CN114143385A - Network traffic data identification method, device, equipment and medium - Google Patents


Info

Publication number
CN114143385A
Authority
CN
China
Prior art keywords
message
current
information
data
historical
Prior art date
Legal status
Granted
Application number
CN202111400358.XA
Other languages
Chinese (zh)
Other versions
CN114143385B (en)
Inventor
陈少怀
黄斌
余远泽
佘羡韩
林琳
陈璇
林裕新
罗滨
蔡安铭
王腾
戴彦旭
杨炜楠
成翰杰
高爽
李敏
蔡思雨
李文澜
陈昊
Current Assignee
Guangdong Power Grid Co Ltd
Shantou Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Shantou Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangdong Power Grid Co Ltd, Shantou Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to CN202111400358.XA
Publication of CN114143385A
Application granted
Publication of CN114143385B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/08 Protocols for interworking; Protocol conversion

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device, equipment and a medium for identifying network traffic data. The method comprises the following steps: acquiring a current data message to be identified and analyzing it to obtain current message information; determining the current message features according to the current message information, and querying a preset message feature library for a target network protocol associated and matched with the current message features; and determining the identification result of the current data message according to the target network protocol. The embodiment of the invention can quickly determine the network protocol required in the data conversion of network traffic data.

Description

Network traffic data identification method, device, equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method, a device, equipment and a medium for identifying network traffic data.
Background
Different computers must use the same network protocol in order to communicate. In practice, because the data terminals at the sending end and the receiving end use different character sets, the receiving end cannot identify the network traffic data sent by the sending end. To enable network communication, the sending terminal is required to convert the character set used in the outgoing network traffic data into the characters of a standard character set according to a network protocol before transmission; after the data reaches the destination terminal, the receiving end converts the received network traffic data according to the same network protocol, mapping the standard character set to the character set used by the receiving end, and thereby obtains a network message that the receiving end can identify.
Most networks use a layered architecture in which each layer is built on the layer below it, and several protocols exist at each layer. The protocols used at the same layer by the receiving end and the sending end must be consistent; otherwise one party cannot identify the information sent by the other. When network traffic data is converted according to a network protocol, the protocol used at each layer has to be determined layer by layer, so determining the protocol of every layer takes a long time, which in turn prolongs the data conversion of the network traffic data.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a medium for identifying network traffic data, which are used for quickly identifying a network protocol adopted in the transmission process of the network traffic data.
In a first aspect, an embodiment of the present invention provides a method for identifying network traffic data, including:
acquiring a current data message to be identified, and analyzing to obtain current message information;
determining the current message characteristics according to the current message information, and inquiring a target network protocol associated and matched with the current message characteristics in a preset message characteristic library;
and determining the identification result of the current data message according to the target network protocol.
In a second aspect, an embodiment of the present invention further provides an apparatus for identifying network traffic data, where the apparatus includes:
the message information analysis module is used for acquiring the current data message to be identified and analyzing the current data message to obtain the current message information;
the network protocol query module is used for determining the current message characteristics according to the current message information and querying a target network protocol which is associated and matched with the current message characteristics in a preset message characteristic library;
and the result determining module is used for determining the identification result of the current data message according to the target network protocol.
In a third aspect, an embodiment of the present invention further provides an apparatus for identifying network traffic data, where the apparatus includes:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for identifying network traffic data provided by the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides an identification medium for network traffic data, where a computer program is stored on the identification medium, where the computer program, when executed by a processor, implements the identification method for network traffic data provided in the embodiment of the present invention.
In this embodiment, the current data message is acquired and analyzed to obtain the current message information, the current message features are derived from that information, and the target network protocol corresponding to the current message features is determined from the result of association matching between the current message features and the historical message features, after which the current data message is identified. This solves the problem of the long determination time caused by determining the target network protocol layer by layer. Because a feature library is established, the message features can be extracted without analyzing the data content inside the packet of the acquired data message, and the target network protocol is determined from the message feature library according to the association-matching result of the message features, so the target network protocol is obtained more efficiently and quickly.
Drawings
Fig. 1 is a flowchart of a method for identifying network traffic data according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for identifying network traffic data according to a second embodiment of the present invention;
fig. 3 is a flowchart of a method for identifying network traffic data according to a third embodiment of the present invention;
fig. 4 is a block diagram illustrating a structure of a device for identifying network traffic data according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of an identification device for network traffic data according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for identifying network traffic data according to an embodiment of the present invention. This embodiment applies to identifying network traffic data, and in particular to determining the network protocol to be applied during the transmission of data messages. The method can be executed by the network traffic data identification device provided by the embodiment of the invention, which can be implemented in software and/or hardware and configured in a terminal device or server. The method specifically comprises the following steps:
S110, obtaining the current data message to be identified, and analyzing it to obtain the current message information.
A message is the data unit exchanged and transmitted in the network, that is, the block of data a station sends at one time; it contains the complete data to be sent. A message is also a unit of network transmission and may be further encapsulated into packets and frames during transmission. The message information consists of information segments added to the message during encapsulation, including the message version, message function, message sequence number, message length and similar fields. Network traffic data is encapsulated and transmitted between the sending end and the receiving end in the form of data messages; the receiving end receives the data messages sent by the sending end, and the data messages received by the server are analyzed through port mirroring to obtain the message information. The current data message is the data message received by the receiving end at the current moment, and the current message information is the message information obtained by analyzing that data message.
The port mirroring function is to forward data traffic of one or more source ports to a certain designated port on a switch or a router to monitor the network, wherein the designated port is called a "mirroring port" or a "destination port", and the traffic of the network can be monitored and analyzed through the mirroring port without seriously affecting the normal throughput of the source ports.
S120, determining the current message features according to the current message information, and querying a preset message feature library for a target network protocol that is associated and matched with the current message features.
The message feature library is a database used for storing historical data messages received by the receiving end, historical message information, historical message features contained in the historical message information, historical network protocols used in the historical data message transmission process and other data. The message features contained in the message information may be keywords in the message information. The target network protocol is a network protocol adopted by the receiving end to convert the received current data message into the data message which can be identified by the receiving end after receiving the current data message.
Preferably, in this step, the message information features in the historical data message are extracted by collecting the historical data message and the historical network protocol adopted by the receiving end to convert the historical data message, and the historical data message, the historical network protocol and the message information features in the historical data message are stored in the feature library. Specifically, the method can be realized by the following substeps: before querying a target network protocol associated and matched with the current message feature in a preset message feature library, the method further comprises the following steps:
S1201, collecting the historical data message, and analyzing it to obtain the historical message information of the historical data message.
The historical data message is a data message which is received by a receiving end and converted through a network protocol.
Specifically, the receiving end may collect the historical data packet, establish a corresponding relationship between the collected historical data packet and a network protocol used for analyzing the historical data packet, and store the corresponding relationship in the database. And the receiving end analyzes the historical data message to obtain historical message information.
S1202, extracting the characteristics of the historical message information to obtain the historical message characteristics, and adding the historical message characteristics into a message characteristic library.
Specifically, the history message features may be extracted from the history message information through an algorithm, and the history message features may be keywords in the history message information. The algorithm may be a machine learning model, such as a convolutional neural network model, among others. The historical data messages, the historical message information, the historical message characteristics and the historical network protocols used in the historical data message transmission process are stored in the message characteristic library, the characteristics corresponding to the network protocols of different styles can be stored in the message characteristic library, and the characteristic matching is carried out based on the message characteristic library, so that the accuracy of the message characteristic matching can be improved, and the detection accuracy of the network protocols is improved.
Furthermore, after the receiving end receives the current data message, the current message characteristics in the current data message information are extracted, the current message characteristics are associated and matched with the historical message characteristics in the characteristic library, and the target network protocol adopted by the receiving end for analyzing the current data message sent by the sending end is determined according to the associated and matched result.
The association matching can be realized by an association matching algorithm, for example the Hungarian algorithm: the current message features of the current data message and the historical message features of the historical data message are used as the input parameters of the Hungarian algorithm, which performs the matching calculation between them and returns a maximum matching result. If the maximum matching result is greater than a preset matching threshold, the current message features are considered to match the historical message features; if it is less than or equal to the matching threshold, they are considered not to match. The matching threshold can be set manually according to actual requirements.
If the current message features match certain historical message features in the preset feature library, the target network protocol required to convert the content of the current data message is determined to be the network protocol used by the matched historical data message.
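The feature extraction and association matching of S1202 and S120, as an added worked example that is not code from the patent. Feature keywords, the library entries, the packet fields and the `=*` wildcard convention are all constructed here for illustration; the text only says that features are keywords and that the Hungarian algorithm yields a maximum matching compared against a threshold. Because the edges are unweighted (a current feature either is or is not compatible with a historical one), Kuhn's augmenting-path algorithm gives the same optimum as the Hungarian method and is used here.

```python
# Added example (not the patent's own code). Extracts keyword features from
# parsed message information and scores them against a feature library with a
# maximum bipartite matching. All packets and library entries are constructed.
from typing import Dict, List, Optional, Set, Tuple

# Constructed feature library: (historical message features, protocol used to
# convert that historical message). "key=*" is an assumed wildcard convention.
FEATURE_LIBRARY: List[Tuple[Set[str], str]] = [
    ({"ver=2", "func=READ", "len_class=short", "flags=ACK"}, "PROTO-A"),
    ({"ver=3", "func=WRITE", "len_class=long", "flags=SYN"}, "PROTO-B"),
    ({"ver=1", "func=*", "flags=*"}, "PROTO-C"),
]

# Constructed message information, as if already parsed from received packets.
SAMPLE_PACKETS: Dict[str, Dict[str, object]] = {
    "read_v2": {"version": 2, "function": "READ", "length": 128, "sequence": 17, "flags": "ACK"},
    "write_v3_rst": {"version": 3, "function": "WRITE", "length": 2048, "sequence": 18, "flags": "RST"},
    "ping_v1": {"version": 1, "function": "PING", "length": 10, "sequence": 3},
    "unknown": {"version": 9, "function": "X", "length": 5, "sequence": 4},
}


def extract_features(info: Dict[str, object]) -> Set[str]:
    """Keyword features from message information. Per-packet values such as
    the sequence number are dropped and the length is bucketed so that the
    features generalise across packets of the same protocol."""
    feats = {f"ver={info['version']}", f"func={info['function']}"}
    feats.add("len_class=short" if int(info.get("length", 0)) < 512 else "len_class=long")
    if "flags" in info:
        feats.add(f"flags={info['flags']}")
    return feats


def compatible(cur: str, hist: str) -> bool:
    """A current feature matches a historical one when they are equal, or when
    the historical feature is a wildcard for the same key."""
    if cur == hist:
        return True
    ck, _, _ = cur.partition("=")
    hk, _, hv = hist.partition("=")
    return hv == "*" and ck == hk


def max_bipartite_matching(left: List[str], right: List[str]) -> int:
    """Size of a maximum matching between current (left) and historical (right)
    features, computed with Kuhn's augmenting-path algorithm."""
    adj = [[j for j, r in enumerate(right) if compatible(l, r)] for l in left]
    match_right: List[Optional[int]] = [None] * len(right)

    def try_augment(i: int, seen: List[bool]) -> bool:
        for j in adj[i]:
            if seen[j]:
                continue
            seen[j] = True
            if match_right[j] is None or try_augment(match_right[j], seen):
                match_right[j] = i
                return True
        return False

    return sum(1 for i in range(len(left)) if try_augment(i, [False] * len(right)))


def identify_protocol(info: Dict[str, object],
                      library: List[Tuple[Set[str], str]] = FEATURE_LIBRARY,
                      threshold: float = 0.5) -> Optional[str]:
    """Protocol of the best-matching library entry, or None when no entry
    scores above the operator-chosen threshold (as the text prescribes)."""
    current = sorted(extract_features(info))
    best_score, best_proto = 0.0, None
    for hist_feats, proto in library:
        score = max_bipartite_matching(current, sorted(hist_feats)) / len(current)
        if score > best_score:
            best_score, best_proto = score, proto
    return best_proto if best_score > threshold else None


if __name__ == "__main__":
    for name, info in SAMPLE_PACKETS.items():
        print(f"{name}: {identify_protocol(info)}")
```

The score is the matching size divided by the number of current features, so a library entry cannot be credited for features the current message does not have; the threshold decides how many unmatched features are tolerated, and a message that matches nothing above it is left unidentified for the later fault-handling step.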
S130, determining the identification result of the current data message according to the target network protocol.
According to the target network protocol, the receiving end performs data conversion on the current data message to obtain content that it can identify; the converted content is used as the identification result of the current data message, and the instructions or operations expressed in that content are executed. The message information may consist of information segments formed by dividing the data message, some of which are content that the receiving end cannot identify. The identification result is the content obtained by further analyzing those information segments, so that the receiving end can identify content it could not identify before.
In this embodiment, the current data message is acquired and analyzed to obtain the current message information, the current message features are derived from that information, and the target network protocol corresponding to the current message features is determined from the result of association matching between the current message features and the historical message features, after which the current data message is identified. This solves the problem of the long determination time caused by determining the target network protocol layer by layer. Because a feature library is established, the message features can be extracted without analyzing the data content inside the packet of the acquired data message, and the target network protocol is determined from the message feature library according to the association-matching result of the message features, so the target network protocol is obtained more efficiently and quickly.
Example two
Fig. 2 is a flowchart of a method for identifying network traffic data according to a second embodiment of the present invention. The technical scheme of this embodiment is optimized on the basis of the scheme above, and adds the preferred embodiment in which a message database is preset according to the historical data messages and the target network protocol is determined through the message database. Determining the current message features according to the current message information is embodied as follows: querying a preset message database for a target network protocol associated and matched with the current message information; and, when the query result of the message database is empty, determining the current message features according to the current message information. Specifically, as shown in fig. 2, the method for identifying network traffic data provided in this embodiment may include:
S210, obtaining the current data message to be identified, and analyzing it to obtain the current message information.
Optionally, the analyzing to obtain the current message information includes: and analyzing the current data message according to the priority of the information type to obtain the current message information.
Specifically, different information types corresponding to different priorities may be preconfigured, and the current data packet is analyzed according to the priorities of the information types to obtain the current packet information.
The information type is information content included in the data packet, such as packet header information, port information, and packet body information. Before analyzing the current data message, the data message can be classified through the port mirror image to obtain the information type in the current data message, and then the priority is distributed to the obtained information type. According to the priority of the information type, the information content with the highest priority is firstly analyzed. If the analyzed highest priority information content is not matched with the data message information in the preset message database, the information content of the next priority is continuously analyzed according to the priority sequence.
S220, inquiring a target network protocol which is associated and matched with the current message information in a preset message database.
The message database is used for storing historical data message information, a complete data message comprises a packet header, a port and a packet body, and the message information in the packet header, namely packet header information, comprises a communication version number, an application version number, a function number, a process number, a flag bit, a data message serial number, a message length and the like; ports generally refer to ports in the TCP/IP protocol; the message information in the packet body is packet body information, including data content. The historical message information stored in the message database comprises the historical message information in the packet header and the historical message information in the packet body.
Specifically, the historical data messages may be collected by the server, and the historical data messages, historical message information and historical network protocols stored in the message database. When the receiving end receives the current data message, the current message information can be obtained through the port mirror. After acquiring the current message information, the receiving end performs association matching between it and the historical message information in the message database. If the current message information of the current data message matches the historical message information of a certain historical data message, the target network protocol required to convert the current data message is determined to be the network protocol used by that matched historical data message.
S230, when the query result of the message database is empty, determining the current message features according to the current message information.
The query result in the message database is null, which means that there is no matching relationship between the message information of the current data message and all the historical data messages stored in the message database.
Specifically, the data packets are classified into regular data packets and irregular data packets. The conventional data message refers to a data message which is common in the network traffic data transmission process, and such a conventional data message is often stored in a message database of a receiving end when historical data messages are collected. The non-conventional data message means that in the network traffic data transmission process, when some enterprises execute network traffic data transmission, the transmitted network traffic data is a data message customized according to the requirements of the enterprises, and a new network protocol different from the conventional data message is used in the data message transmission and data conversion processes.
Typically, the content stored in the message database is derived from historical message data, which is a conventional data message in the network traffic transmission process. And after receiving the historical data message, the receiving end analyzes the historical data message and stores the historical data message, the historical message information and the historical network protocol into a message database. When the receiving end collects the unconventional historical data message and determines the historical network protocol adopted by the unconventional historical data message for data conversion, the message characteristics, namely the historical message characteristics, can be extracted from the historical message information, and the historical message characteristics, the historical data message and the historical network protocol are stored in the characteristic library.
When receiving the current data message, the receiving end analyzes the current data message to obtain the current message information. And performing correlation matching on the current message information and historical message information of historical data messages in a message database. If the query result of the message database is empty, extracting the message characteristics of the current message information, namely the current message characteristics. And performing association matching on the current message characteristics and historical message characteristics in a characteristic library, and if the characteristics of the current message and the characteristics of a certain historical message have a matching relationship, determining that a target network protocol required by the receiving end for performing data conversion on the current data message is a historical network protocol corresponding to the historical data message having the matching relationship with the current data message.
Optionally, the querying, in a preset packet feature library, a target network protocol associated and matched with the current packet feature to determine an identification result of the current data packet includes: and when the query result of the message feature library is empty, determining that the current data message is a fault message.
A fault message is a data message that may cause a fault in the terminal device at the receiving end during the transmission of network traffic data, for example a data message carrying a network virus, or a data message whose data was lost during transmission.
Specifically, if the current data message is not matched with the historical data messages in the message database and the message feature library, the current data message is determined to be a fault message, data conversion is not performed on the current data message, and the fault message is removed.
In an actual scene, in the process of transmitting network traffic data between a transmitting end and a receiving end, data message information which is possibly transmitted is almost completely stored in a message database and a message feature library. Therefore, when the receiving end receives a data message which cannot be matched with the message database and the message feature library, the data message may be a fault message or a Trojan horse file generated in the network attack process. In this case, the message data that cannot be matched with the message database and the message feature library is removed as a fault message, so that the communication safety between the sending end and the receiving end can be effectively maintained, and the problems of server faults and the like caused by the fault message or the Trojan file are avoided.
In this embodiment, the current message information is associated and matched with the conventional message information in the message database, and the target network protocol is determined from the matching result. If the message database contains no historical data message that matches the current data message, the current message features are further extracted from the current message information, associated and matched with the historical message features in the feature library, and the target network protocol is determined from that matching result. Performing the association matching through the two databases improves the detection accuracy of the target network protocol and hence the identification accuracy of the data message; because the current message features are extracted only when the query result of the message database is empty, the amount of data handled in message matching is reduced, the time needed to obtain the target network protocol is saved, and the data conversion efficiency is improved.
Example three
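The two-tier lookup of S220 and S230 together with the fault-message rule, as an added example that is not code from the patent. The header fields chosen as the message-database key, the library contents, the overlap score and the threshold are assumptions made for this illustration; the text only states that the message database is queried first, the feature library second, and that a message unmatched by both is treated as a fault message and removed instead of being converted.

```python
# Added example (not the patent's own code). Tier 1: exact match of header
# information in the message database. Tier 2: feature match against the
# feature library. No match in either: fault message, dropped. All data is
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

HeaderKey = Tuple[str, str, str]  # (comm_version, app_version, function_no)

# Tier 1: conventional historical messages, keyed on stable header fields.
MESSAGE_DB: Dict[HeaderKey, str] = {
    ("1.0", "2.3", "0x01"): "PROTO-A",
    ("1.0", "2.3", "0x02"): "PROTO-A",
    ("2.1", "5.0", "0x10"): "PROTO-B",
}

# Tier 2: feature library built from unconventional (enterprise-custom)
# historical messages, protocol -> historical message features.
FEATURE_LIBRARY: Dict[str, Set[str]] = {
    "PROTO-ENT-X": {"comm_version=2.1", "flag=0x80", "function_no=0x7f"},
}

# Constructed current message information for three received packets.
SAMPLE_PACKETS: Dict[str, Dict[str, object]] = {
    "conventional": {"comm_version": "1.0", "app_version": "2.3", "function_no": "0x01",
                     "flag": "0x00", "seq": 7, "length": 64},
    "enterprise": {"comm_version": "2.1", "app_version": "9.9", "function_no": "0x7f",
                   "flag": "0x80", "seq": 8, "length": 300},
    "garbage": {"comm_version": "7.7", "app_version": "0.0", "function_no": "0xff",
                "flag": "0x00", "seq": 9, "length": 12},
}


def header_key(info: Dict[str, object]) -> HeaderKey:
    """Message-database key: sequence number and length vary per packet and
    are excluded so that conventional packets of one protocol share a key."""
    return (str(info["comm_version"]), str(info["app_version"]), str(info["function_no"]))


def extract_features(info: Dict[str, object]) -> Set[str]:
    """Keyword features used by tier 2 (an assumed choice of fields)."""
    return {f"{k}={info[k]}" for k in ("comm_version", "flag", "function_no") if k in info}


def feature_match(features: Set[str], library: Dict[str, Set[str]],
                  threshold: float = 0.6) -> Optional[str]:
    """Best library entry by the fraction of current features it contains."""
    best, best_proto = 0.0, None
    for proto, hist in library.items():
        score = len(features & hist) / len(features) if features else 0.0
        if score > best:
            best, best_proto = score, proto
    return best_proto if best > threshold else None


@dataclass
class Identification:
    protocol: Optional[str]
    tier: str        # "message_db", "feature_library" or "fault"
    dropped: bool    # True when the message is removed instead of converted


def identify(info: Dict[str, object], db: Dict[HeaderKey, str] = MESSAGE_DB,
             library: Dict[str, Set[str]] = FEATURE_LIBRARY) -> Identification:
    proto = db.get(header_key(info))
    if proto is not None:
        return Identification(proto, "message_db", False)
    proto = feature_match(extract_features(info), library)
    if proto is not None:
        return Identification(proto, "feature_library", False)
    # Unmatched by both stores: fault message, not converted.
    return Identification(None, "fault", True)


def triage(packets: Dict[str, Dict[str, object]]) -> Tuple[Dict[str, str], List[str]]:
    """Split a batch into messages to convert (name -> protocol) and dropped names."""
    converted: Dict[str, str] = {}
    dropped: List[str] = []
    for name, info in packets.items():
        result = identify(info)
        if result.dropped:
            dropped.append(name)
        else:
            converted[name] = result.protocol
    return converted, dropped


if __name__ == "__main__":
    print(triage(SAMPLE_PACKETS))
```

Recording the tier in the result matters operationally: a rising share of tier-2 hits means the message database is missing conventional traffic, and a rising share of fault drops is the signal the text associates with malformed or hostile messages and is what an operator would alert on.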
Fig. 3 is a flowchart of an identification method for network traffic data according to a third embodiment of the present invention. The technical scheme of the embodiment is optimized on the basis of the technical scheme, and the preferred embodiment of presetting the priority of the message information and carrying out association matching on the message information of the current data message with the message database and the feature library according to the priority of the message information is added. Determining the characteristics of the current message according to the information of the current message, which is embodied as follows: inquiring a target network protocol associated and matched with the current message information in a preset message database; and when the query result of the message database is empty, determining the characteristics of the current message according to the current message information. Analyzing to obtain current message information, which is embodied as: and analyzing the current data message according to the priority of the information type to obtain the current message information. 
When the query result of the message database is empty, determining the characteristics of the current message according to the current message information, which is embodied as follows: when the query result of the message database is empty, analyzing the current data message according to the priority of the information type, and updating the current message information; inquiring a target network protocol which is associated and matched with the updated current message information in a preset message database; when the query result of the message database is empty, returning to execute the steps of analyzing the current data message according to the priority of the information type and updating the current message information until the target network protocol or the whole content of the current message information is analyzed and the current message characteristic is determined according to the current message information.
Specifically, as shown in fig. 3, the method for identifying network traffic data provided in this embodiment may include:
S310, obtaining the current data message to be identified.
S320, analyzing the current data message according to the priority of the information type to obtain the current message information.
The information type is the information content included in the data packet, such as packet header information, port information, and packet body information. Before analyzing the current data message, the data message can be classified through port mirroring to obtain the information types in the current data message, and a priority is then assigned to each obtained information type. According to the priority of the information type, the information content with the highest priority is analyzed first. For example, the header information may be assigned the highest priority, the port information the second priority, and the body information the third priority. After the packet header information is analyzed, information of the current data packet included in the packet header, such as the communication version number, application version number, function number, process number, flag bits, data packet sequence number and packet length, can be obtained, and the packet header information obtained after the analysis is used as the current packet information.
S330, inquiring a target network protocol which is associated and matched with the current message information in a preset message database.
Specifically, the preset message database includes the header information of historical data messages and the historical network protocol corresponding to each historical data message. The header information of the current data message is associated and matched with the header information of the historical data messages; if header information of a historical data message matching the header information of the current data message exists in the message database, it is determined that a historical data message matching the current data message exists in the database, and the historical network protocol corresponding to that matched historical data message is the target network protocol required for data conversion of the current data message.
And S340, when the query result of the message database is empty, analyzing the current data message according to the priority of the information type, and updating the current message information.
Specifically, if there is no historical data packet in the packet database whose packet header information is consistent with that of the current data packet, the query result is null. If the query result for the header information of the current data packet is null, the information of the next priority is analyzed further, that is, the port information of the current data packet in the transmission process according to the information type priority, and the obtained port information may include a port type, a port number, a service type, a port address and the like. The current message information is updated according to the analyzed port information, so that the updated current message information comprises the packet header information and the port information of the current data message.
The port information is stored in the packet header, and the port information of the data packet can be acquired by the port acquisition subunit in the server. The obtained port information may be port information of any one segment of both communication parties, or may be port information of both communication parties.
And S350, inquiring a target network protocol which is associated and matched with the updated current message information in a preset message database.
If the query result of the packet header information in the message database is empty, the port information of the current data message is associated and matched with the port information of the historical data messages in the message database, and if the matching result is that port information of a historical data message matching the port information of the current data message exists in the message database, it is determined that the network protocol of the historical data message matching the current data message is the target network protocol required for data conversion of the current data message.
And S360, when the query result of the message database is empty, returning to execute the steps of analyzing the current data message according to the priority of the information type and updating the current message information until the target network protocol or the whole content of the current message information is analyzed, and determining the current message characteristics according to the current message information.
Specifically, if there is no historical packet data in the packet database that matches the header information and the port information in the current data packet, that is, the query result of the header information and the port information of the current data packet in the packet database is null, the next priority packet information of the data packet is selected for parsing.
Illustratively, the current data packet is further analyzed to obtain the packet body information of the current data packet, where the packet body information includes the packet content and data information of the current data packet. The current message information is updated according to the packet body information, so that the updated current message information comprises packet header information, port information and packet body information. The packet body information contained in the current message information is associated and matched with the packet body information of the data messages in the preset message database, and if the matching result is that packet body information of a historical data message matching the packet body information of the current data message exists in the message database, it is determined that the network protocol of the historical data message matching the current data message is the target network protocol required for data conversion of the current data message.
If the query result of the packet header information, the port information and the packet body information is empty, that is, no historical data message matched with the packet header information, the port information and the packet body information of the current data message exists in the message database, the current message characteristic of the current message information is further extracted.
Optionally, the current packet characteristics of the current packet information include packet header information characteristics, port information characteristics, and packet body information characteristics. According to the priority of the information types, the header information characteristics of the current message data are associated and matched with the header information characteristics of the historical message data in the message characteristic library, and if the header information of the historical message data matched with the header information of the current data message exists in the message characteristic library, the network protocol of the historical data message matched with the current data message is determined to be the target network protocol required by data conversion of the current data message. And if the packet header information of the historical message data matched with the packet header information of the current data message does not exist in the message feature library, correlating and matching the port information feature of the current message data with the port information feature of the historical message data in the message feature library according to the priority of the information type, and if the port information of the historical message data matched with the port information of the current data message exists in the message feature library, determining a network protocol of the historical data message matched with the current data message as a target network protocol required by data conversion of the current data message. 
And if the packet header information and the port information of the historical message data which are matched with the packet header information and the port information of the current data message do not exist in the message feature library, associating and matching the packet body information features of the current message data with the packet body information features of the historical message data in the message feature library according to the priority of the information types, and if the packet body information of the historical message data which are matched with the packet body information of the current data message exists in the message feature library, determining that the network protocol of the historical data message which is matched with the current data message is the target network protocol which is required by the data conversion of the current data message.
Optionally, after determining the current packet characteristics according to the current packet information, the method may further include: and updating the message database according to the message feature library.
Specifically, the message feature library stores historical data messages, historical message information, network protocols corresponding to the historical data messages, and historical message features. The historical data messages, the historical message information and the network protocols corresponding to the historical data messages in the message feature library can be migrated to the message database by adopting a data migration tool.
After the receiving end obtains the current data message, the current message information of the current data message is matched with the historical message information in the message database, and if no historical data message matching the current data message exists in the message database, the current message information is matched with the historical message information in the message feature library. Therefore, the historical data messages in the message feature library can be transferred to the message database regularly, and if the receiving end again receives a current data message matching a historical data message that has been transferred to the message database, the identification result of the current data message can be determined by matching the current message information only with the historical message information of the message database, so that the identification time of the data message is saved and the identification efficiency of the data message is improved.
In the embodiment, the priorities are allocated to the message information types of the data messages, the message information of different information types is associated and matched with the historical message information of the historical data messages in the message database according to the priority sequence of the information types, and the target network protocol is determined according to the matching result, so that the problems of overlong matching time and low data conversion efficiency caused by association of all the message information when the current information is associated and matched with the historical message information in the message database are solved, the sequential association and matching of the different message information with the message information in the message database according to the priorities of the information types is realized, and the efficiency of acquiring the target network protocol is improved.
Example four
Fig. 4 is a block diagram of a structure of an apparatus for identifying network traffic data according to a fourth embodiment of the present invention, where the apparatus is capable of executing a method for identifying network traffic data according to any embodiment of the present invention, and as shown in fig. 4, the apparatus includes: a message information parsing module 410, a network protocol query module 420 and a result determination module 430.
The message information analyzing module 410 is configured to obtain a current data message to be identified, and analyze the current data message to obtain current message information; a network protocol query module 420, configured to determine a current message feature according to current message information, and query a preset message feature library for a target network protocol associated and matched with the current message feature; and a result determining module 430, configured to determine an identification result of the current data packet according to the target network protocol.
In the embodiment, historical data messages are collected, the historical message characteristics of the historical messages are analyzed, the historical message characteristics and target network protocols corresponding to different historical data messages are determined, and the historical message characteristics, the historical data messages and the target network protocols are stored in a feature library; when the receiving end server obtains the current data message, the current message characteristic is obtained by analyzing the current message information, the target network protocol corresponding to the current message characteristic is determined according to the association matching result of the current message characteristic and the historical message characteristics, and data which the receiving end can identify is obtained by carrying out data conversion on the received current data message according to the target network protocol. This solves the problem that, when data is transmitted between users and converted according to a network protocol, the data packets contained in the acquired data messages must be analyzed and the target network protocol corresponding to the data messages determined from the analysis result of the data in those packets, so that determining the target network protocol takes too long. By establishing a feature library, extracting message features without analyzing the data content in the packets of the acquired data messages, and determining the target network protocol according to the association matching result of the message features, the target network protocol is acquired more efficiently and quickly.
Illustratively, the message information parsing module 410 is specifically configured to:
and analyzing the current data message according to the priority of the information type to obtain the current message information.
Illustratively, the network protocol query module 420 is specifically configured to:
inquiring a target network protocol associated and matched with the current message information in a preset message database; and when the query result of the message database is empty, determining the characteristics of the current message according to the current message information.
Exemplarily, the apparatus further includes:
the updating module is used for analyzing the current data message according to the priority of the information type when the query result of the message database is empty, and updating the current message information;
inquiring a target network protocol which is associated and matched with the updated current message information in a preset message database;
when the query result of the message database is empty, returning to execute the steps of analyzing the current data message according to the priority of the information type and updating the current message information until the target network protocol or the whole content of the current message information is analyzed and the current message characteristic is determined according to the current message information.
Illustratively, the update module further includes:
and updating the message database according to the message feature library.
Exemplarily, the apparatus further includes:
the historical data acquisition module is used for acquiring historical data messages and analyzing the historical data messages to obtain historical message information of the historical data messages;
and the characteristic extraction module is used for extracting the characteristics of the historical message information to obtain the characteristics of the historical message and adding the characteristics into the message characteristic library.
Illustratively, the result determination module 430 further includes:
and when the query result of the message feature library is empty, determining that the current data message is a fault message.
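The priority cascade of the third embodiment (S310 to S360), the feature-library fallback, the fault-message result of the result determination module and the migration of feature-library entries into the message database, as an added Python example that is not the patent's own code. The packet layout, field names, feature definitions and sample historical records are constructed assumptions, as is the priority order header, then port, then body.

```python
"""Priority-ordered traffic identification (added example, not the patent's code).
Assumed: a constructed packet layout, field names, feature definitions and
sample historical records; the priority order header > port > body."""
from dataclasses import dataclass
from typing import Optional

PRIORITY = ("header", "port", "body")  # information types, highest priority first


@dataclass
class Entry:
    """One historical data message: parsed information, derived features and
    the network protocol it resolved to. The message database is queried on
    `info`, the feature library on `features`."""
    info: dict
    features: dict
    protocol: str


@dataclass
class Result:
    protocol: Optional[str]
    stage: str  # lookup that resolved the packet, or "fault"


def parse(packet: bytes, kind: str) -> dict:
    """Parse one information type. Constructed layout (assumption):
    [0:2] communication version, [2] function number, [3] flag bits,
    [4:6] source port, [6:8] destination port, [8:] packet body."""
    if len(packet) < 8:
        raise ValueError("packet shorter than the assumed 8-byte header")
    if kind == "header":
        return {"version": int.from_bytes(packet[0:2], "big"),
                "function": packet[2], "flags": packet[3]}
    if kind == "port":
        return {"src": int.from_bytes(packet[4:6], "big"),
                "dst": int.from_bytes(packet[6:8], "big")}
    if kind == "body":
        body = packet[8:]
        return {"length": len(body), "prefix": body[:4].hex()}
    raise ValueError(f"unknown information type {kind!r}")


def extract_feature(kind: str, info: dict):
    """Abstract exact information into a feature (assumed definitions):
    header -> (version, function), port -> lower (service-side) port,
    body -> leading bytes only, so the body content is not inspected."""
    if kind == "header":
        return (info["version"], info["function"])
    if kind == "port":
        return min(info["src"], info["dst"])
    return info["prefix"]


def query(entries: list, key: str, kind: str, value) -> Optional[str]:
    """Association matching: protocol of the first entry whose `key`
    ("info" or "features") for this information type equals `value`."""
    for e in entries:
        if getattr(e, key).get(kind) == value:
            return e.protocol
    return None


def identify(packet: bytes, message_db: list, feature_lib: list) -> Result:
    """S320-S360: parse one information type at a time in priority order and
    query the message database after each step; once the whole content is
    parsed without a hit, match features against the feature library in the
    same order; an empty feature-library result is a fault message."""
    current: dict = {}
    for kind in PRIORITY:
        current[kind] = parse(packet, kind)  # update current message information
        proto = query(message_db, "info", kind, current[kind])
        if proto is not None:
            return Result(proto, f"db:{kind}")
    for kind in PRIORITY:
        proto = query(feature_lib, "features", kind,
                      extract_feature(kind, current[kind]))
        if proto is not None:
            return Result(proto, f"features:{kind}")
    return Result(None, "fault")


def build_entry(packet: bytes, protocol: str) -> Entry:
    """Fully parse a historical packet and derive its features."""
    info = {k: parse(packet, k) for k in PRIORITY}
    return Entry(info, {k: extract_feature(k, info[k]) for k in PRIORITY}, protocol)


def migrate(feature_lib: list, message_db: list) -> int:
    """Copy feature-library entries into the message database so that a packet
    seen again resolves at the cheaper first lookup. Returns the number added."""
    added = 0
    for e in feature_lib:
        if not any(m.info == e.info and m.protocol == e.protocol for m in message_db):
            message_db.append(Entry(e.info, e.features, e.protocol))
            added += 1
    return added


# Constructed historical packets: A is already in the message database,
# B is known only to the feature library.
HIST_A = bytes([0x00, 0x02, 0x10, 0x01, 0x04, 0xD2, 0x00, 0x66]) + b"\x2a\x01\x00\x00"
HIST_B = bytes([0x00, 0x03, 0x20, 0x00, 0x0F, 0xA0, 0x09, 0x64]) + b"\x68\x04\x07\x00"
MESSAGE_DB = [build_entry(HIST_A, "proto-A")]
FEATURE_LIB = [build_entry(HIST_B, "proto-B")]

if __name__ == "__main__":
    db, lib = list(MESSAGE_DB), list(FEATURE_LIB)
    for pkt in (HIST_A, HIST_B, b"\x00\x09\x99\x00\x00\x01\x00\x02\xff\xff"):
        print(identify(pkt, db, lib))
    print("migrated:", migrate(lib, db), "->", identify(HIST_B, db, lib))
```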
Example five
Fig. 5 is a schematic structural diagram of an identification apparatus for network traffic data according to a fifth embodiment of the present invention. As shown in fig. 5, the apparatus includes a processor 50, a memory 51, an input device 52, and an output device 53; the number of processors 50 in the apparatus may be one or more, and one processor 50 is taken as an example in fig. 5; the processor 50, the memory 51, the input device 52 and the output device 53 in the apparatus may be connected by a bus or other means, and connection by a bus is taken as an example in fig. 5.
The memory 51 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the identification method of network traffic data in the embodiment of the present invention. The processor 50 executes various functional applications of the device and data processing by executing software programs, instructions and modules stored in the memory 51, that is, implements the above-described identification method of network traffic data.
The memory 51 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 51 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 51 may further include memory located remotely from the processor 50, which may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 52 may be used to receive network traffic data message information and to generate inputs relating to user settings and functional control of the apparatus. The output device 53 may include a display device such as a display screen.
Example six
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, perform a method for identifying network traffic data, the method including:
acquiring a current data message to be identified, and analyzing to obtain current message information;
determining the current message characteristics according to the current message information, and inquiring a target network protocol associated and matched with the current message characteristics in a preset message characteristic library;
and determining the identification result of the current data message according to the target network protocol.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the network traffic data identification method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the above search apparatus, each included unit and module are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for identifying network traffic data is characterized by comprising the following steps:
acquiring a current data message to be identified, and analyzing to obtain current message information;
determining the current message characteristics according to the current message information, and inquiring a target network protocol associated and matched with the current message characteristics in a preset message characteristic library;
and determining the identification result of the current data message according to the target network protocol.
2. The method of claim 1, wherein determining current packet characteristics based on the current packet information comprises:
inquiring a target network protocol associated and matched with the current message information in a preset message database;
and when the query result of the message database is empty, determining the characteristics of the current message according to the information of the current message.
3. The method of claim 2, wherein the parsing to obtain current message information comprises:
and analyzing the current data message according to the priority of the information type to obtain the current message information.
4. The method of claim 3, wherein determining the current packet characteristic according to the current packet information when the query result of the packet database is null comprises:
when the query result of the message database is empty, analyzing the current data message according to the priority of the information type, and updating the current message information;
inquiring a target network protocol which is associated and matched with the updated current message information in a preset message database;
and when the query result of the message database is empty, returning to execute the steps of analyzing the current data message according to the priority of the information type and updating the current message information until the target network protocol or the whole content of the current message information is analyzed and the current message characteristic is determined according to the current message information.
5. The method of claim 1, wherein before querying a preset message feature library for a target network protocol matching the current message feature association, the method further comprises:
collecting historical data messages, and analyzing to obtain historical message information of the historical data messages;
and extracting the characteristics of the historical message information to obtain the historical message characteristics, and adding the historical message characteristics into a message characteristic library.
6. The method of claim 2, further comprising:
and updating the message database according to the message feature library.
7. The method according to claim 1, wherein said querying a predetermined message feature library for a target network protocol matching the current message feature association and determining the identification result of the current data message comprises:
and when the query result of the message feature library is empty, determining that the current data message is a fault message.
8. An apparatus for identifying network traffic data, comprising:
the message information analysis module is used for acquiring the current data message to be identified and analyzing the current data message to obtain the current message information;
the network protocol query module is used for determining the current message characteristics according to the current message information and querying a target network protocol which is associated and matched with the current message characteristics in a preset message characteristic library;
and the result determining module is used for determining the identification result of the current data message according to the target network protocol.
9. An apparatus for identifying network traffic data, the apparatus comprising:
one or more processors;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of identifying network traffic data of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method of identifying network traffic data according to any one of claims 1 to 7.
CN202111400358.XA 2021-11-24 2021-11-24 Network traffic data identification method, device, equipment and medium Active CN114143385B (en)
Publications (2)

Publication Number Publication Date
CN114143385A true CN114143385A (en) 2022-03-04
CN114143385B CN114143385B (en) 2024-01-05
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant