CN114268559A - Directional network detection method, device, equipment and medium based on TF-IDF algorithm - Google Patents
- Publication number
- CN114268559A
- Authority
- CN
- China
- Prior art keywords
- message
- list
- target
- basic
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0805—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
- H04L43/0811—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention relates to the field of Internet of things, and provides a method, a device, equipment and a medium for detecting a directional network based on a TF-IDF algorithm, which can divide collected CAP packets to obtain each message, generate a data pane according to basic characteristics of each message, determine the protocol type of each message based on the data pane by adopting the TF-IDF algorithm, extract backfill characteristics of each message according to the protocol type of each message to backfill the data pane to obtain a target pane, mark each message in the target pane according to a first list and a second list to obtain a detection report, calculate the connectivity matching degree of the target directional network according to the detection report, and output the detection report and the connectivity matching degree. The invention can quickly match the relevant protocol types of the messages based on the TF-IDF algorithm, marks the messages by combining the configured list, and can quickly and accurately realize the detection of the directional network without manual intervention.
Description
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method, a device, equipment and a medium for detecting a directional network based on a TF-IDF algorithm.
Background
The oriented service is one of the important revenue services in the field of Internet of things. Because acceptance of an oriented service involves many opened clients, many client channels, many control strategies and similar factors, checking the network connectivity of the oriented service opened for a client has become an important link before delivery.
At present, client-oriented services are highly customized. After analyzing such a service with professional tools such as a network packet capturing tool and Wireshark, the acceptance staff still need to manually screen key information such as the specific protocol, Internet Protocol (IP), Uniform Resource Locator (URL) and domain name, and can extract that information only after clicking through and observing each network message layer by layer from the physical layer to the application layer.
This processing mode involves a large repetitive workload and high labor cost, and its matching efficiency and accuracy are low.
Disclosure of Invention
In view of the above, there is a need to provide a method, an apparatus, a device and a medium for detecting a directional network based on a TF-IDF algorithm, which aim to solve the problems of low efficiency and low accuracy of detecting a directional network.
A directional network detection method based on TF-IDF algorithm includes:
responding to a detection instruction of a target directional network, and acquiring a CAP packet captured from the target directional network based on a network element;
segmenting the CAP packet to obtain each message carried in the CAP packet;
extracting the basic characteristics of each message, and generating a data pane according to the basic characteristics of each message;
determining the protocol type of each message based on the data pane by adopting a TF-IDF algorithm;
extracting backfill characteristics of each message according to the protocol type of each message;
backfilling the data pane by utilizing the backfilling characteristics of each message to obtain a target pane;
acquiring a first list and a second list which are configured in advance, and marking each message in the target pane according to the first list and the second list to obtain a detection report;
calculating the connectivity matching degree of the target orientation network according to the detection report;
and outputting the detection report and the connectivity matching degree.
According to the preferred embodiment of the present invention, the segmenting the CAP packet to obtain each message carried in the CAP packet includes:
acquiring a starting identifier and an ending identifier;
determining the starting identifier and the ending identifier as partitioning points to partition the CAP packet;
and for each segment of data obtained after segmentation, determining the starting identifier as a message starting point, and determining the ending identifier as a message ending point to obtain each message carried in the CAP packet.
According to the preferred embodiment of the present invention, the determining, by using the TF-IDF algorithm, the protocol type of each packet based on the data pane includes:
reading the number of occurrences of each basic feature in each message and the total number of occurrences of all basic features in each message from the data pane;
calculating the quotient of the number of occurrences of each basic feature and the total number to obtain the occurrence frequency of each basic feature in each message;
acquiring a pre-configured message protocol dictionary, wherein the message protocol dictionary is used for storing a mapping relation between protocol types and characteristics;
determining the number of each protocol type in the message protocol dictionary;
determining the number of each basic feature in the message protocol dictionary;
calculating the sum of the number of each basic characteristic and a preset value to obtain a basic value of each basic characteristic;
calculating a logarithmic value of a quotient of the quantity of each protocol type and a basic value of each basic feature to obtain an inverse frequency of each basic feature relative to each protocol type;
calculating the product of the occurrence frequency of each basic feature and the inverse frequency of each basic feature relative to each protocol type to obtain the weight of each basic feature relative to each protocol type;
calculating the sum of the weights of all basic features in each message relative to each protocol type to obtain the degree of conformity of each message relative to each protocol type;
and determining the protocol type with the highest degree of conformity as the protocol type of each message.
According to the preferred embodiment of the present invention, the extracting the backfill feature of each packet according to the protocol type of each packet includes:
determining a field to which the backfill characteristics of each message belong according to the protocol type of each message;
and extracting the backfill characteristics of each message from each message according to the field to which the backfill characteristics of each message belong.
According to a preferred embodiment of the present invention, the first list is used to store characteristics of an object that is prohibited from accessing the target oriented network, the second list is used to store characteristics of an object that is allowed to access the target oriented network, and the marking each message in the target pane according to the first list and the second list includes:
reading the backfill characteristics of each message from the target pane;
matching backfill characteristics of each message with characteristics of the objects in the first list, and performing first marking on the matched message;
matching backfill characteristics of each message with characteristics of the objects in the second list, and performing second marking on the matched message;
and carrying out third marking on the messages which are not successfully matched with the first list and are not successfully matched with the second list.
According to a preferred embodiment of the present invention, the calculating the connectivity matching degree of the target oriented network according to the detection report includes:
acquiring the number of the messages with the second marks from the detection report as a first number;
acquiring the number of the messages with the third marks from the detection report as a second number;
calculating the sum of the first quantity and the second quantity to obtain a third quantity;
acquiring the total number of all messages from the detection report;
and calculating the quotient of the third quantity and the total quantity to obtain the connectivity matching degree of the target directional network.
According to a preferred embodiment of the present invention, after outputting the detection report and the connectivity matching degree, the method further comprises:
when the connectivity matching degree is not equal to 1, sending out prompt information;
and the prompt information is used for prompting that the target directional network has an abnormal access condition and prompting to check the detection report.
A directional network detection device based on TF-IDF algorithm comprises:
the acquisition unit is used for responding to a detection instruction of a target oriented network and acquiring a CAP packet captured from the target oriented network based on a network element;
the segmentation unit is used for segmenting the CAP packet to obtain each message carried in the CAP packet;
the generating unit is used for extracting the basic characteristics of each message and generating a data pane according to the basic characteristics of each message;
the determining unit is used for determining the protocol type of each message based on the data pane by adopting a TF-IDF algorithm;
the extracting unit is used for extracting backfill characteristics of each message according to the protocol type of each message;
the backfill unit is used for backfilling the data pane by utilizing the backfill characteristics of each message to obtain a target pane;
the marking unit is used for acquiring a first list and a second list which are configured in advance, and marking each message in the target pane according to the first list and the second list to obtain a detection report;
the calculation unit is used for calculating the connectivity matching degree of the target orientation network according to the detection report;
and the output unit is used for outputting the detection report and the connectivity matching degree.
A computer device, the computer device comprising:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement the TF-IDF algorithm-based directional network detection method.
A computer-readable storage medium having stored therein at least one instruction for execution by a processor in a computer device to implement the TF-IDF algorithm based directed network detection method.
According to the technical scheme, the method and the device can quickly match the relevant protocol types of the messages based on the TF-IDF algorithm, mark the messages by combining the configured lists, and quickly and accurately realize the detection of the directional network without manual intervention.
Drawings
Fig. 1 is a flow chart of a preferred embodiment of the directional network detection method based on the TF-IDF algorithm of the present invention.
Fig. 2 is a functional block diagram of a preferred embodiment of the directional network detection device based on the TF-IDF algorithm according to the present invention.
Fig. 3 is a schematic structural diagram of a computer device for implementing the preferred embodiment of the directional network detection method based on the TF-IDF algorithm according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flow chart of a preferred embodiment of the method for detecting a directional network based on the TF-IDF algorithm according to the present invention. The order of the steps in the flow chart may be changed and some steps may be omitted according to different needs.
The directional network detection method based on the TF-IDF algorithm is applied to one or more computer devices, wherein the computer devices are devices capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and hardware of the computer devices includes but is not limited to microprocessors, Application Specific Integrated Circuits (ASICs), Field-Programmable Gate Arrays (FPGAs), Digital Signal Processors (DSPs), embedded devices and the like.
The computer device may be any electronic product capable of performing human-computer interaction with a user, for example, a Personal computer, a tablet computer, a smart phone, a Personal Digital Assistant (PDA), a game machine, an interactive web Television (IPTV), an intelligent wearable device, and the like.
The computer device may also include a network device and/or a user device. The network device includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a Cloud Computing (Cloud Computing) based Cloud consisting of a large number of hosts or network servers.
The server may be an independent server, or may be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), a big data and artificial intelligence platform, and the like.
Among them, Artificial Intelligence (AI) is a theory, method, technique and application system that simulates, extends and expands human Intelligence using a digital computer or a machine controlled by a digital computer, senses the environment, acquires knowledge and uses the knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and the like.
The Network in which the computer device is located includes, but is not limited to, the internet, a wide area Network, a metropolitan area Network, a local area Network, a Virtual Private Network (VPN), and the like.
S10, responding to the detection instruction of the target oriented network, and acquiring the CAP packet captured from the target oriented network based on the network element.
In this embodiment, the target-oriented network refers to a network accessible by a specific object.
In this embodiment, the network element may include, but is not limited to: PGW (PDN GateWay), etc.
In this embodiment, the CAP packet may be a hexadecimal CAP file, or a CAP file of pcap or other types.
S11, segmenting the CAP packet to obtain each message carried in the CAP packet.
In at least one embodiment of the present invention, the segmenting the CAP packet to obtain each packet carried in the CAP packet includes:
acquiring a starting identifier and an ending identifier;
determining the starting identifier and the ending identifier as partitioning points to partition the CAP packet;
and for each segment of data obtained after segmentation, determining the starting identifier as a message starting point, and determining the ending identifier as a message ending point to obtain each message carried in the CAP packet.
For example: when the starting identifier is a first identifier and the ending identifier is a second identifier, the data carried between the first identifier and the second identifier after the division is one message.
Through the embodiment, the automatic segmentation of the CAP packet can be realized according to the identifier so as to extract each message in the CAP packet.
S12, extracting the basic characteristics of each message, and generating a data pane according to the basic characteristics of each message.
In at least one embodiment of the present invention, the basic features may include, but are not limited to, one or more of the following in combination:
source address Src, destination address Dest, source port SrcPort, destination port DestPort, base Protocol type Protocol, etc.
Further, each message is taken as a column, and the basic features of each message are placed in a square grid behind each message to form the data pane, which may be specifically referred to as the following table:
Message 1 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 2 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 3 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 4 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 5 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Through the embodiment, the data pane can be generated for subsequent data processing.
S13, determining the protocol type of each message based on the data pane by adopting a TF-IDF (term frequency-inverse document frequency) algorithm.
In at least one embodiment of the present invention, the determining, by using a TF-IDF algorithm, a protocol type of each packet based on the data pane includes:
reading the number of occurrences of each basic feature in each message and the total number of occurrences of all basic features in each message from the data pane;
calculating the quotient of the number of occurrences of each basic feature and the total number to obtain the occurrence frequency of each basic feature in each message;
acquiring a pre-configured message protocol dictionary, wherein the message protocol dictionary is used for storing a mapping relation between protocol types and characteristics;
determining the number of each protocol type in the message protocol dictionary;
determining the number of each basic feature in the message protocol dictionary;
calculating the sum of the number of each basic characteristic and a preset value to obtain a basic value of each basic characteristic;
calculating a logarithmic value of a quotient of the quantity of each protocol type and a basic value of each basic feature to obtain an inverse frequency of each basic feature relative to each protocol type;
calculating the product of the occurrence frequency of each basic feature and the inverse frequency of each basic feature relative to each protocol type to obtain the weight of each basic feature relative to each protocol type;
calculating the sum of the weights of all basic features in each message relative to each protocol type to obtain the degree of conformity of each message relative to each protocol type;
and determining the protocol type with the highest degree of conformity as the protocol type of each message.
For example: the message protocol dictionary may store: the DNS (Domain Name System) protocol, and the feature "port 53" corresponding to the DNS protocol; the GTP (GPRS Tunneling Protocol) protocol, and the feature "port 2152" corresponding to the GTP protocol; the GTP<HTTP> protocol, and the feature "port 80" corresponding to the GTP<HTTP> protocol.
Through this embodiment, the protocol type of each message can be automatically matched based on the TF-IDF algorithm and the configured message protocol dictionary, manual intervention is not needed, the calculation efficiency is high, the problem of misoperation caused by manual participation is effectively avoided, and the accuracy is high.
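The S13 calculation (the same steps are listed in the Disclosure) written out as a runnable sketch. This is an added example, not code from the patent: it assumes the preset value is 1, reads "the number of each protocol type" as the count of protocol types in the dictionary and "the number of each basic feature" as the count of protocol types that list the feature, lets a feature count toward a protocol only when the dictionary lists it for that protocol, and uses constructed "UDP"/"TCP" dictionary features and constructed sample messages.

```python
import math
from collections import Counter

# Constructed message protocol dictionary. The three port features are the
# ones named in the text; the "UDP"/"TCP" features are assumptions added here.
PROTOCOL_DICTIONARY = {
    "DNS": {"port 53", "UDP"},
    "GTP": {"port 2152", "UDP"},
    "GTP<HTTP>": {"port 80", "TCP"},
}
PRESET_VALUE = 1  # assumed value of the "preset value" added to the feature count

# Constructed data pane: Src, Dest, SrcPort, DestPort, Protocol per message.
DATA_PANE = {
    "Message 1": ["192.0.2.10", "198.51.100.53", "port 51514", "port 53", "UDP"],
    "Message 2": ["192.0.2.10", "203.0.113.1", "port 2152", "port 2152", "UDP"],
    "Message 3": ["192.0.2.10", "198.51.100.80", "port 40222", "port 80", "TCP"],
    "Message 4": ["192.0.2.10", "198.51.100.99", "port 5000", "port 6000", "UDP"],
}


def occurrence_frequencies(features):
    """Occurrences of each basic feature divided by the total occurrences."""
    counts = Counter(features)
    total = sum(counts.values())
    return {f: c / total for f, c in counts.items()} if total else {}


def inverse_frequencies(dictionary, preset=PRESET_VALUE):
    """log(protocol types / (protocol types listing the feature + preset))."""
    n_protocols = len(dictionary)
    listed = Counter(f for feats in dictionary.values() for f in feats)
    return {f: math.log(n_protocols / (n + preset)) for f, n in listed.items()}


def conformity_scores(features, dictionary=PROTOCOL_DICTIONARY):
    """Sum of frequency * inverse frequency over the features of each protocol."""
    tf = occurrence_frequencies(features)
    idf = inverse_frequencies(dictionary)
    return {
        proto: sum(tf[f] * idf[f] for f in feats if f in tf)
        for proto, feats in dictionary.items()
    }


def classify(features, dictionary=PROTOCOL_DICTIONARY):
    """Protocol with the highest degree of conformity, or None.

    None is returned when no protocol scores above zero or when the top score
    is shared, so an unmatched message is never given an arbitrary protocol.
    """
    scores = conformity_scores(features, dictionary)
    best = max(scores.values())
    winners = [p for p, s in scores.items()
               if math.isclose(s, best, abs_tol=1e-12)]
    if best <= 0 or len(winners) != 1:
        return None
    return winners[0]


if __name__ == "__main__":
    for name, features in DATA_PANE.items():
        print(name, classify(features), conformity_scores(features))
```

With only three protocol types, the feature "UDP" shared by two of them gets an inverse frequency of log(3/3) = 0, so the decision rests entirely on the port features. Message 4 carries no dictionary feature with a positive weight and is left unclassified rather than assigned to whichever protocol happens to come first.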
S14, extracting backfill characteristics of each message according to the protocol type of each message.
In at least one embodiment of the present invention, the extracting backfill characteristics of each packet according to a protocol type of each packet includes:
determining a field to which the backfill characteristics of each message belong according to the protocol type of each message;
and extracting the backfill characteristics of each message from each message according to the field to which the backfill characteristics of each message belong.
For example: the backfill characteristics can include, but are not limited to: IP (Internet Protocol), URL (uniform resource locator), domain name, and the like.
It will be appreciated that, unlike the base feature having a fixed field under each protocol type, the backfill feature will have a different field under each protocol type, and therefore needs to be extracted according to the different protocol types.
Through the implementation mode, the backfill characteristics can be extracted in a targeted manner based on the protocol type of the message, and manual intervention is not needed.
S15, backfilling the data pane by using the backfilling characteristics of each message to obtain a target pane.
In this embodiment, the backfill feature of each packet may be added behind the corresponding packet feature to obtain the target pane, which may specifically refer to the following table:
Message 1 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 1 |
Message 2 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 2 |
Message 3 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 3 |
Message 4 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 4 |
Message 5 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 5 |
S16, acquiring a first list and a second list which are configured in advance, and marking each message in the target pane according to the first list and the second list to obtain a detection report.
In at least one embodiment of the present invention, the first list is used to store characteristics of an object that is prohibited from accessing the target oriented network, the second list is used to store characteristics of an object that is allowed to access the target oriented network, and the marking each message in the target pane according to the first list and the second list includes:
reading the backfill characteristics of each message from the target pane;
matching backfill characteristics of each message with characteristics of the objects in the first list, and performing first marking on the matched message;
matching backfill characteristics of each message with characteristics of the objects in the second list, and performing second marking on the matched message;
and carrying out third marking on the messages which are not successfully matched with the first list and are not successfully matched with the second list.
Specifically, the first list is equivalent to a preconfigured blacklist, and the second list is equivalent to a preconfigured whitelist.
Further, according to the matching situation, the detection report is generated, and the specific form can be seen in the following table:
Message 1 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 1 | First mark |
Message 2 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 2 | Second mark |
Message 3 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 3 | Third mark |
Message 4 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 4 | First mark |
Message 5 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 5 | Second mark |
Through the embodiment, each message can be automatically marked by combining with the preconfigured list, and then the detection report is automatically generated.
S17, calculating the connectivity matching degree of the target directional network according to the detection report.
In at least one embodiment of the present invention, the calculating the connectivity matching degree of the target directional network according to the detection report includes:
acquiring the number of the messages with the second marks from the detection report as a first number;
acquiring the number of the messages with the third marks from the detection report as a second number;
calculating the sum of the first quantity and the second quantity to obtain a third quantity;
acquiring the total number of all messages from the detection report;
and calculating the quotient of the third quantity and the total quantity to obtain the connectivity matching degree of the target directional network.
Continuing the example above, if the number of messages with the second mark is 2, the number of messages with the third mark is 1, and the total number of all messages is 5, then the connectivity matching degree of the target directional network is calculated by the formula (2+1)/5 and is 60%.
By the implementation method, the connectivity matching degree of the target oriented network can be automatically calculated.
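The marking of S16 and the calculation of S17 (both also listed in the Disclosure), reproducing the five-message report and the 60% result above. This is an added example, not code from the patent: the backfill values and list entries are constructed, matching is assumed to be an exact comparison after lower-casing and stripping a trailing dot, and a feature found on both lists is assumed to take the first mark.

```python
from collections import Counter

FIRST_MARK, SECOND_MARK, THIRD_MARK = "first mark", "second mark", "third mark"

# Constructed target pane: (message, backfill feature such as IP, URL or domain).
TARGET_PANE = [
    ("Message 1", "blocked.example.net"),
    ("Message 2", "api.example.com"),
    ("Message 3", "203.0.113.7"),
    ("Message 4", "BLOCKED.example.net."),
    ("Message 5", "198.51.100.20"),
]
FIRST_LIST = ["blocked.example.net"]                # objects prohibited from access
SECOND_LIST = ["api.example.com", "198.51.100.20"]  # objects allowed to access


def normalise(feature):
    """Assumed matching rule: case-insensitive, trailing dot ignored."""
    return feature.strip().lower().rstrip(".")


def mark_messages(target_pane, first_list, second_list):
    """Return the detection report as (message, backfill feature, mark) rows."""
    prohibited = {normalise(x) for x in first_list}
    allowed = {normalise(x) for x in second_list}
    report = []
    for message, backfill in target_pane:
        key = normalise(backfill)
        if key in prohibited:          # assumption: the first list wins a conflict
            mark = FIRST_MARK
        elif key in allowed:
            mark = SECOND_MARK
        else:
            mark = THIRD_MARK
        report.append((message, backfill, mark))
    return report


def connectivity_matching_degree(report):
    """(second-marked + third-marked messages) / total messages."""
    if not report:
        raise ValueError("detection report contains no messages")
    counts = Counter(mark for _, _, mark in report)
    return (counts[SECOND_MARK] + counts[THIRD_MARK]) / len(report)


def prompt_needed(report):
    """True when the degree is not equal to 1, i.e. a first mark is present."""
    return connectivity_matching_degree(report) != 1


def abnormal_access_objects(report):
    """Backfill features of the first-marked messages, for the reviewer."""
    return sorted({normalise(b) for _, b, mark in report if mark == FIRST_MARK})


if __name__ == "__main__":
    report = mark_messages(TARGET_PANE, FIRST_LIST, SECOND_LIST)
    for row in report:
        print(" | ".join(row))
    print("connectivity matching degree:", connectivity_matching_degree(report))
    if prompt_needed(report):
        print("check the detection report:", abnormal_access_objects(report))
```

Because third-marked messages count toward the numerator, a degree of 1 only shows that no first-list object was seen; destinations absent from both lists still have to be read from the report.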
S18, outputting the detection report and the connectivity matching degree.
In this embodiment, the detection report and the connectivity matching degree may be transmitted to a terminal device of a specified user.
For example: the detection report and the connectivity matching degree can be transmitted to a terminal device of a client or a terminal device of a tester.
In this embodiment, after outputting the detection report and the connectivity matching degree, the method further includes:
when the connectivity matching degree is not equal to 1, sending out prompt information;
and the prompt information is used for prompting that the target directional network has an abnormal access condition and prompting to check the detection report.
For example: the prompt message may be: "The connectivity matching degree of the current network is not one hundred percent, and there may be an abnormal access condition; please query the detection report to determine the abnormal access object".
It can be understood that whenever the detection report shows an object in the blacklist accessing the target oriented network, an abnormal access condition exists. The calculated connectivity matching degree will then not be 1, and the prompt information is sent out in time to remind the relevant personnel to handle the abnormality.
And when the connectivity matching degree is 1, it indicates that there is no object in the blacklist accessing the target oriented network in the detection report, and there is no abnormal access, and at this time, the detection report does not need to be checked, so as to save time. Of course, the detection report is still output for the user to review when needed.
According to the technical scheme, the method can divide the collected CAP packet to obtain each message, generate a data pane according to the basic characteristics of each message, determine the protocol type of each message based on the data pane by adopting a TF-IDF algorithm, extract the backfill characteristics of each message according to the protocol type of each message to backfill the data pane to obtain the target pane, mark each message in the target pane according to the first list and the second list to obtain the detection report, calculate the connectivity matching degree of the target directional network according to the detection report, and output the detection report and the connectivity matching degree. The invention can quickly match the relevant protocol types of the messages based on the TF-IDF algorithm, marks the messages by combining the configured list, and can quickly and accurately realize the detection of the directional network without manual intervention.
Fig. 2 is a functional block diagram of a preferred embodiment of the directional network detection apparatus based on the TF-IDF algorithm according to the present invention. The directional network detection apparatus 11 based on the TF-IDF algorithm comprises an acquisition unit 110, a segmentation unit 111, a generation unit 112, a determination unit 113, an extraction unit 114, a backfill unit 115, a marking unit 116, a calculation unit 117 and an output unit 118. A module/unit referred to in the present invention is a series of computer program segments that are stored in the memory 12, can be executed by the processor 13, and perform a fixed function. The functions of the modules/units are described in detail in the following embodiments.
The acquisition unit 110 is used for responding to a detection instruction of a target directional network and acquiring a CAP packet captured from the target directional network based on a network element.
In this embodiment, the target directional network refers to a network accessible by a specific object.
In this embodiment, the network element may include, but is not limited to: PGW (PDN GateWay), etc.
In this embodiment, the CAP packet may be a hexadecimal CAP file, or a CAP file in pcap or another format.
The segmentation unit 111 segments the CAP packet to obtain each message carried in the CAP packet.
In at least one embodiment of the present invention, the segmentation unit 111 segmenting the CAP packet to obtain each message carried in the CAP packet includes:
acquiring a starting identifier and an ending identifier;
determining the starting identifier and the ending identifier as partitioning points to partition the CAP packet;
and for each segment of data obtained after segmentation, determining the starting identifier as a message starting point, and determining the ending identifier as a message ending point to obtain each message carried in the CAP packet.
For example, when the starting identifier is a first identifier and the ending identifier is a second identifier, the data carried between the first identifier and the second identifier after segmentation is one message.
Through the embodiment, the automatic segmentation of the CAP packet can be realized according to the identifier so as to extract each message in the CAP packet.
The generating unit 112 extracts the basic features of each message and generates a data pane according to the basic features of each message.
In at least one embodiment of the present invention, the basic features may include, but are not limited to, one or more of the following in combination:
source address Src, destination address Dest, source port SrcPort, destination port DestPort, basic protocol type Protocol, etc.
Further, the messages are listed in a column, and the basic features of each message are placed in the cells following that message to form the data pane, as shown in the following table:
Message 1 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 2 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 3 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 4 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Message 5 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 |
Through the embodiment, the data pane can be generated for subsequent data processing.
The determining unit 113 determines the protocol type of each message based on the data pane by using a TF-IDF (term frequency-inverse document frequency) algorithm.
In at least one embodiment of the present invention, the determining unit 113 determining the protocol type of each message based on the data pane by using the TF-IDF algorithm includes:
reading, from the data pane, the number of occurrences of each basic feature in each message and the total number of occurrences of all basic features in each message;
calculating the quotient of the number of occurrences of each basic feature and the total number of occurrences to obtain the occurrence frequency of each basic feature in each message;
acquiring a pre-configured message protocol dictionary, wherein the message protocol dictionary is used for storing a mapping relation between protocol types and characteristics;
determining the number of each protocol type in the message protocol dictionary;
determining the number of each basic feature in the message protocol dictionary;
calculating the sum of the number of each basic characteristic and a preset value to obtain a basic value of each basic characteristic;
calculating a logarithmic value of a quotient of the quantity of each protocol type and a basic value of each basic feature to obtain an inverse frequency of each basic feature relative to each protocol type;
calculating the product of the occurrence frequency of each basic feature and the inverse frequency of each basic feature relative to each protocol type to obtain the weight of each basic feature relative to each protocol type;
calculating the sum of the weights of all basic features in each message relative to each protocol type to obtain the degree of conformity of each message relative to each protocol type;
and determining the protocol type with the highest degree of conformity as the protocol type of each message.
For example, the message protocol dictionary may store: the DNS (Domain Name System) protocol and its corresponding feature "port 53"; the GTP (GPRS Tunnelling Protocol) protocol and its corresponding feature "port 2152"; and the GTP<HTTP> protocol and its corresponding feature "port 80".
Through this embodiment, the protocol type of each message can be matched automatically based on the TF-IDF algorithm and the configured message protocol dictionary, without manual intervention; the calculation is efficient, misoperation caused by manual participation is effectively avoided, and the accuracy is high.
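The steps listed for the determining unit 113 (the same steps recited in claim 3) can be followed in the sketch below, which is an added example and not code from the patent. The token format, the "proto:" dictionary features, the preset value of 1, the rule that a feature only scores for protocol types that list it, and the handling of zero or tied scores are assumptions; the three port features are the ones given in the text.

```python
import math
from collections import Counter

# Message protocol dictionary: protocol type -> features. The three port
# features come from the text; the "proto:" features are constructed here so
# that one feature is shared between protocol types.
PROTOCOL_DICTIONARY = {
    "DNS": {"port:53", "proto:UDP"},
    "GTP": {"port:2152", "proto:UDP"},
    "GTP<HTTP>": {"port:80", "proto:TCP"},
}
PRESET_VALUE = 1  # assumption: the text only says "a preset value"


def basic_feature_tokens(row):
    """Turn one data-pane row into the list of basic-feature tokens it contains."""
    return [
        f"ip:{row['Src']}",
        f"ip:{row['Dest']}",
        f"port:{row['SrcPort']}",
        f"port:{row['DestPort']}",
        f"proto:{row['Protocol']}",
    ]


def inverse_frequency(feature, dictionary=PROTOCOL_DICTIONARY, preset=PRESET_VALUE):
    """log(number of protocol types / (number of entries listing the feature + preset))."""
    type_count = len(dictionary)
    feature_count = sum(1 for features in dictionary.values() if feature in features)
    base_value = feature_count + preset
    return math.log(type_count / base_value)


def conformity_scores(row, dictionary=PROTOCOL_DICTIONARY, preset=PRESET_VALUE):
    """Degree of conformity of one message relative to every protocol type."""
    tokens = basic_feature_tokens(row)
    counts = Counter(tokens)   # number of occurrences of each basic feature
    total = len(tokens)        # total number of occurrences of all basic features
    scores = {}
    for protocol, features in dictionary.items():
        # Assumption: a feature's weight counts toward a protocol type only if
        # the dictionary maps that protocol type to the feature.
        scores[protocol] = sum(
            (counts[f] / total) * inverse_frequency(f, dictionary, preset)
            for f in features
            if f in counts
        )
    return scores


def classify(row, dictionary=PROTOCOL_DICTIONARY, preset=PRESET_VALUE):
    """Protocol type with the highest degree of conformity, or None."""
    scores = conformity_scores(row, dictionary, preset)
    best = max(scores, key=scores.get)
    top = scores[best]
    # Not covered by the text: when nothing scores above zero, or the top score
    # is tied, picking "the highest" would be arbitrary, so report no match.
    if top <= 0 or list(scores.values()).count(top) > 1:
        return None
    return best


# Constructed data pane (documentation addresses), one row per message.
SAMPLE_PANE = [
    {"Src": "192.0.2.10", "Dest": "198.51.100.53", "SrcPort": 40000, "DestPort": 53, "Protocol": "UDP"},
    {"Src": "192.0.2.20", "Dest": "198.51.100.7", "SrcPort": 2152, "DestPort": 2152, "Protocol": "UDP"},
    {"Src": "192.0.2.30", "Dest": "198.51.100.80", "SrcPort": 51000, "DestPort": 80, "Protocol": "TCP"},
    {"Src": "192.0.2.40", "Dest": "198.51.100.9", "SrcPort": 123, "DestPort": 123, "Protocol": "UDP"},
]

if __name__ == "__main__":
    for row in SAMPLE_PANE:
        print(classify(row), conformity_scores(row))
```

With this dictionary, "proto:UDP" is listed by two of the three protocol types, so its inverse frequency is log(3/3) = 0 and the UDP message on port 123 matches nothing; only features that distinguish one protocol type from the others carry weight.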
The extracting unit 114 extracts the backfill feature of each message according to the protocol type of each message.
In at least one embodiment of the present invention, the extracting unit 114 extracting the backfill feature of each message according to the protocol type of each message includes:
determining a field to which the backfill characteristics of each message belong according to the protocol type of each message;
and extracting the backfill characteristics of each message from each message according to the field to which the backfill characteristics of each message belong.
For example: the backfill characteristics can include, but are not limited to: IP (Internet Protocol), URL (uniform resource locator), domain name, and the like.
It will be appreciated that, unlike the basic features, which occupy fixed fields under every protocol type, the backfill feature occupies a different field under each protocol type and therefore needs to be extracted according to the protocol type.
Through the implementation mode, the backfill characteristics can be extracted in a targeted manner based on the protocol type of the message, and manual intervention is not needed.
The backfill unit 115 backfills the data pane with the backfill characteristics of each message to obtain a target pane.
In this embodiment, the backfill feature of each message may be appended after the basic features of the corresponding message to obtain the target pane, as shown in the following table:
Message 1 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 1 |
Message 2 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 2 |
Message 3 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 3 |
Message 4 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 4 |
Message 5 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 5 |
The marking unit 116 obtains a first list and a second list configured in advance, and marks each message in the target pane according to the first list and the second list to obtain a detection report.
In at least one embodiment of the present invention, the first list is used to store characteristics of objects that are prohibited from accessing the target directional network, the second list is used to store characteristics of objects that are allowed to access the target directional network, and the marking unit 116 marking each message in the target pane according to the first list and the second list includes:
reading the backfill characteristics of each message from the target pane;
matching backfill characteristics of each message with characteristics of the objects in the first list, and performing first marking on the matched message;
matching backfill characteristics of each message with characteristics of the objects in the second list, and performing second marking on the matched message;
and carrying out third marking on the messages which are not successfully matched with the first list and are not successfully matched with the second list.
Specifically, the first list is equivalent to a preconfigured blacklist, and the second list is equivalent to a preconfigured whitelist.
Further, the detection report is generated according to the matching result, in the form shown in the following table:
Message 1 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 1 | First mark |
Message 2 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 2 | Second mark |
Message 3 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 3 | Third mark |
Message 4 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 4 | First mark |
Message 5 | Basic feature 1 | Basic feature 2 | Basic feature 3 | Basic feature 4 | Backfill feature 5 | Second mark |
Through the embodiment, each message can be automatically marked by combining with the preconfigured list, and then the detection report is automatically generated.
The calculating unit 117 calculates the connectivity matching degree of the target directional network according to the detection report.
In at least one embodiment of the present invention, the calculating unit 117 calculating the connectivity matching degree of the target directional network according to the detection report includes:
acquiring the number of the messages with the second marks from the detection report as a first number;
acquiring the number of the messages with the third marks from the detection report as a second number;
calculating the sum of the first quantity and the second quantity to obtain a third quantity;
acquiring the total number of all messages from the detection report;
and calculating the quotient of the third quantity and the total quantity to obtain the connectivity matching degree of the target directional network.
Continuing the above example, if the number of messages with the second mark is 2, the number of messages with the third mark is 1, and the total number of messages is 5, then the connectivity matching degree of the target directional network is calculated as (2+1)/5, which is 60%.
Through this embodiment, the connectivity matching degree of the target directional network can be calculated automatically.
The output unit 118 outputs the detection report and the connectivity matching degree.
In this embodiment, the detection report and the connectivity matching degree may be transmitted to a terminal device of a specified user.
For example: the detection report and the connectivity matching degree can be transmitted to a terminal device of a client or a terminal device of a tester.
In this embodiment, after the detection report and the connectivity matching degree are output, when the connectivity matching degree is not equal to 1, prompt information is sent out;
and the prompt information is used for prompting that the target directional network has an abnormal access condition and prompting to check the detection report.
For example, the prompt information may be: "The connectivity matching degree of the current network is not 100%, and there may be an abnormal access condition; please consult the detection report to determine the abnormal access object."
It can be understood that whenever the detection report shows that an object in the blacklist has accessed the target directional network, an abnormal access condition exists and the calculated connectivity matching degree will not be 1; the prompt information is then sent out in time to remind the relevant personnel to handle the abnormality.
When the connectivity matching degree is 1, the detection report contains no object in the blacklist accessing the target directional network and there is no abnormal access, so the detection report does not need to be checked, which saves time. Of course, the detection report is still output for the user to review when needed.
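The marking, connectivity matching degree and prompt steps described for units 116 to 118 are combined in the sketch below, which is an added example and not code from the patent. The list contents, the target pane rows, the normalisation of features and the rule that the first list wins when a feature appears in both lists are assumptions; the sample rows are constructed to reproduce the marks in the detection report table and the (2+1)/5 result.

```python
FIRST_MARK, SECOND_MARK, THIRD_MARK = "first mark", "second mark", "third mark"

# Constructed lists: first list = blacklist, second list = whitelist.
FIRST_LIST = {"blocked.example", "203.0.113.66"}
SECOND_LIST = {"portal.example", "198.51.100.10"}


def normalise(feature):
    """Assumed normalisation so list entries and backfill features compare equal."""
    return feature.strip().lower().rstrip(".")


def mark_messages(target_pane, first_list, second_list):
    """Return the detection report: every target-pane row plus its mark."""
    blocked = {normalise(f) for f in first_list}
    allowed = {normalise(f) for f in second_list}
    report = []
    for row in target_pane:
        feature = normalise(row["backfill"])
        # Assumption: the text does not say which list wins when a feature is
        # in both; the first list (blacklist) is checked first here.
        if feature in blocked:
            mark = FIRST_MARK
        elif feature in allowed:
            mark = SECOND_MARK
        else:
            mark = THIRD_MARK
        report.append({**row, "mark": mark})
    return report


def connectivity_matching_degree(report):
    """(second-mark count + third-mark count) / total number of messages."""
    if not report:
        raise ValueError("detection report contains no messages")
    first_number = sum(1 for r in report if r["mark"] == SECOND_MARK)
    second_number = sum(1 for r in report if r["mark"] == THIRD_MARK)
    third_number = first_number + second_number
    return third_number / len(report)


def prompt_information(degree):
    """Prompt text when the degree is not equal to 1, otherwise None."""
    if degree != 1:
        return ("The connectivity matching degree of the current network is not "
                "100%; consult the detection report for the abnormal access object.")
    return None


# Constructed target pane; only the backfill feature matters for marking.
SAMPLE_TARGET_PANE = [
    {"message": 1, "backfill": "blocked.example"},
    {"message": 2, "backfill": "Portal.Example."},
    {"message": 3, "backfill": "unlisted.example"},
    {"message": 4, "backfill": "203.0.113.66"},
    {"message": 5, "backfill": "198.51.100.10"},
]

if __name__ == "__main__":
    report = mark_messages(SAMPLE_TARGET_PANE, FIRST_LIST, SECOND_LIST)
    degree = connectivity_matching_degree(report)
    for r in report:
        print(r["message"], r["backfill"], r["mark"])
    print(f"connectivity matching degree: {degree:.0%}")
    print(prompt_information(degree))
```

Because third-mark messages are counted in the numerator, a capture that contains only destinations missing from both lists still scores 1 and raises no prompt; those messages are visible only in the detection report.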
According to the technical scheme, the method can divide the collected CAP packet to obtain each message, generate a data pane according to the basic characteristics of each message, determine the protocol type of each message based on the data pane by adopting a TF-IDF algorithm, extract the backfill characteristics of each message according to the protocol type of each message to backfill the data pane to obtain the target pane, mark each message in the target pane according to the first list and the second list to obtain the detection report, calculate the connectivity matching degree of the target directional network according to the detection report, and output the detection report and the connectivity matching degree. The invention can quickly match the relevant protocol types of the messages based on the TF-IDF algorithm, marks the messages by combining the configured list, and can quickly and accurately realize the detection of the directional network without manual intervention.
Fig. 3 is a schematic structural diagram of a computer device for implementing the directional network detection method based on the TF-IDF algorithm according to the preferred embodiment of the present invention.
The computer device 1 may comprise a memory 12, a processor 13 and a bus, and may further comprise a computer program, such as a directional network detection program based on the TF-IDF algorithm, stored in the memory 12 and executable on the processor 13.
It will be understood by those skilled in the art that the schematic diagram is merely an example of the computer device 1, and does not constitute a limitation to the computer device 1, the computer device 1 may have a bus-type structure or a star-shaped structure, the computer device 1 may further include more or less other hardware or software than those shown, or different component arrangements, for example, the computer device 1 may further include an input and output device, a network access device, etc.
It should be noted that the computer device 1 is only an example, and other electronic products that are currently available or may come into existence in the future, such as electronic products that can be adapted to the present invention, should also be included in the scope of the present invention, and are included herein by reference.
The memory 12 includes at least one type of readable storage medium, which includes flash memory, removable hard disks, multimedia cards, card-type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disks, optical disks, etc. The memory 12 may in some embodiments be an internal storage unit of the computer device 1, for example a removable hard disk of the computer device 1. The memory 12 may also be an external storage device of the computer device 1 in other embodiments, such as a plug-in removable hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a flash memory card (Flash Card), etc. provided on the computer device 1. Further, the memory 12 may also include both an internal storage unit and an external storage device of the computer device 1. The memory 12 can be used not only for storing application software installed in the computer device 1 and various types of data, such as the code of a directional network detection program based on the TF-IDF algorithm, but also for temporarily storing data that has been output or is to be output.
The processor 13 may be composed of an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital processing chips, graphics processors, and combinations of various control chips. The processor 13 is the control unit of the computer device 1, connects various components of the whole computer device 1 by using various interfaces and lines, and executes various functions and processes data of the computer device 1 by running or executing programs or modules (for example, executing a directional network detection program based on the TF-IDF algorithm, and the like) stored in the memory 12 and calling data stored in the memory 12.
The processor 13 executes the operating system of the computer device 1 and various installed application programs. The processor 13 executes the application program to implement the steps in each of the embodiments of the TF-IDF algorithm-based directional network detection method described above, such as the steps shown in fig. 1.
Illustratively, the computer program may be divided into one or more modules/units, which are stored in the memory 12 and executed by the processor 13 to accomplish the present invention. The one or more modules/units may be a series of computer readable instruction segments capable of performing certain functions, which are used to describe the execution of the computer program in the computer device 1. For example, the computer program may be segmented into an acquisition unit 110, a segmentation unit 111, a generation unit 112, a determination unit 113, an extraction unit 114, a backfill unit 115, a labeling unit 116, a calculation unit 117, an output unit 118.
The integrated unit implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a computer device, or a network device) or a processor to execute parts of the directional network detection method based on the TF-IDF algorithm according to the embodiments of the present invention.
The integrated modules/units of the computer device 1 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented.
Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), random-access Memory, or the like.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one line is shown in FIG. 3, but this does not mean only one bus or one type of bus. The bus is arranged to enable connection communication between the memory 12 and at least one processor 13 or the like.
Although not shown, the computer device 1 may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor 13 through a power management device, so that functions of charge management, discharge management, power consumption management and the like are realized through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The computer device 1 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
Further, the computer device 1 may further include a network interface, and optionally, the network interface may include a wired interface and/or a wireless interface (such as a Wi-Fi interface, a Bluetooth interface, etc.), which are generally used for establishing a communication connection between the computer device 1 and other computer devices.
Optionally, the computer device 1 may further comprise a user interface, which may be a display or an input unit such as a keyboard, and optionally a standard wired interface or a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the computer device 1 and for displaying a visualized user interface.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
Fig. 3 shows only the computer device 1 with the components 12-13, and it will be understood by a person skilled in the art that the structure shown in fig. 3 does not constitute a limitation of the computer device 1 and may comprise fewer or more components than shown, or a combination of certain components, or a different arrangement of components.
With reference to fig. 1, the memory 12 of the computer device 1 stores a plurality of instructions to implement a directional network detection method based on the TF-IDF algorithm, and the processor 13 can execute the plurality of instructions to implement:
responding to a detection instruction of a target directional network, and acquiring a CAP packet captured from the target directional network based on a network element;
segmenting the CAP packet to obtain each message carried in the CAP packet;
extracting the basic characteristics of each message, and generating a data pane according to the basic characteristics of each message;
determining the protocol type of each message based on the data pane by adopting a TF-IDF algorithm;
extracting backfill characteristics of each message according to the protocol type of each message;
backfilling the data pane by utilizing the backfilling characteristics of each message to obtain a target pane;
acquiring a first list and a second list which are configured in advance, and marking each message in the target pane according to the first list and the second list to obtain a detection report;
calculating the connectivity matching degree of the target directional network according to the detection report;
and outputting the detection report and the connectivity matching degree.
Specifically, for the specific implementation of the instructions by the processor 13, reference may be made to the description of the relevant steps in the embodiment corresponding to Fig. 1, which is not repeated here.
It should be noted that all the data involved in the present application are legally acquired.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The invention is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the present invention may also be implemented by one unit or means through software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.
Claims (10)
1. A directional network detection method based on TF-IDF algorithm is characterized by comprising the following steps:
responding to a detection instruction of a target directional network, and acquiring a CAP packet captured from the target directional network based on a network element;
segmenting the CAP packet to obtain each message carried in the CAP packet;
extracting the basic characteristics of each message, and generating a data pane according to the basic characteristics of each message;
determining the protocol type of each message based on the data pane by adopting a TF-IDF algorithm;
extracting backfill characteristics of each message according to the protocol type of each message;
backfilling the data pane by utilizing the backfilling characteristics of each message to obtain a target pane;
acquiring a first list and a second list which are configured in advance, and marking each message in the target pane according to the first list and the second list to obtain a detection report;
calculating the connectivity matching degree of the target directional network according to the detection report;
and outputting the detection report and the connectivity matching degree.
2. The method according to claim 1, wherein the segmenting the CAP packet to obtain each packet carried in the CAP packet comprises:
acquiring a starting identifier and an ending identifier;
determining the starting identifier and the ending identifier as partitioning points to partition the CAP packet;
and for each segment of data obtained after segmentation, determining the starting identifier as a message starting point, and determining the ending identifier as a message ending point to obtain each message carried in the CAP packet.
3. The TF-IDF algorithm-based directional network detection method according to claim 1, wherein said determining the protocol type of each message based on said data pane using the TF-IDF algorithm comprises:
reading, from the data pane, the number of occurrences of each basic feature in each message and the total number of occurrences of all basic features in each message;
calculating the quotient of the number of occurrences of each basic feature and the total number of occurrences to obtain the occurrence frequency of each basic feature in each message;
acquiring a pre-configured message protocol dictionary, wherein the message protocol dictionary is used for storing a mapping relation between protocol types and characteristics;
determining the number of each protocol type in the message protocol dictionary;
determining the number of each basic feature in the message protocol dictionary;
calculating the sum of the number of each basic characteristic and a preset value to obtain a basic value of each basic characteristic;
calculating a logarithmic value of a quotient of the quantity of each protocol type and a basic value of each basic feature to obtain an inverse frequency of each basic feature relative to each protocol type;
calculating the product of the occurrence frequency of each basic feature and the inverse frequency of each basic feature relative to each protocol type to obtain the weight of each basic feature relative to each protocol type;
calculating the sum of the weights of all basic features in each message relative to each protocol type to obtain the degree of conformity of each message relative to each protocol type;
and determining the protocol type with the highest degree of conformity as the protocol type of each message.
4. The method according to claim 1, wherein the extracting backfill characteristics of each packet according to the protocol type of each packet comprises:
determining a field to which the backfill characteristics of each message belong according to the protocol type of each message;
and extracting the backfill characteristics of each message from each message according to the field to which the backfill characteristics of each message belong.
5. The TF-IDF algorithm-based directed network detection method according to claim 1, wherein said first list is used for storing the characteristics of the objects prohibited from accessing the target directed network, said second list is used for storing the characteristics of the objects allowed to access the target directed network, said marking each packet in the target pane according to the first list and the second list comprises:
reading the backfill characteristics of each message from the target pane;
matching backfill characteristics of each message with characteristics of the objects in the first list, and performing first marking on the matched message;
matching backfill characteristics of each message with characteristics of the objects in the second list, and performing second marking on the matched message;
and carrying out third marking on the messages which are not successfully matched with the first list and are not successfully matched with the second list.
6. The TF-IDF algorithm-based directional network detection method according to claim 5, wherein said calculating connectivity match of the target directional network according to the detection report comprises:
acquiring the number of the messages with the second marks from the detection report as a first number;
acquiring the number of the messages with the third marks from the detection report as a second number;
calculating the sum of the first quantity and the second quantity to obtain a third quantity;
acquiring the total number of all messages from the detection report;
and calculating the quotient of the third quantity and the total quantity to obtain the connectivity matching degree of the target directional network.
7. A method for directional network detection based on TF-IDF algorithm according to claim 1, wherein after outputting the detection report and the connectivity match degree, the method further comprises:
when the connectivity matching degree is not equal to 1, sending out prompt information;
and the prompt information is used for prompting that the target directional network has an abnormal access condition and prompting to check the detection report.
8. A directional network detection device based on the TF-IDF algorithm, characterized in that the device comprises:
the acquisition unit is used for responding to a detection instruction of a target directional network and acquiring a CAP packet captured from the target directional network based on a network element;
the segmentation unit is used for segmenting the CAP packet to obtain each message carried in the CAP packet;
the generating unit is used for extracting the basic characteristics of each message and generating a data pane according to the basic characteristics of each message;
the determining unit is used for determining the protocol type of each message based on the data pane by adopting a TF-IDF algorithm;
the extracting unit is used for extracting backfill characteristics of each message according to the protocol type of each message;
the backfill unit is used for backfilling the data pane by utilizing the backfill characteristics of each message to obtain a target pane;
the marking unit is used for acquiring a first list and a second list which are configured in advance, and marking each message in the target pane according to the first list and the second list to obtain a detection report;
the calculation unit is used for calculating the connectivity matching degree of the target directional network according to the detection report;
and the output unit is used for outputting the detection report and the connectivity matching degree.
9. A computer device, characterized in that the computer device comprises:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement a TF-IDF algorithm based directional network detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium characterized by: the computer-readable storage medium has stored therein at least one instruction that is executed by a processor in a computer device to implement the TF-IDF algorithm based directed network detection method according to any one of claims 1 to 7.
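The scoring of claim 3 and the marking and connectivity calculation of claims 4 to 7, carried through on three messages as an added example; it is not code from the patent. The dictionary contents, feature tokens, backfill field names and list entries are constructed, the preset value is assumed to be 1, and because the claim does not say how a weight becomes specific to a protocol type, the example assumes a feature contributes to a protocol's score only when the dictionary lists it for that protocol.

```python
import math
from collections import Counter

# Constructed sample data; none of these values come from the patent.
PROTOCOL_DICT = {  # message protocol dictionary: protocol type -> features
    "HTTP": {"GET", "POST", "Host", "HTTP/1.1"},
    "DNS": {"query", "A", "IN", "rcode"},
    "MQTT": {"CONNECT", "PUBLISH", "topic", "qos"},
    "TLS": {"ClientHello", "SNI", "cipher", "Host"},
}
BACKFILL_FIELD = {"HTTP": "host", "DNS": "qname", "MQTT": "broker"}
FIRST_LIST = {"ads.example.net"}    # objects prohibited from access
SECOND_LIST = {"api.example.com"}   # objects allowed to access
PRESET = 1                          # the claim's preset value (assumed 1)
MESSAGES = [
    {"features": ["GET", "Host", "HTTP/1.1"], "host": "api.example.com"},
    {"features": ["query", "A", "IN"], "qname": "ads.example.net"},
    {"features": ["CONNECT", "topic", "qos"], "broker": "mqtt.example.org"},
]

def classify(features):
    """Claim 3: score a message against every protocol type, pick the best."""
    counts, scores = Counter(features), {}
    total = sum(counts.values())
    for proto, known in PROTOCOL_DICT.items():
        score = 0.0
        for feat, n in counts.items():
            if feat in known:  # assumed reading: only listed features count
                holders = sum(feat in fs for fs in PROTOCOL_DICT.values())
                idf = math.log(len(PROTOCOL_DICT) / (holders + PRESET))
                score += (n / total) * idf  # frequency * inverse frequency
        scores[proto] = score
    best = max(scores, key=scores.get)
    # Added guard, not in the claims: no positive score means no protocol fits.
    return (best if scores[best] > 0 else "unknown"), scores

def mark(backfill):
    """Claim 5: first mark = prohibited, second = allowed, third = neither."""
    marks = {"first"} if backfill in FIRST_LIST else set()
    marks |= {"second"} if backfill in SECOND_LIST else set()
    return marks or {"third"}

def detect(messages):
    """Claims 4 to 6: backfill, mark, then the connectivity matching degree."""
    report = []
    for msg in messages:
        proto, _ = classify(msg["features"])
        report.append(mark(msg.get(BACKFILL_FIELD.get(proto))))
    counted = sum(("second" in m) + ("third" in m) for m in report)
    return report, counted / len(report)

if __name__ == "__main__":
    report, degree = detect(MESSAGES)
    print(report, degree, "abnormal access: check report" if degree != 1 else "ok")
```

With the preset value of 1, a feature the dictionary lists for half or more of the protocol types gets an inverse frequency of zero or below, so a small dictionary cannot separate protocols on shared features.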
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111634982.6A CN114268559B (en) | 2021-12-27 | 2021-12-27 | Directional network detection method, device, equipment and medium based on TF-IDF algorithm |
PCT/CN2022/142008 WO2023125435A1 (en) | 2021-12-27 | 2022-12-26 | Directional network detection method and apparatus based on tf-idf algorithm, device and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111634982.6A CN114268559B (en) | 2021-12-27 | 2021-12-27 | Directional network detection method, device, equipment and medium based on TF-IDF algorithm |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114268559A (en) | 2022-04-01 |
CN114268559B (en) | 2024-02-20 |
Family
ID=80831384
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
Application Number | Priority Date | Filing Date | Title |
CN202111634982.6A Active CN114268559B (en) | 2021-12-27 | 2021-12-27 | Directional network detection method, device, equipment and medium based on TF-IDF algorithm |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114268559B (en) |
WO (1) | WO2023125435A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023125435A1 (en) * | 2021-12-27 | 2023-07-06 | 天翼物联科技有限公司 | Directional network detection method and apparatus based on tf-idf algorithm, device and medium |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1997007614A1 (en) * | 1995-08-16 | 1997-02-27 | Telstra Corporation Limited | A network analysis system |
US20040268232A1 (en) * | 2003-06-24 | 2004-12-30 | Microsoft Corporation | Pane Element |
US20080117907A1 (en) * | 2006-11-22 | 2008-05-22 | Hein Richard W | Method and Apparatus for Generating Bi-directional Network Traffic and Collecting Statistics on Same |
EP2041923A2 (en) * | 2006-07-14 | 2009-04-01 | Cuculus Gmbh | Method and arrangement for creating networks for accessing a public network |
WO2014127827A1 (en) * | 2013-02-22 | 2014-08-28 | Telefonaktiebolaget L M Ericsson (Publ) | A network node and a method of a network node of controlling data packet delivery to a mobile terminal in case of data rate throttling after having reached a data download cap |
CN104067588A (en) * | 2011-09-26 | 2014-09-24 | 高通股份有限公司 | Systems and methods for traffic detection network control |
US20160094467A1 (en) * | 2014-09-25 | 2016-03-31 | Hughes Network Systems, Llc | Application aware multihoming for data traffic acceleration in data communications networks |
CN106815199A (en) * | 2015-11-30 | 2017-06-09 | 任子行网络技术股份有限公司 | Protocol type analysis method and device based on machine learning |
CN107273454A (en) * | 2017-05-31 | 2017-10-20 | 北京京东尚科信息技术有限公司 | User data sorting technique, device, server and computer-readable recording medium |
CN108234141A (en) * | 2016-12-22 | 2018-06-29 | 中移(杭州)信息技术有限公司 | A kind of orientation flow processing method and server |
CN109257242A (en) * | 2017-07-13 | 2019-01-22 | 中国电信股份有限公司 | Business recognition method and device, grouped data network gateway |
CN110471832A (en) * | 2019-06-25 | 2019-11-19 | 平安科技(深圳)有限公司 | Processing method, device and the computer readable storage medium of program operation |
CN112887173A (en) * | 2021-02-19 | 2021-06-01 | 山东英信计算机技术有限公司 | Storage network detection method, device, equipment and readable storage medium |
CN113422774A (en) * | 2021-06-23 | 2021-09-21 | 安徽工业大学 | Automatic penetration testing method and device based on network protocol and storage medium |
CN113783881A (en) * | 2021-09-15 | 2021-12-10 | 浙江工业大学 | Network honeypot deployment method facing penetration attack |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114268559B (en) * | 2021-12-27 | 2024-02-20 | 天翼物联科技有限公司 | Directional network detection method, device, equipment and medium based on TF-IDF algorithm |
Also Published As
Publication number | Publication date |
---|---|
CN114268559B (en) | 2024-02-20 |
WO2023125435A1 (en) | 2023-07-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |