresponds to the service name "takeaway B", and the sequence number "3" corresponds to the service name "community C".
S102, identifying the data flow by utilizing an identification rule to be verified, and obtaining the validity verification index corresponding to each service.
The recognition rule is a deep packet inspection recognition rule, hereinafter collectively referred to as a recognition rule. The identification rule to be verified may be any one of the identification rules in the rule base. The rule base may be preset by a manager.
Optionally, one service may correspond to a plurality of identification rules, and an identification rule may include a service name, a protocol field, and the like. For example, the protocol field may include a host domain name, a uniform resource identifier (URI), a user agent, and the like. The embodiment of the application does not limit the specific content of the protocol field in the identification rule.
In some possible embodiments, the validity verification indicator may include one or more of the following: flow rate, number of records, and number of users.
S103, classifying the services according to the validity verification indexes corresponding to the services to obtain the services accessed by the user and the services not accessed by the user.
It should be noted that, classifying the services according to the validity verification index corresponding to the services to obtain the services accessed by the user and the services not accessed by the user, that is, classifying all the services in the service library according to the validity verification index to obtain the first service set and the second service set; the first set of services includes services accessed by the user, which may be referred to as first services; the second set of services includes services not accessed by the user, which may be referred to as second services.
In some possible embodiments, classifying the service according to the validity verification index corresponding to the service to obtain the service accessed by the user and the service not accessed by the user may include: judging whether the validity verification index corresponding to the service is empty or not, and determining that the service is accessed by the user when the validity verification index corresponding to the service is not empty; and when the validity verification index corresponding to the service is empty, determining that the service is not accessed by the user.
In other possible embodiments, classifying the service according to the validity verification index corresponding to the service to obtain the service accessed by the user and the service not accessed by the user may include: acquiring a validity verification index corresponding to the data stream; determining the coverage rate corresponding to the service according to the validity verification index corresponding to the service and the validity verification index corresponding to the data stream; judging whether the coverage rate corresponding to the service is larger than a preset coverage rate threshold value; when the coverage rate corresponding to the service is larger than the preset coverage rate threshold value, determining that the service is accessed by a user; and when the coverage rate corresponding to the service is smaller than the preset coverage rate threshold value, determining that the service is not accessed by the user.
It should be noted that, when the coverage rate corresponding to the service is equal to the preset coverage rate threshold, it may be determined that the service is a service accessed by the user, or it is determined that the service is a service not accessed by the user.
Taking a preset coverage rate threshold value of 10% as an example, assuming that the coverage rate corresponding to the service 1 is 15%, it may be determined that the service 1 is a service accessed by the user according to that the coverage rate corresponding to the service 1 is 15% greater than the preset coverage rate threshold value of 10%.
In one possible implementation manner, the coverage rate corresponding to the service is determined according to the validity verification index corresponding to the service and the total validity verification index corresponding to the data stream, and the coverage rate can be calculated according to the following formula (1).
$$B_{ia} = \frac{V_{ia}}{SUM_a} \qquad \text{(1)}$$
In formula (1), i represents a service. a represents a validity verification index, a = {Flow, Count, User}, where Flow represents the validity verification index of the traffic dimension, Count represents the validity verification index of the record number dimension, and User represents the validity verification index of the user dimension. V_{ia} represents the sum of the values of service i in validity verification index a. SUM_a represents the sum of the values of validity verification index a in the current data stream. B_{ia} represents the coverage rate of service i in validity verification index a.
Taking video A as service i as an example, assume that the total traffic contained in one data stream is 200 gigabytes (GB) with 100,000 records, covering the traffic of 50,000 users, and that the traffic of video A identified by the identification rules corresponding to video A is 120 GB with 30,000 records, covering the traffic of 10,000 users. According to formula (1), the traffic coverage rate corresponding to video A is 60%, the record number coverage rate corresponding to video A is 30%, and the user coverage rate corresponding to video A is 20%.
S104, judging whether each identification rule corresponding to each service in the services accessed by the user has hit or not according to the data flow.
If there is a hit, then S105 is performed; if there is no hit, S106 is performed.
In some possible embodiments, determining whether each identification rule corresponding to the service has a hit according to the data flow may include: acquiring a validity verification index corresponding to each identification rule according to the data stream; judging whether the validity verification index corresponding to the identification rule is empty; determining that the identification rule has a hit when the validity verification index corresponding to the identification rule is not empty; and determining that the identification rule has no hit when the validity verification index corresponding to the identification rule is empty.
In other possible embodiments, determining whether each identification rule corresponding to each service has a hit according to the data flow may include: acquiring a validity verification index corresponding to each identification rule corresponding to each service according to the data flow; determining hit rates corresponding to the identification rules corresponding to each service according to the validity verification indexes corresponding to each service and the validity verification indexes corresponding to the identification rules corresponding to each service; judging whether the identification rule corresponding to each service has hit or not according to the hit rate; when the hit rate corresponding to the identification rule corresponding to each service is smaller than a preset hit rate threshold value, determining that the identification rule does not hit; and when the hit rate corresponding to the identification rule corresponding to each service is larger than a preset hit rate threshold value, determining that the identification rule has hit.
It should be noted that, when the hit rate corresponding to the identification rule corresponding to each service is equal to the preset hit rate threshold, it may be determined that the identification rule has a hit, or it may be determined that the identification rule has no hit.
Taking a preset hit rate threshold value of 15% as an example, assuming that the hit rate corresponding to the identification rule 1 corresponding to the service 1 is 20%, it may be determined that the identification rule 1 corresponding to the service 1 has a hit according to that the hit rate corresponding to the identification rule 1 corresponding to the service 1 is 20% greater than the preset hit rate threshold value of 15%.
In one possible implementation manner, the hit rate corresponding to the identification rule corresponding to each service is determined according to the validity verification index corresponding to each service and the validity verification index corresponding to the identification rule corresponding to each service, which may be calculated according to the following formula (2).
$$B_{ija} = \frac{v_{ija}}{V_{ia}} \qquad \text{(2)}$$
In formula (2), j represents an identification rule. v_{ija} represents the value of identification rule j corresponding to service i in validity verification index a. B_{ij} represents the hit rate corresponding to identification rule j corresponding to service i, B_{ij} = {Flow_{ij}, Count_{ij}, User_{ij}}, where Flow_{ij} represents the traffic hit rate, Count_{ij} the record number hit rate, and User_{ij} the user hit rate of identification rule j corresponding to service i.
Taking video A as service i and identification rule 1 corresponding to video A as identification rule j as an example, assume that in one data stream all the identification rules corresponding to video A together identify 120 GB of video A traffic, 30,000 records and 10,000 users, while identification rule 1 corresponding to video A identifies 10 GB of video A traffic, 10,000 records and 3,000 users. Then, according to formula (2), the traffic hit rate corresponding to identification rule 1 of video A is 8.33%, the record number hit rate is 33.33%, and the user hit rate is 30%.
Optionally, determining whether the identification rule corresponding to each service has a hit according to the hit rate may include: determining the validity composite score corresponding to the identification rule corresponding to each service according to the hit rate corresponding to that identification rule; judging whether the validity composite score corresponding to each identification rule is larger than a preset score threshold value; if yes, determining that the identification rule is valid and retaining it; if not, determining that the identification rule is invalid and deleting it.
In one possible implementation manner, the validity composite score corresponding to the identification rule corresponding to each service is determined according to the hit rate corresponding to the identification rule corresponding to each service, and may be calculated according to the following formula (3).
$$S_{ij} = \alpha \times Flow_{ij} + \beta \times Count_{ij} + \gamma \times User_{ij} \qquad \text{(3)}$$
In formula (3), S_{ij} represents the validity composite score of identification rule j corresponding to service i. α represents the traffic influence weight, β represents the record number influence weight, and γ represents the user influence weight. α, β and γ in formula (3) may be preset by a manager.
S105, determining that the hit recognition rule is valid.
S106, determining that the missed recognition rule fails.
S107, for each service in the services which are not accessed by the user, determining that the identification rule corresponding to the service is invalid.
Note that S107 may be performed before S104; or S107 is performed after S104; alternatively, S107 and S104 are performed simultaneously. The embodiment of the present application does not limit the timing relationship of executing S107 and S104.
The detection method of the deep packet inspection identification rule provided by the embodiment of the application can acquire the data flow of the operator network in the statistical period, wherein the data flow comprises the network flow of the service in the service library; identifying the data flow by utilizing an identification rule to be verified, and obtaining validity verification indexes of a plurality of dimensions corresponding to each service; classifying the services according to the validity verification indexes corresponding to the services to obtain the services accessed by the users and the services not accessed by the users; judging whether each identification rule corresponding to each service in the services accessed by the user has hit or not according to the data flow; determining that the hit recognition rule is valid; determining that the missed recognition rule fails; for each service in the services which are not accessed by the user, determining that the identification rule corresponding to the service is invalid. The method can automatically screen the effective recognition rules, and improves the efficiency of judging the effectiveness of the recognition rules.
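As an added illustration, not the patent's own code, the following Python computes formulas (1) to (3) and runs the S103 to S107 screening over the video A figures given in the text. The totals, video A and its identification rule 1 are the numbers from the text; identification rule 2, the "takeaway B" service, the single-dimension threshold comparison and the treatment of equality as "not exceeding" are assumptions.

```python
"""Added example, not the patent's own code: the S101-S107 screening with the
validity verification indexes of formulas (1), (2) and (3). Sample figures are
the video A numbers from the text; rule 2 and takeaway B are constructed."""
from dataclasses import dataclass

# The three dimensions of the validity verification index a = {Flow, Count, User}.
DIMENSIONS = ("Flow", "Count", "User")


@dataclass(frozen=True)
class Index:
    """Validity verification index: traffic in GB, record count, user count."""
    flow: float
    count: int
    user: int

    def as_dict(self):
        return {"Flow": self.flow, "Count": self.count, "User": self.user}

    def is_empty(self):
        """The 'empty index' criterion of S103 / S104 (first embodiment)."""
        return self.flow == 0 and self.count == 0 and self.user == 0


def coverage(service_index, stream_index):
    """Formula (1): B_ia = V_ia / SUM_a, one ratio per dimension a."""
    s, t = service_index.as_dict(), stream_index.as_dict()
    return {a: (s[a] / t[a] if t[a] else 0.0) for a in DIMENSIONS}


def hit_rate(rule_index, service_index):
    """Formula (2): B_ija = v_ija / V_ia, one ratio per dimension a."""
    r, s = rule_index.as_dict(), service_index.as_dict()
    return {a: (r[a] / s[a] if s[a] else 0.0) for a in DIMENSIONS}


def composite_score(rates, alpha, beta, gamma):
    """Formula (3): S_ij = alpha*Flow_ij + beta*Count_ij + gamma*User_ij."""
    return alpha * rates["Flow"] + beta * rates["Count"] + gamma * rates["User"]


def detect_rules(services, stream_index, coverage_threshold, hit_threshold,
                 dimension="Flow"):
    """S103-S107. `services` maps service name -> (service Index,
    {rule name: rule Index}). Returns {rule name: "valid" | "invalid"}.
    Assumption (the text does not fix it): thresholds are compared on one
    dimension, `dimension`, and equality counts as not exceeding."""
    verdict = {}
    for name, (svc_index, rules) in services.items():
        accessed = coverage(svc_index, stream_index)[dimension] > coverage_threshold
        for rule_name, rule_index in rules.items():
            if not accessed:
                verdict[rule_name] = "invalid"  # S107: service never accessed
                continue
            hit = hit_rate(rule_index, svc_index)[dimension] > hit_threshold
            verdict[rule_name] = "valid" if hit else "invalid"  # S105 / S106
    return verdict


# Constructed sample: the statistical-period totals and video A from the text,
# plus a constructed rule 2 and a constructed "takeaway B" that nobody accessed.
STREAM = Index(flow=200.0, count=100_000, user=50_000)
VIDEO_A = Index(flow=120.0, count=30_000, user=10_000)
VIDEO_A_RULE_1 = Index(flow=10.0, count=10_000, user=3_000)
VIDEO_A_RULE_2 = Index(flow=110.0, count=20_000, user=7_000)   # constructed
SERVICES = {
    "video A": (VIDEO_A, {"rule 1": VIDEO_A_RULE_1, "rule 2": VIDEO_A_RULE_2}),
    "takeaway B": (Index(0.0, 0, 0), {"rule 3": Index(0.0, 0, 0)}),
}

if __name__ == "__main__":
    print(coverage(VIDEO_A, STREAM))          # Flow 0.6, Count 0.3, User 0.2
    print(hit_rate(VIDEO_A_RULE_1, VIDEO_A))  # Flow 0.0833, Count 0.3333, User 0.3
    print(detect_rules(SERVICES, STREAM, 0.10, 0.15))
```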
Optionally, after obtaining the coverage rate corresponding to the service and the hit rate corresponding to the identification rule corresponding to each service accessed by the user, a verification report may also be generated according to the coverage rate corresponding to the service and the hit rate corresponding to the identification rule corresponding to each service accessed by the user.
Taking video A as an example, assume that the identification rules corresponding to video A include identification rule 1 and identification rule 2, and that one data stream is identified with identification rule 1 and identification rule 2, giving a traffic coverage rate of 50%, a record number coverage rate of 20% and a user coverage rate of 82% for video A, a traffic hit rate of 3%, a record number hit rate of 1% and a user hit rate of 4% for identification rule 1, and a traffic hit rate of 2%, a record number hit rate of 2% and a user hit rate of 3% for identification rule 2. The verification report may then be as shown in table 2 below.
TABLE 2
Service name | Identification rule | Traffic coverage | Record number coverage | User coverage | Traffic hit rate | Record number hit rate | User hit rate
Video A | Identification rule 1 | 50% | 20% | 82% | 3% | 1% | 4%
Video A | Identification rule 2 | 50% | 20% | 82% | 2% | 2% | 3%
As shown in table 2, the table may include a service name item, an identification rule item, a traffic coverage item, a record number coverage item, a user coverage item, a traffic hit rate item, a record number hit rate item, and a user hit rate item. The service name item may include "video A"; the identification rule item may include "identification rule 1" and "identification rule 2"; the traffic coverage item may include "50%"; the record number coverage item may include "20%"; the user coverage item may include "82%"; the traffic hit rate item may include "3%" and "2%"; the record number hit rate item may include "1%" and "2%"; and the user hit rate item may include "4%" and "3%". The service name "video A", the identification rule "identification rule 1", the traffic coverage rate "50%", the record number coverage rate "20%", the user coverage rate "82%", the traffic hit rate "3%", the record number hit rate "1%" and the user hit rate "4%" correspond to one another; likewise the service name "video A", the identification rule "identification rule 2", the traffic coverage rate "50%", the record number coverage rate "20%", the user coverage rate "82%", the traffic hit rate "2%", the record number hit rate "2%" and the user hit rate "3%" correspond to one another.
In some possible embodiments, as described above, the identification rules may include a service name, a protocol field, and the like. After judging whether each identification rule corresponding to the service has hit or not according to the data flow for each service in the services accessed by the user, whether the identification rule uniquely corresponds to the service or not can also be judged according to the service name and/or the protocol field in the identification rule aiming at the missed identification rule. If yes, determining that the identification rule is valid and reserved; if not, determining that the identification rule is invalid and deleting. Fig. 2 is another flow chart of a detection method of deep packet inspection identification rule according to an embodiment of the present application. As shown in fig. 2, after S106, the method may further include S201 to S203.
S201, judging whether the identification rule corresponds to the service uniquely according to the service name and/or the protocol field in the identification rule.
In one possible implementation manner, according to the service name and/or the protocol field in the identification rule, determining whether the identification rule uniquely corresponds to the service may include: and judging whether the identification rule uniquely corresponds to the service according to the service name in the identification rule and/or the host domain name.
If yes, executing S202; if not, S203 is executed.
S202, reserving identification rules.
S203, deleting the identification rule.
In the detection method for deep packet inspection identification rules provided by the embodiment of the application, after a missed identification rule is determined to be invalid, whether that invalid identification rule uniquely corresponds to a service can be judged according to the service name and/or the protocol field in the identification rule. Because an identification rule is used to identify the traffic of a service, an identification rule that corresponds to more than one service is less effective than one that uniquely corresponds to a service. Retaining the identification rules that uniquely correspond to a service and deleting those that do not allows identification rules of higher effectiveness to be further screened out from the invalid identification rules, improving the accuracy of identification rule detection.
In other possible embodiments, after determining whether each identification rule corresponding to each service in the services accessed by the user has a hit according to the data flow, and determining the validity of the identification rule according to the hit condition, the first identifier may also be marked for the valid identification rule; judging whether the identification rule uniquely corresponds to the service according to the identification rule which fails, and marking a second identifier on the identification rule which fails and uniquely corresponds to the service; acquiring the validity requirement of a user on the identification rule; and selecting target recognition rules according to the validity requirements of the user, and packaging to generate a target rule base. Fig. 3 is a schematic flow chart of a detection method of deep packet inspection recognition rule according to an embodiment of the present application. As shown in fig. 3, after S103, the method may further include S301 to S309.
S301, judging whether each identification rule corresponding to each service in the services accessed by the user has hit or not according to the data flow.
S301 may be described with reference to S104 above, and will not be described here again.
If yes, executing S302 to S303; if not, S304 to S307 are performed.
S302, determining that the identification rule is valid.
S303, marking a first mark for the identification rule.
S304, determining that the identification rule fails.
S305, judging whether the identification rule corresponds to the service uniquely according to the service name and/or the protocol field in the identification rule.
S305 may be described with reference to S201 above, and will not be described here again.
If not, executing S306; if yes, S307 is executed.
S306, deleting the identification rule.
S307, marking the second mark for the identification rule.
Wherein the validity of the identification rule with the first identification is higher than the validity of the identification rule with the second identification.
S308, obtaining the validity requirement of the user on the identification rule.
It should be noted that S308 may be performed before or after any one of the steps preceding S309. The embodiment of the present application does not limit the timing relationship between S308 and the steps preceding S309.
S309, determining target recognition rules according to the validity requirements of the users and packaging the target recognition rules to generate a target rule base.
The target recognition rule may be any one of a recognition rule marked with the first identifier and a recognition rule marked with the second identifier.
According to the detection method for the deep packet inspection recognition rule, after judging whether each recognition rule corresponding to the service has hit or not according to the data flow for each service in the services accessed by the user, a first identifier can be marked for the hit recognition rule; judging whether the identification rule uniquely corresponds to the service according to the missed identification rule, marking a second identifier for the identification rule which is missed and uniquely corresponds to the service, wherein the validity of the identification rule with the second identifier is lower than that of the identification rule with the first identifier; acquiring the validity requirement of a user on the identification rule; according to the validity requirement, the identification rule with the first identifier or the identification rule with the second identifier is selected as the target identification rule to be packed to generate a target rule base, so that different requirements of users can be met, and the use experience of the users is improved.
In still other possible embodiments, after the identification rules with the first identifier and the identification rules with the second identifier have been determined, it may further be determined, according to the service name and the protocol field in each identification rule, whether an abnormal situation exists among the identification rules with the first identifier or the identification rules with the second identifier, and the abnormal situation may be adjusted.
Alternatively, the abnormal condition may include: the identification rules with the first identification or the identification rules with the second identification conflict; adjusting for the abnormal situation may include: any one of the conflicting identification rules is determined to be invalid and deleted. For example, determining a less valid one of the conflicting recognition rules to fail and delete; or, a protocol field or the like is added to any one of the conflicting recognition rules. The embodiment of the application does not limit how the conflict recognition rules are specifically adjusted.
Illustratively, taking service D and service E as examples, it is assumed that service D corresponds to the following identification rule [ D-6], and service E corresponds to the following identification rule [ E-6].
[D-6]
name=D
priority=1
host=.msf.3g.qq.com
Here, "name=D" indicates that the service corresponding to the identification rule [D-6] is service D. "priority=1" indicates that the identification rule [D-6] is an identification rule with the first identifier. "host=.msf.3g.qq.com" indicates the host domain name that the identification rule [D-6] is used to identify.
[E-6]
name=E
priority=1
host=.msf.3g.qq.com
Here, "name=E" indicates that the service corresponding to the identification rule [E-6] is service E. "priority=1" indicates that the identification rule [E-6] is an identification rule with the first identifier. "host=.msf.3g.qq.com" indicates the host domain name that the identification rule [E-6] is used to identify.
Then, since the protocol field in both the identification rule [D-6] and the identification rule [E-6] is "host=.msf.3g.qq.com" while the identification rule [D-6] and the identification rule [E-6] correspond to the different services D and E respectively, the identification rule [D-6] and the identification rule [E-6] are determined to conflict.
Alternatively, the abnormal condition may include: the identification rule with the first identifier or the identification rule with the second identifier has an inclusion relationship; adjusting for the abnormal situation may include: the identification rules containing other identification rules are reserved, and the contained identification rules are deleted. For example, when the deep packet inspection identification rule with the first identifier includes the deep packet inspection identification rule with the second identifier, deleting the deep packet inspection identification rule with the second identifier; and deleting the deep packet inspection and identification rule with the first identifier when the deep packet inspection and identification rule with the second identifier contains the deep packet inspection and identification rule with the first identifier.
Illustratively, also taking service D as an example, it is assumed that service D may correspond to the recognition rule [ D-6] and the recognition rule [ D-7] described below.
[D-6]
name=D
priority=1
host=.msf.3g.qq.com
Here, "name=D" indicates that the service corresponding to the identification rule [D-6] is service D. "priority=1" indicates that the identification rule [D-6] is an identification rule with the first identifier. "host=.msf.3g.qq.com" indicates the host domain name that the identification rule [D-6] is used to identify.
[D-7]
name=D
priority=1
host=.msf.3g.qq.com
useragent=V1_AND_SQ_
Here, "name=D" indicates that the service corresponding to the identification rule [D-7] is service D. "priority=1" indicates that the identification rule [D-7] is an identification rule with the first identifier. "host=.msf.3g.qq.com" indicates the host domain name that the identification rule [D-7] is used to identify. "useragent=V1_AND_SQ_" indicates that the identification rule [D-7] is used to identify the user agent V1_AND_SQ_.
Since the identification rule [D-6] includes "host=.msf.3g.qq.com" while the identification rule [D-7] includes both "host=.msf.3g.qq.com" and "useragent=V1_AND_SQ_", it may be determined that the identification rule [D-6] contains the identification rule [D-7], and the identification rule [D-7] is therefore deleted.
According to the detection method for the deep packet inspection recognition rule, after the recognition rule with the first mark and the recognition rule with the second mark are determined, whether conflict and inclusion relation exist between the recognition rules or not can be judged according to the service names and the protocol fields in the recognition rules, the conflict recognition rules are adjusted, the included recognition rules are deleted, repeated recognition of the same service is reduced, and the effectiveness of the screened recognition rules is improved as a whole.
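The following Python is an added example, not the patent's code: it parses identification rules written in the [D-6] layout shown above and implements the S201 uniqueness check (the host-domain-name variant) together with the conflict and inclusion checks just described, so it serves both the S201 to S203 passage and this one. The rule text, the extra rule [F-1], the exact uniqueness criterion and the "subset of protocol fields" containment criterion are assumptions.

```python
"""Added example, not the patent's own code: parses rule definitions in the
[D-6] / name= / priority= / host= layout shown in the text and applies the
S201 uniqueness check and the conflict and inclusion checks described above."""
from collections import defaultdict

# Constructed rule text in the layout of the patent's [D-6], [E-6], [D-7]
# examples; [F-1] is an added rule whose host no other service uses.
RULE_TEXT = """
[D-6]
name=D
priority=1
host=.msf.3g.qq.com

[E-6]
name=E
priority=1
host=.msf.3g.qq.com

[D-7]
name=D
priority=1
host=.msf.3g.qq.com
useragent=V1_AND_SQ_

[F-1]
name=F
priority=2
host=.example.invalid
"""

# Keys that are protocol fields; name and priority are not matched on traffic.
PROTOCOL_FIELDS = ("host", "uri", "useragent")


def parse_rules(text):
    """Return {rule id: {key: value}} from the bracketed rule sections."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            rules[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            rules[current][key.strip().lower()] = value.strip()
    return rules


def protocol_fields(rule):
    return {k: v for k, v in rule.items() if k in PROTOCOL_FIELDS}


def uniquely_corresponds(rule_id, rules):
    """S201 (host variant): a rule is unique to its service when its host
    domain name is not also claimed by a rule with a different service name."""
    host, name = rules[rule_id].get("host"), rules[rule_id].get("name")
    return not any(r.get("host") == host and r.get("name") != name
                   for rid, r in rules.items() if rid != rule_id)


def find_conflicts(rules):
    """Two rules conflict when they match identical protocol fields but
    carry different service names (the [D-6] / [E-6] case)."""
    by_fields = defaultdict(list)
    for rid, r in rules.items():
        by_fields[tuple(sorted(protocol_fields(r).items()))].append(rid)
    return [tuple(sorted(ids)) for ids in by_fields.values()
            if len({rules[i]["name"] for i in ids}) > 1]


def find_contained(rules):
    """Rule A contains rule B (same service) when every protocol field of A
    appears in B with the same value and B has additional fields; B is the
    one to delete. Returns {contained rule id: containing rule id}."""
    contained = {}
    for a, ra in rules.items():
        for b, rb in rules.items():
            if a == b or ra["name"] != rb["name"]:
                continue
            fa, fb = protocol_fields(ra), protocol_fields(rb)
            if fa.items() <= fb.items() and len(fb) > len(fa):
                contained[b] = a
    return contained


if __name__ == "__main__":
    rules = parse_rules(RULE_TEXT)
    print(find_conflicts(rules))   # [('D-6', 'E-6')]
    print(find_contained(rules))   # {'D-7': 'D-6'}
    print({rid: uniquely_corresponds(rid, rules) for rid in rules})
```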
In some embodiments, for the services not accessed by the user, whether each service exists may also be determined according to an application market library, and the identification rules corresponding to the existing services may be detected. Fig. 4 is a schematic flow chart of a detection method for a deep packet inspection identification rule according to an embodiment of the present application. As shown in fig. 4, after S103, the method may further include S401 to S405.
S401, judging whether each service exists or not according to an application market base for each service in the services which are not accessed by the user, and obtaining the existing service and the non-existing service.
The application market library may include services in the service library and services outside the service library. For example, the application market library may be obtained from the services in the application store of at least one major mobile terminal vendor. The embodiments of the present application do not limit how the application market library is obtained.
Note that S401 may be performed before S104; alternatively, S401 is performed after S104; alternatively, S401 and S104 are performed simultaneously. The embodiment of the present application does not limit the timing relationship of executing S401 and S104.
In one possible implementation manner, for each service in the services not accessed by the user, determining whether each service exists according to the application market base may include: acquiring the updating time of the business in the application market library; judging whether the updating time of the service is earlier than a preset time threshold value; if yes, determining that the service does not exist; if not, determining that the service exists.
S402, for each existing service, judging whether the identification rule corresponding to the service has a hit according to the data flow of the service in the application market library.
The step of determining whether the recognition rule has hit in S402 may be described with reference to S104, and will not be described herein.
If there is a hit, then S403 is executed; if there is no hit, S404 is performed.
It should be noted that, for the existing service, whether the identification rule corresponding to the service has a hit is determined according to the data flow of the service in the application market base, which may be described with reference to S104, and will not be described here again.
In some possible embodiments, for a service that exists, before determining whether the identification rule corresponding to the service has hit according to the data flow of the service in the application market base, the data flow of the service may also be collected from the application market base.
S403, retaining the identification rule that has a hit.
S404, deleting the identification rule that is not hit.
S405, for each service that does not exist, deleting the service from the service library, and deleting the identification rule corresponding to the service from the rule library.
Note that S405 may be performed before S402; alternatively, S405 is performed after S402; alternatively, S405 and S402 are performed simultaneously. The embodiment of the present application does not limit the timing relationship of executing S405 and S402.
According to the DPI identification rule detection method provided by the embodiment of the application, for each service among the services not accessed by the user, whether the service exists can be judged according to the application market library, obtaining the existing services and the non-existing services; for each existing service, whether its identification rule has a hit is judged according to the data flow of the service in the application market library; the identification rule that has a hit is retained; the identification rule that is not hit is deleted; and each service that does not exist is deleted from the service library, together with the identification rule corresponding to it in the rule library. For each service that the user did not access in the data stream of the operator network during the statistical period but that still exists, the data flow of the service is queried from the application market library and detected, which reduces the risk that an identification rule is deleted by mistake because of the limited statistical period over which the data stream was acquired.
Based on the understanding of the steps shown in fig. 2 and fig. 3, in some possible embodiments, for the services not accessed by the user, whether each service exists is determined according to the application market library, obtaining the existing services and the non-existing services; for each existing service, whether the identification rule corresponding to the service has a hit is judged according to the data flow of the service in the application market library, and the identification rule that has a hit is marked as a first identification rule; whether an identification rule uniquely corresponds to the service is judged according to the service name and/or the protocol field in the identification rule, and the identification rule uniquely corresponding to the service is marked as a second identification rule; whether an abnormal condition exists between the first identification rule and the second identification rule is judged according to the service name and the protocol field in the identification rules, and the abnormal condition is adjusted. Fig. 5 is a schematic flow chart of a detection method for a deep packet inspection identification rule according to an embodiment of the present application. As shown in fig. 5, the method may include S501 to S508.
S501, classifying the services according to the validity verification index to obtain the services accessed by the user and the services not accessed by the user.
S501 may be described with reference to S101 to S103, and will not be described here again.
S502, judging whether each identification rule corresponding to each service in the services accessed by the user has hit or not according to the data flow of the operator.
S502 may be described with reference to S104 above, and will not be described here again.
S503, judging whether each identification rule that is not hit uniquely corresponds to the service, and adjusting accordingly.
S503 may refer to S201 to S203, or S305 to S306, which are not described herein.
S504, for each identification rule that has a hit and each identification rule uniquely corresponding to the service, judging whether an abnormal condition exists between the identification rules, and adjusting accordingly.
S504 may be described with reference to the conflict between the identification rule with the first identifier and the identification rule with the second identifier, or the inclusion relationship between the identification rule with the first identifier and the identification rule with the second identifier, described above, and will not be described here again.
S505, judging whether each service in the services which are not accessed by the user exists according to the application market library.
S505 may be described with reference to S401 above, and will not be described here again.
S506, for each existing service, judging whether the identification rule corresponding to the service has a hit according to the data flow of the application market library.
S506 may be described with reference to S402, and will not be described herein.
S507, judging whether each identification rule that is not hit uniquely corresponds to the service, and adjusting accordingly.
S507 may refer to S201 to S203, or S303 to S305, which are not described herein.
S508, for each identification rule that has a hit and each identification rule uniquely corresponding to the service, judging whether an abnormal condition exists between the identification rules, and adjusting accordingly.
S508 may be described with reference to the conflict between the identification rule with the first identifier and the identification rule with the second identifier, or the inclusion relationship between the identification rule with the first identifier and the identification rule with the second identifier, described above, and will not be described here again.
In an exemplary embodiment, the application further provides a detection device for detecting the identification rule of the deep packet inspection. Fig. 6 is a schematic diagram of a detection apparatus for deep packet inspection and identification rule according to an embodiment of the present application. As shown in fig. 6, the apparatus may include: an acquisition module 601 and a processing module 602; the acquisition module 601 is connected to the processing module 602.
An obtaining module 601 is configured to obtain a data flow of an operator network in a first period.
The processing module 602 is configured to identify a data stream by using a deep packet inspection identification rule in a preset rule base, so as to obtain a validity verification index corresponding to each service in the preset service base; each service corresponds to one or more deep packet inspection and identification rules; classifying all the services in the service library according to the validity verification index to obtain a first service set and a second service set; the first service set includes services accessed by the user; the second service set comprises services not accessed by the user; for each first service in the first set of services: when the deep packet detection and identification rule corresponding to the first service has hit, determining that the deep packet detection and identification rule is valid; and when the deep packet detection and identification rule corresponding to the first service is not hit, determining that the deep packet detection and identification rule is invalid. For each second service in the second set of services: and determining that the deep packet detection recognition rule corresponding to the second service fails.
In some possible embodiments, the deep packet inspection identification rule includes a service name and a protocol field, and the processing module 602 is further configured to mark the deep packet inspection identification rule with a first identifier when the deep packet inspection identification rule corresponding to the first service has a hit; when the deep packet inspection identification rule corresponding to the first service is not hit, judge whether the deep packet inspection identification rule uniquely corresponds to the first service according to the service name and/or protocol field in the deep packet inspection identification rule; and when the deep packet inspection identification rule uniquely corresponds to the service, mark the deep packet inspection identification rule with a second identifier, where the effectiveness of the deep packet inspection identification rule with the second identifier is lower than that of the deep packet inspection identification rule with the first identifier. The obtaining module 601 is further configured to obtain the validity requirement of the user on the deep packet inspection identification rule. The processing module 602 is further configured to determine a target deep packet inspection identification rule according to the validity requirement, and package the target deep packet inspection identification rule to generate a target rule base, where the target deep packet inspection identification rule is any one of a deep packet inspection identification rule with the first identifier and a deep packet inspection identification rule with the second identifier.
In other possible embodiments, the processing module 602 is further configured to determine, according to the service name and the protocol field in the deep packet inspection and identification rule with the first identifier and the deep packet inspection and identification rule with the second identifier, whether the deep packet inspection and identification rule with the first identifier and the deep packet inspection and identification rule with the second identifier conflict; when the deep packet inspection and identification rule with the first identifier conflicts with the deep packet inspection and identification rule with the second identifier, deleting any one of the deep packet inspection and identification rule with the first identifier and the deep packet inspection and identification rule with the second identifier.
In still other possible embodiments, the processing module 602 is further configured to determine, according to the service name and the protocol field in the deep packet inspection and identification rule with the first identifier and the deep packet inspection and identification rule with the second identifier, whether an inclusion relationship exists between the deep packet inspection and identification rule with the first identifier and the deep packet inspection and identification rule with the second identifier; deleting the deep packet inspection and identification rule with the second identifier when the deep packet inspection and identification rule with the first identifier contains the deep packet inspection and identification rule with the second identifier; and deleting the deep packet inspection and identification rule with the first identifier when the deep packet inspection and identification rule with the second identifier contains the deep packet inspection and identification rule with the first identifier.
In still other possible embodiments, the processing module 602 is specifically configured to determine that the service is a first service when the validity verification index corresponding to the service is not empty, and obtain a first service set according to the first service; and when the validity verification index corresponding to the service is empty, determining the service as a second service, and obtaining a second service set according to the second service.
In still other possible embodiments, the obtaining module 601 is specifically configured to obtain a validity verification indicator corresponding to the data stream. The processing module 602 is specifically configured to determine a coverage rate corresponding to a service according to a validity verification index corresponding to the service and a validity verification index corresponding to a data stream; when the coverage rate corresponding to the service is larger than a preset coverage rate threshold value, determining the service as a first service; and when the coverage rate corresponding to the deep packet inspection and identification rule corresponding to the service is smaller than a preset coverage rate threshold, determining that the service is a second service.
In still other possible embodiments, the processing module 602 is specifically configured to determine that the deep packet inspection recognition rule is valid when the validity verification index corresponding to the deep packet inspection recognition rule is not null; and when the validity index corresponding to the deep packet inspection and identification rule is empty, determining that the deep packet inspection and identification rule fails.
In still other possible embodiments, the obtaining module 601 is specifically configured to obtain, according to a data flow of the operator network, a validity verification indicator corresponding to a deep packet inspection identification rule corresponding to each first service. The processing module 602 is specifically configured to determine a hit rate corresponding to the deep packet inspection and identification rule corresponding to each first service according to the validity verification index corresponding to the first service and the validity verification index corresponding to the deep packet inspection and identification rule corresponding to each first service; judging whether the deep packet inspection recognition rule has hit or not according to the hit rate; when the deep packet detection and identification rule has hit, determining that the deep packet detection and identification rule is valid; when the deep packet inspection identification rule is not hit, determining that the deep packet inspection identification rule is invalid.
In still other possible embodiments, the processing module 602 is specifically configured to determine whether the deep packet inspection recognition rule has a hit according to the hit rate and a preset hit rate threshold; when the hit rate is smaller than a preset hit rate threshold value, determining that the deep packet detection recognition rule does not hit; and when the hit rate is larger than a preset hit rate threshold value, determining that the deep packet detection and identification rule has hit.
In still other possible embodiments, the processing module 602 is specifically configured to determine, according to the hit rate, a validity composite score corresponding to a deep packet inspection identification rule corresponding to each first service; when the validity comprehensive score is larger than a preset score threshold value, determining that a deep packet detection recognition rule has a hit; and when the validity comprehensive score is smaller than a preset score threshold value, determining that the deep packet detection recognition rule is not hit.
In still other possible embodiments, the processing module 602 is further configured to, for each second service in the second service set: judging whether each second service exists according to the application market library to obtain the existing service and the non-existing service, wherein the application market library comprises the service in the service library and the service outside the service library. For each service present: judging whether the deep packet detection recognition rule corresponding to each service has hit or not according to the data flow of each service in the application market base; the hit deep packet detection and identification rule is reserved; the missing deep packet inspection identification rule is deleted. For each service that does not exist: deleting each service from a service library, and deleting the deep packet inspection identification rule corresponding to each service from a preset rule library.
In still other possible embodiments, the validity verification indicator comprises one or more of the following: flow rate, number of records, and number of users.
In an exemplary embodiment, the present application further provides a computer program product, which when run on a computer, causes the computer to perform the above-mentioned related method steps to implement the detection method of the deep packet inspection identification rule in the above-mentioned embodiment.
In an exemplary embodiment, the present application also provides an electronic device. Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device may include: a processor 701 and a memory 702; the memory 702 stores instructions executable by the processor 701; the processor 701 is configured to execute the instructions, which, when executed, cause the electronic device to implement the method described in the preceding method embodiments.
In an exemplary embodiment, the present application also provides a computer-readable storage medium having computer program instructions stored thereon; the computer program instructions, when executed by an electronic device, cause the electronic device to implement the method described in the preceding embodiments. The computer-readable storage medium may be a non-transitory computer-readable storage medium, which may be, for example, ROM, Random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. A method for detecting a deep packet inspection recognition rule, the method comprising:
acquiring a data stream of an operator network in a first period;
identifying the data flow by utilizing a deep packet detection identification rule in a preset rule base to obtain a validity verification index corresponding to each service in a preset service base; each service corresponds to one or more deep packet inspection and identification rules;
classifying all the services in the service library according to the validity verification index to obtain a first service set and a second service set; the first service set comprises services accessed by a user; the second service set comprises services which are not accessed by the user;
for each first service in the first set of services: when the deep packet detection and identification rule corresponding to the first service has hit, determining that the deep packet detection and identification rule is valid; when the deep packet detection and identification rule corresponding to the first service is not hit, determining that the deep packet detection and identification rule is invalid;
for each second service in the second set of services: determining that the deep packet detection recognition rule corresponding to the second service fails;
when the deep packet detection and identification rule corresponding to the first service has hit, marking a first identifier for the deep packet detection and identification rule;
when the deep packet detection and identification rule corresponding to the first service is not hit, judging whether the deep packet detection and identification rule uniquely corresponds to the first service according to the service name and/or the protocol field in the deep packet detection and identification rule;
when the deep packet detection and identification rule is uniquely corresponding to the service, marking a second identifier for the deep packet detection and identification rule, wherein the effectiveness of the deep packet detection and identification rule with the second identifier is lower than that of the deep packet detection and identification rule with the first identifier;
acquiring the validity requirement of a user on a deep packet inspection and identification rule;
and determining a target deep packet detection and identification rule according to the validity requirement, and packaging the target deep packet detection and identification rule to generate a target rule base, wherein the target deep packet detection and identification rule is any one of a deep packet detection and identification rule with a first identifier and a deep packet detection and identification rule with a second identifier.
2. The method according to claim 1, wherein the method further comprises:
judging whether the deep packet detection and identification rule with the first identifier conflicts with the deep packet detection and identification rule with the second identifier or not according to the service name and the protocol field in the deep packet detection and identification rule with the first identifier and the deep packet detection and identification rule with the second identifier;
and deleting any one of the deep packet inspection and identification rule with the first identifier and the deep packet inspection and identification rule with the second identifier when the deep packet inspection and identification rule with the first identifier and the deep packet inspection and identification rule with the second identifier conflict.
3. The method according to claim 1, wherein the method further comprises:
judging whether an inclusion relationship exists between the deep packet detection and identification rule with the first identifier and the deep packet detection and identification rule with the second identifier according to the service name and the protocol field in the deep packet detection and identification rule with the first identifier and the deep packet detection and identification rule with the second identifier;
deleting the deep packet inspection and identification rule with the second identifier when the deep packet inspection and identification rule with the first identifier contains the deep packet inspection and identification rule with the second identifier;
and deleting the deep packet inspection and identification rule with the first identifier when the deep packet inspection and identification rule with the second identifier contains the deep packet inspection and identification rule with the first identifier.
4. The method of claim 1, wherein classifying the traffic according to the validity verification indicator to obtain a first traffic set and a second traffic set comprises:
when the validity verification index corresponding to the service is not empty, determining the service as a first service, and obtaining a first service set according to the first service;
and when the validity verification index corresponding to the service is empty, determining the service as a second service, and obtaining a second service set according to the second service.
5. The method of claim 1, wherein classifying the traffic according to the validity verification indicator to obtain a first traffic set and a second traffic set comprises:
acquiring a validity verification index corresponding to the data stream;
determining coverage rate corresponding to the service according to the validity verification index corresponding to the service and the validity verification index corresponding to the data stream;
when the coverage rate corresponding to the service is larger than a preset coverage rate threshold value, determining the service as a first service;
and when the coverage rate corresponding to the deep packet inspection and identification rule corresponding to the service is smaller than a preset coverage rate threshold, determining the service as a second service.
6. The method of claim 1, wherein, for each first service in the first set of services: when the deep packet detection and identification rule corresponding to the first service has hit, determining that the deep packet detection and identification rule is valid; when the deep packet detection and identification rule corresponding to the first service is not hit, determining that the deep packet detection and identification rule is invalid; comprises the following steps:
when the validity verification index corresponding to the deep packet detection and identification rule is not empty, determining that the deep packet detection and identification rule is valid;
and when the effectiveness index corresponding to the deep packet detection and identification rule is empty, determining that the deep packet detection and identification rule fails.
7. The method of claim 1, wherein, for each first service in the first set of services: when the deep packet detection and identification rule corresponding to the first service has hit, determining that the deep packet detection and identification rule is valid; when the deep packet detection and identification rule corresponding to the first service is not hit, determining that the deep packet detection and identification rule is invalid, comprises the following steps:
acquiring validity verification indexes corresponding to the deep packet inspection identification rules corresponding to each first service according to the data flow of the operator network;
determining hit rates corresponding to the deep packet inspection and identification rules corresponding to the first services according to the effectiveness verification indexes corresponding to the first services and the effectiveness verification indexes corresponding to the deep packet inspection and identification rules corresponding to the first services;
judging whether the deep packet detection and identification rule has hit or not according to the hit rate;
when the deep packet detection and identification rule has hit, determining that the deep packet detection and identification rule is valid;
and when the deep packet detection identification rule is not hit, determining that the deep packet detection identification rule is invalid.
8. The method of claim 7, wherein said determining whether there is a hit in the deep packet inspection identification rule based on the hit rate comprises:
judging whether the deep packet detection recognition rule has hit or not according to the hit rate and a preset hit rate threshold;
when the hit rate is smaller than a preset hit rate threshold value, determining that the deep packet detection recognition rule does not hit;
and when the hit rate is larger than a preset hit rate threshold value, determining that the deep packet detection and identification rule has hit.
9. The method of claim 7, wherein said determining whether there is a hit in the deep packet inspection identification rule based on the hit rate comprises:
determining a validity comprehensive score corresponding to the deep packet detection and identification rule corresponding to each first service according to the hit rate;
when the effectiveness comprehensive score is larger than a preset score threshold value, determining that the deep packet detection recognition rule has hit;
and when the validity comprehensive score is smaller than a preset score threshold value, determining that the deep packet detection recognition rule is not hit.
10. The method according to claim 1, wherein the method further comprises:
For each second service in the second set of services:
judging whether each second service exists or not according to an application market library, and obtaining the existing service and the non-existing service, wherein the application market library comprises the service in the service library and the service outside the service library;
for each service present:
judging whether the deep packet detection recognition rule corresponding to each service has hit or not according to the data flow of each service in the application market base;
the hit deep packet detection and identification rule is reserved;
deleting the missed deep packet detection and identification rule;
for each service that does not exist:
deleting each service from the service library, and deleting the deep packet inspection identification rule corresponding to each service from a preset rule library.
11. The method of any one of claims 1-9, wherein the validity verification indicator comprises one or more of the following: flow rate, number of records, and number of users.
12. A device for detecting identification rules of Deep Packet Inspection (DPI), the device comprising: the device comprises an acquisition module and a processing module;
the acquisition module is used for acquiring the data flow of the operator network in the first period;
the processing module is used for identifying the data flow by utilizing a deep packet detection identification rule in a preset rule base to obtain a validity verification index corresponding to each service in the preset service base; each service corresponds to one or more deep packet inspection and identification rules;
the processing module is further used for classifying all the services in the service library according to the validity verification index to obtain a first service set and a second service set; the first service set comprises services accessed by a user; the second service set comprises services which are not accessed by the user;
the processing module is further configured to, for each first service in the first service set: when the deep packet detection and identification rule corresponding to the first service has hit, determining that the deep packet detection and identification rule is valid; when the deep packet detection and identification rule corresponding to the first service is not hit, determining that the deep packet detection and identification rule is invalid;
the processing module is further configured to, for each second service in the second service set: determining that the deep packet detection recognition rule corresponding to the second service fails;
The processing module is further configured to mark a first identifier for the deep packet detection and identification rule when the deep packet detection and identification rule corresponding to the first service has a hit; when the deep packet detection and identification rule corresponding to the first service is not hit, judging whether the deep packet detection and identification rule uniquely corresponds to the first service according to the service name and/or the protocol field in the deep packet detection and identification rule; when the deep packet detection and identification rule is uniquely corresponding to the service, marking a second identifier for the deep packet detection and identification rule, wherein the effectiveness of the deep packet detection and identification rule with the second identifier is lower than that of the deep packet detection and identification rule with the first identifier;
the acquisition module is also used for the validity requirement of the user on the deep packet inspection and identification rule;
the processing module is further configured to determine a target deep packet detection and identification rule according to the validity requirement, and package the target deep packet detection and identification rule to generate a target rule base, where the target deep packet detection and identification rule is any one of a deep packet detection and identification rule with a first identifier and a deep packet detection and identification rule with a second identifier.
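The identification, classification, marking and packaging steps of claim 12 worked through as an added Python example (not the patent's or the applicant's code); the rule base, the flow records, and the reading of "uniquely corresponds" as no other service sharing the rule's (protocol field, payload pattern) pair are constructed assumptions:

```python
# Constructed rule base (not the patent's): rule id -> (service, protocol field, payload pattern).
RULE_BASE = {
    "r1": ("video_app", "HTTP", "Host: video.example"),
    "r2": ("video_app", "TLS", "SNI=video.example"),
    "r3": ("video_app", "HTTP", "Host: cdn.example"),     # CDN host shared with news_app
    "r4": ("video_app", "TLS", "SNI=video-api.example"),  # unique to video_app, never seen
    "r5": ("chat_app", "HTTP", "Host: chat.example"),
    "r6": ("news_app", "HTTP", "Host: cdn.example"),
}
# Constructed flow records for the first period: (user id, bytes, payload excerpt).
FLOWS = [
    ("u1", 1200, "GET / HTTP/1.1\r\nHost: video.example"),
    ("u2", 800, "ClientHello SNI=video.example"),
    ("u1", 300, "GET /m HTTP/1.1\r\nHost: chat.example"),
    ("u3", 50, "GET / HTTP/1.1\r\nHost: unknown.example"),
]
def identify(flows, rules):
    # Per-service validity indicators (flow bytes, records, users) plus per-rule hit counts.
    ind = {svc: {"flow": 0, "records": 0, "users": set()} for svc, _, _ in rules.values()}
    hits = dict.fromkeys(rules, 0)
    for user, nbytes, payload in flows:
        for rid, (_svc, _proto, pattern) in rules.items():
            hits[rid] += int(pattern in payload)
        for svc in {svc for svc, _proto, pattern in rules.values() if pattern in payload}:
            ind[svc]["flow"] += nbytes      # a flow counts once per service, however many rules hit
            ind[svc]["records"] += 1
            ind[svc]["users"].add(user)
    return {s: {**v, "users": len(v["users"])} for s, v in ind.items()}, hits

def classify(indicators):
    # First set: services at least one user accessed; second set: the rest.
    first = {s for s, v in indicators.items() if v["records"] > 0}
    return first, set(indicators) - first

def mark_rules(rules, hits, first_set):
    # "first": hit rule of an accessed service; "second" (weaker): missed rule of an accessed
    # service whose (protocol, pattern) belongs to no other service; None: the rule is invalid.
    marks = {}
    for rid, (svc, proto, pattern) in rules.items():
        if svc not in first_set:
            marks[rid] = None
        elif hits[rid] > 0:
            marks[rid] = "first"
        else:
            shared = {s for s, p, q in rules.values() if (p, q) == (proto, pattern)}
            marks[rid] = "second" if len(shared) == 1 else None
    return marks

def build_target_rule_base(rules, marks, requirement):
    # requirement "first" keeps only first-identifier rules; "second" also admits second ones.
    return {rid: r for rid, r in rules.items() if marks[rid] in ("first", requirement)}
```

With the constructed data, r3 is missed but shared with news_app, so it gets no identifier, while r4 is missed yet unique to video_app and receives the weaker second identifier.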
13. An electronic device, the electronic device comprising: a processor and a memory;
the memory stores instructions executable by the processor;
the processor is configured to, when executing the instructions, cause the electronic device to implement the method of any one of claims 1-11.
14. A computer-readable storage medium, the computer-readable storage medium comprising: computer software instructions;
the computer software instructions, when run in an electronic device, cause the electronic device to implement the method of any one of claims 1-11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111265051.3A CN113905411B (en) 2021-10-28 2021-10-28 Detection method, device, equipment and storage medium for deep packet inspection identification rule

Publications (2)

Publication Number Publication Date
CN113905411A CN113905411A (en) 2022-01-07
CN113905411B true CN113905411B (en) 2023-05-02

Family

ID=79027390

Country Status (1)

Country Link
CN (1) CN113905411B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114969129B (en) * 2022-07-29 2022-12-13 飞狐信息技术(天津)有限公司 Abnormal service data backflow method and device

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901268A (en) * 2010-08-02 2010-12-01 华为技术有限公司 Rule matching method and device
WO2011009311A1 (en) * 2009-07-24 2011-01-27 中兴通讯股份有限公司 Method and system for registering deep packet inspection (dpi) device
CN102143151A (en) * 2010-12-22 2011-08-03 华为技术有限公司 Deep packet inspection based protocol packet spanning inspection method and deep packet inspection based protocol packet spanning inspection device
CN102665191A (en) * 2012-04-12 2012-09-12 华为技术有限公司 Policy control method, policy control device and policy control system for data services
CA2898053A1 (en) * 2013-08-05 2015-02-12 Huawei Technologies Co., Ltd. Deep packet inspection method, device, and coprocessor
CA3055428A1 (en) * 2017-03-09 2018-09-13 Magnus Skraastad GULBRANDSEN Core network access provider
CN109272005A (en) * 2017-07-17 2019-01-25 中国移动通信有限公司研究院 Identification rule generation method and device, and deep packet inspection device
CN110708215A (en) * 2019-10-10 2020-01-17 深圳市网心科技有限公司 Deep packet inspection rule base generation method and device, network equipment and storage medium
CN111061707A (en) * 2019-11-08 2020-04-24 武汉绿色网络信息服务有限责任公司 DPI equipment protocol rule base and rule sample optimization method and device
CN112583832A (en) * 2020-12-14 2021-03-30 北京鼎普科技股份有限公司 DPI-based application layer protocol identification method and system
CN113067743A (en) * 2020-01-02 2021-07-02 中国移动通信有限公司研究院 Flow rule extraction method, device, system and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
PGSM-DPI: Precisely Guided Signature Matching of Deep Packet Inspection for Traffic Analysis; Haonan Yan; 2019 IEEE Global Communications Conference (GLOBECOM); full text *
Research and application of network security event detection technology based on data flow; 荆玉淇; China Master's Theses Full-text Database; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant