CN117081822A - Traffic detection method, traffic detection device, communication equipment, storage medium and chip - Google Patents

Traffic detection method, traffic detection device, communication equipment, storage medium and chip Download PDF

Info

Publication number
CN117081822A
CN117081822A CN202311109500.4A CN202311109500A CN117081822A CN 117081822 A CN117081822 A CN 117081822A CN 202311109500 A CN202311109500 A CN 202311109500A CN 117081822 A CN117081822 A CN 117081822A
Authority
CN
China
Prior art keywords
value parameter
data
data packet
performance
flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311109500.4A
Other languages
Chinese (zh)
Inventor
陈方杰
白景鹏
高唯瀚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Technology Innovation Center, China Telecom Corp Ltd filed Critical China Telecom Technology Innovation Center
Priority to CN202311109500.4A priority Critical patent/CN117081822A/en
Publication of CN117081822A publication Critical patent/CN117081822A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Abstract

The present application relates to a traffic detection method, apparatus, communication device, storage medium, chip and computer program product. The method comprises the following steps: acquiring the equipment performance of the network equipment at the current moment; according to the equipment performance of the network equipment at the current moment, extracting the characteristics of the data flow to be detected to obtain the target flow characteristics of the data flow to be detected; inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected. By adopting the method, the dynamic target flow characteristic related to the equipment performance of the network equipment can be determined. The problem of network equipment blocking caused by traffic detection when the performance of the network equipment is poor is avoided. The method and the device realize that the use influence on the network equipment is reduced while the network equipment is utilized to detect the network traffic, and the detection effect of the network equipment for detecting the traffic is improved.

Description

Traffic detection method, traffic detection device, communication equipment, storage medium and chip
Technical Field
The present application relates to the technical field of communications, and in particular, to a traffic detection method, apparatus, communication device, storage medium, chip, and computer program product.
Background
With the development of technology in the communication field, a network traffic detection technology has emerged, and network traffic detection can identify normal network traffic and abnormal network traffic in network traffic. However, as internet devices and network traffic increases, larger traffic detection systems need to be deployed, resulting in higher deployment costs.
In the prior art, the number of the internet devices is considered to be numerous, and the computing power is not negligible, so that the detection model can be considered to be deployed in the internet devices, and the distributed flow detection is formed by the detection model and a large-scale flow detection system deployed by a server, so that the cost of network flow detection is reduced.
However, compared with a server dedicated to flow detection, the internet device can run more applications, the device performance can change according to the use of a user, and when the performance of the internet device is poor, the existing flow detection method can cause the internet device to be blocked when the flow detection is performed, so that the flow detection effect is poor.
Disclosure of Invention
The embodiment of the application provides a flow detection method, a flow detection device, communication equipment, a storage medium, a chip and a computer program product, which can detect flow through internet equipment and can not influence the experience of a user using the internet equipment.
A method of traffic detection, the method comprising:
acquiring the equipment performance of the network equipment at the current moment;
according to the equipment performance of the network equipment at the current moment, extracting the characteristics of the data flow to be detected to obtain the target flow characteristics of the data flow to be detected;
inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected.
In one embodiment, the extracting the characteristics of the data stream to be detected according to the device performance of the network device at the current time to obtain the target flow characteristics of the data stream to be detected includes:
determining a data packet value parameter and a bit value parameter according to the equipment performance of the network equipment;
and determining the target flow characteristics of the data flow to be detected according to the data packet value parameter and the bit value parameter.
In one embodiment, the determining the packet value parameter and the bit value parameter according to the device performance of the network device includes:
determining that the device performance of the network device is poor relative to the device performance threshold when the device performance of the network device is above the device performance threshold;
Determining the data packet value parameter according to the performance difference and the data packet value parameter range;
and determining the bit value parameter according to the performance difference and the bit value parameter range.
In one embodiment, the determining the packet value parameter and the bit value parameter according to the device performance of the network device includes:
acquiring the equipment performance of the network equipment at the previous moment, and a historical data packet value parameter and a historical bit value parameter corresponding to the equipment performance at the previous moment;
determining a duty cycle of device performance of the network device at the current time relative to device performance of the network device at the previous time;
determining a data packet value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical data packet value parameter;
and determining the bit value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical bit value parameter.
In one embodiment, the determining the target traffic characteristic of the data stream to be detected according to the data packet value parameter and the bit value parameter includes:
Acquiring the data packets of the data packet value parameters in the data stream to be detected;
extracting a target field of a target part from a data part of each data packet, wherein the target field comprises a bit value parameter number of bits;
determining field information entropy of each target field;
and determining the target flow characteristics of the data flow to be detected according to the data part length of the data packet, the data packet value parameter, the bit value parameter and the field information entropy of each target field.
In one embodiment, the determining the target traffic characteristic of the data stream to be detected according to the data portion length of the data packet, the data packet value parameter, the bit value parameter, and the field information entropy of each target field includes:
constructing a first characteristic sequence according to the length of the data part of the data packet and the field information entropy of each target field;
constructing a second characteristic sequence according to the data packet value parameter and the first characteristic sequence;
determining a data packet value rate based on the data packet value parameter, and determining a bit value rate based on the bit value parameter;
And constructing the target flow characteristic of the data flow to be detected according to the second characteristic sequence, the data packet value rate and the bit value rate.
In one embodiment, the method further comprises:
determining a plurality of value groups based on the data packet value parameter range and the bit value parameter range, wherein the value groups comprise one data packet value parameter and one bit value parameter;
acquiring a plurality of sample data streams;
for each sample data stream, determining a plurality of sample flow characteristics corresponding to each value group according to the data packet value parameters and the bit value parameters in each value group,
constructing a training data set based on each of the sample flow characteristics;
and inputting the training data set into an initial flow detection model, and performing model training to obtain a flow detection model.
A flow sensing device, the device comprising:
the first acquisition module is used for acquiring the equipment performance of the network equipment at the current moment;
the extraction module is used for extracting the characteristics of the data flow to be detected according to the equipment performance of the network equipment at the current moment to obtain the target flow characteristics of the data flow to be detected;
And the detection module is used for inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected.
In one embodiment, the extraction module is specifically configured to:
determining a data packet value parameter and a bit value parameter according to the equipment performance of the network equipment;
and determining the target flow characteristics of the data flow to be detected according to the data packet value parameter and the bit value parameter.
In one embodiment, the extraction module is specifically configured to:
determining that the device performance of the network device is poor relative to the device performance threshold when the device performance of the network device is above the device performance threshold;
determining the data packet value parameter according to the performance difference and the data packet value parameter range;
and determining the bit value parameter according to the performance difference and the bit value parameter range.
In one embodiment, the extraction module is specifically configured to:
acquiring the equipment performance of the network equipment at the previous moment, and a historical data packet value parameter and a historical bit value parameter corresponding to the equipment performance at the previous moment;
determining a duty cycle of device performance of the network device at the current time relative to device performance of the network device at the previous time;
Determining a data packet value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical data packet value parameter;
and determining the bit value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical bit value parameter.
In one embodiment, the extraction module is specifically configured to:
acquiring the data packets of the data packet value parameters in the data stream to be detected;
extracting a target field of a target part from a data part of each data packet, wherein the target field comprises a bit value parameter number of bits;
determining field information entropy of each target field;
and determining the target flow characteristics of the data flow to be detected according to the data part length of the data packet, the data packet value parameter, the bit value parameter and the field information entropy of each target field.
In one embodiment, the extraction module is specifically configured to:
constructing a first characteristic sequence according to the length of the data part of the data packet and the field information entropy of each target field;
Constructing a second characteristic sequence according to the data packet value parameter and the first characteristic sequence;
determining a data packet value rate based on the data packet value parameter, and determining a bit value rate based on the bit value parameter;
and constructing the target flow characteristic of the data flow to be detected according to the second characteristic sequence, the data packet value rate and the bit value rate.
In one embodiment, the apparatus further comprises:
the first determining module is used for determining a plurality of value groups based on the value parameter range of the data packet and the value parameter range of the bit, wherein the value groups comprise one value parameter of the data packet and one value parameter of the bit;
a second acquisition module for acquiring a plurality of sample data streams;
a second determining module, configured to determine, for each of the sample data streams, a plurality of sample flow characteristics corresponding to each of the value groups according to the data packet value parameter and the bit value parameter in each of the value groups,
a building module for building a training data set based on each of the sample flow characteristics;
and the training module is used for inputting the training data set into an initial flow detection model, and performing model training to obtain a flow detection model.
A communication device comprising a memory storing a computer program and a processor implementing the steps of the above-described flow detection methods when the processor executes the computer program.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the respective flow detection methods described above.
A chip comprising programmable logic circuitry and/or program instructions capable of performing the steps of the respective flow detection methods described above when the chip is in operation.
A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the respective flow detection method described above.
The flow detection method, the flow detection device, the communication equipment, the storage medium, the chip and the computer program product acquire the equipment performance of the network equipment at the current moment; according to the equipment performance of the network equipment at the current moment, extracting the characteristics of the data flow to be detected to obtain the target flow characteristics of the data flow to be detected; inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected. By adopting the method, the target flow characteristics of the data flow to be detected, which are related to the equipment performance of the network equipment, can be determined, sparse information is extracted from the data flow to be detected under the condition that the equipment performance of the network equipment is poor, the target flow characteristics are obtained, and dense information is extracted from the data flow to be detected under the condition that the equipment performance of the network equipment is good, so that the target flow characteristics are obtained, and the dynamic target flow characteristics are obtained. The problem of network equipment blocking caused by traffic detection when the performance of the network equipment is poor is avoided. The method and the device realize that the use influence on the network equipment is reduced while the network equipment is utilized to detect the network traffic, and the detection effect of the network equipment for detecting the traffic is improved.
Drawings
FIG. 1 is a schematic diagram of a prior art flow detection;
FIG. 2 is a diagram of an application environment for a flow detection method in one embodiment;
FIG. 3 is a flow chart of a flow detection method in one embodiment;
FIG. 4 is a schematic diagram of a flow detection process in one embodiment;
FIG. 5 is a flow chart illustrating determining a target traffic characteristic of a data stream to be detected in one embodiment;
FIG. 6 is a flow chart of determining a packet value parameter and a bit value parameter according to one embodiment;
FIG. 7 is a flow chart of determining a packet value parameter and a bit value parameter according to a performance difference in one embodiment;
fig. 8 is a flow chart of determining a packet value parameter and a bit value parameter corresponding to device performance of a network device at a current time according to an embodiment;
fig. 9 is a flow chart of determining a packet value parameter and a bit value parameter corresponding to device performance of a network device at a current time according to a duty ratio in an embodiment;
FIG. 10 is a flow chart illustrating determining a target traffic characteristic of a data stream to be detected in one embodiment;
FIG. 11 is a schematic diagram of extracting the first a packets in a data stream to be detected in one embodiment;
FIG. 12 is a flow diagram of constructing a target traffic characteristic of a data stream to be detected in one embodiment;
FIG. 13 is a flow diagram of a flow detection model acquisition in one embodiment;
FIG. 14 is a flow diagram of model training in one embodiment;
FIG. 15 is an exemplary schematic diagram of a process of a flow detection method in one embodiment;
FIG. 16 is a block diagram showing the construction of a flow rate detecting device in one embodiment;
fig. 17 is an internal structural diagram of a communication device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
In the conventional technology, referring to fig. 1, in the process of detecting the traffic by using a large-scale dedicated server, a method for detecting the traffic based on information entropy is static, and when the performance of a processor is insufficient, server deployment needs to be increased, and the extraction mode of the traffic characteristics cannot be dynamically changed along with the load change of the processor.
The network device in the application is small network device such as user terminal device, and the like, and most of the network device has other purposes, but is not special flow detection, and the device performance is often related to factors such as user usage habit, so that the factors such as processor load, electric quantity and the like need to be considered when the small device is used for flow detection.
Fig. 2 is a schematic application scenario diagram of a flow detection method according to an embodiment of the present application. As shown in fig. 2, network device 102 and server 104 in this scenario. The network device 102 and the server 104 perform data transmission through a network, and the network device 102 and the server 104 perform data transmission through the network.
Network device 102 may be a wireless terminal, which may be a device that provides voice and/or other traffic data connectivity to a user, or a handheld device with wireless connection capabilities, or other processing device connected to a wireless modem. A wireless terminal may communicate with one or more core networks via a radio access network (Radio Access Network, RAN for short), which may be mobile terminals such as mobile phones (or "cellular" phones) and computers with mobile terminals, e.g., portable, pocket, hand-held, computer-built-in or vehicle-mounted mobile devices that exchange voice and/or data with the radio access network. A wireless Terminal may also be referred to as a system, subscriber Unit (Subscriber Unit), subscriber Station (Subscriber Station), mobile Station (Mobile Station), mobile Station (Mobile), remote Station (Remote Station), remote Terminal (Remote Terminal), access Terminal (Access Terminal), user Terminal (User Terminal), user Agent (User Agent), user equipment (User Device or User Equipment), without limitation. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
It should be noted that the beneficial effects or the technical problems to be solved by the embodiments of the present application are not limited to this one, but may be other implicit or related problems, and particularly, reference may be made to the following description of embodiments.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
In one embodiment, as shown in fig. 3, a method for detecting traffic is provided, and the method is applied to the network device in fig. 2, for example, and includes the following steps:
step 302, obtaining the device performance of the network device at the current moment.
The device performance may include an idle rate of the device performance, for example, a device remaining power of the network device, an idle rate of a CPU (Central Processing Unit ) of the network device, and the like, and device parameters capable of reflecting the idle rate of the device performance of the network device may be applied to the present application, which is not limited in the embodiment of the present application.
In the embodiment of the application, the network equipment acquires the equipment performance of the network equipment at the current moment, and the network equipment acquires the equipment residual capacity or CPU idle rate and the like of the network equipment at the current moment as the equipment performance of the network equipment at the current moment.
And step 304, extracting the characteristics of the data flow to be detected according to the equipment performance of the network equipment at the current moment, and obtaining the target flow characteristics of the data flow to be detected.
The data flow to be detected is the flow of the same service type passing through the network equipment in the current moment. The traffic type of the traffic may be determined according to a source MAC (Media Access Control Address, medium access control address/physical address) address and a destination MAC address, a source IP address and a destination IP address, or an N-tuple (i.e., a tuple with a length of N), etc., and any method that can determine that the source of the traffic is the same may be applied to the method for determining the data flow to be detected, which is not limited in the embodiment of the present application.
In the embodiment of the application, the network equipment determines the relevant parameters of the flow characteristics according to the equipment performance of the network equipment at the current moment. The network device can determine different flow characteristic related parameters according to different device performances of the network device at different moments.
The network device performs feature extraction on the data flow to be detected according to different flow feature related parameters to obtain target flow features of the data flow to be detected, and the method is exemplified: under the condition of better equipment performance, dense target flow characteristics can be acquired, and under the condition of worse equipment performance, sparse target flow characteristics can be acquired.
And step 306, inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected.
The flow detection model can be a model obtained based on neural network training, any model capable of performing model training and model testing can be applied to the flow detection model, and the model selection of the flow detection model is not limited in the embodiment of the application.
In the embodiment of the present application, referring to fig. 4, a network device obtains a traffic detection model from a server. Then, the network device inputs the target flow characteristic into the flow detection model to obtain a detection result for the data flow to be detected, for example, the network device inputs the target flow characteristic corresponding to the data flow a to be detected into the flow detection model to obtain a detection result that the data flow a to be detected is normal network flow. According to the device performance at the current moment, the dynamic target flow characteristic related to the device performance can be obtained.
In the flow detection method, the device performance of the network device at the current moment is obtained; according to the equipment performance of the network equipment at the current moment, extracting the characteristics of the data flow to be detected to obtain the target flow characteristics of the data flow to be detected; inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected. By adopting the method, the target flow characteristics of the data flow to be detected, which are related to the equipment performance of the network equipment, can be determined, sparse information is extracted from the data flow to be detected under the condition that the equipment performance of the network equipment is poor, the target flow characteristics are obtained, and dense information is extracted from the data flow to be detected under the condition that the equipment performance of the network equipment is good, so that the target flow characteristics are obtained, and the dynamic target flow characteristics are obtained. The problem of network equipment blocking caused by traffic detection when the performance of the network equipment is poor is avoided. The method and the device realize that the use influence on the network equipment is reduced while the network equipment is utilized to detect the network traffic, and the detection effect of the network equipment for detecting the traffic is improved.
In one embodiment, as shown in FIG. 5, step 304 includes:
Step 502, determining a data packet value parameter and a bit value parameter according to the device performance of the network device.
Wherein the data packet value parameter and the bit value parameter are positive integers.
In the embodiment of the application, the network equipment determines the data packet value parameter and the bit value parameter corresponding to the equipment performance of the self equipment according to the equipment performance of the self equipment.
Specifically, under the condition that the device performance of the network device is higher (i.e. the performance idle rate is higher), the network device determines a higher data packet value parameter and a higher bit value parameter so as to acquire more information in the data stream to be detected.
Step 504, determining the target flow characteristics of the data stream to be detected according to the data packet value parameter and the bit value parameter.
In the embodiment of the application, the network equipment extracts the data packet and the bit in the data stream to be detected according to the data packet value parameter and the bit value parameter, processes the extracted data packet and bit, and constructs the target flow characteristic of the data stream to be detected according to the processing result.
In this embodiment, the network device can adjust the data packet value parameter and the bit value parameter according to the device performance of its own device at the current time, and obtain the target flow characteristic related to the device performance according to the data packet value parameter and the bit value parameter. And the target flow characteristics are conveniently input to a flow detection model to detect the data flow to be detected.
In one embodiment, as shown in FIG. 6, step 502 includes:
in step 602, when the device performance of the network device is above the device performance threshold, it is determined that the device performance of the network device is poor relative to the device performance threshold.
The device performance of the network device is higher than the device performance threshold value, so that the device performance of the network device is better, and the flow detection can be performed under the condition that the experience of a user using the network device is not affected; the device performance of the network device is lower than or equal to the device performance threshold, which is used to characterize the poor device performance of the network device, and if the traffic detection is performed, the experience of the user using the network device may be affected, and the traffic detection effect may be affected.
In the embodiment of the application, the network equipment can store the equipment performance threshold, the equipment performance of the network equipment is compared with the equipment performance threshold, and when the equipment performance of the network equipment is higher than the equipment performance threshold, the poor performance of the equipment performance of the network equipment relative to the equipment performance threshold is determined.
Specifically, the device performance threshold of the network device is 50% of the device remaining power, and when the device remaining power of the network device at the current moment is 80%, the network device determines that the device performance of the network device is higher than the device performance threshold, and further, the network device determines that the performance difference of the device performance of the network device relative to the device performance threshold is (80% -50%) =30%.
Step 604, determining the data packet value parameter according to the performance difference and the data packet value parameter range.
In the embodiment of the application, the network equipment determines the data packet value parameter corresponding to the poor performance according to the poor performance in the data packet value parameter range.
Step 606, determining the bit value parameter according to the performance difference and the bit value parameter range.
In the embodiment of the application, the network equipment determines the bit value parameter corresponding to the performance difference in the range of the bit value parameter according to the performance difference.
In this embodiment, according to the performance difference between the device performance of the network device at the current time and the device performance threshold, the network device adjusts the data packet value parameter and the bit value parameter corresponding to the performance difference within the data packet value parameter range and the bit value parameter range. And the subsequent network equipment can conveniently determine the target flow characteristics related to the equipment performance according to the data packet value parameter and the bit value parameter.
In one embodiment, as shown in FIG. 7, step 604 includes:
in step 702, the packet value parameter corresponding to the performance difference is determined in the packet value parameter range.
In the embodiment of the application, the value threshold of the data packet can be stored in the network equipment in advance. And then, the network equipment determines the data packet value parameter corresponding to the poor performance in the data packet value parameter range.
Specifically, when the performance difference is 30%, the device performance threshold is 50%, and the packet value threshold is 100, and the packet value parameter range is [100, 1000], the network device determines, in the packet value parameter range [100, 1000], the ratio of the performance range (100% -50%) where the performance difference is 30%, that is, 30%/(100% -50%) =60%, and the packet value parameter should be (1000-100) ×60% +100=640, that is, the packet value parameter is 640.
Step 606 includes:
in step 704, the bit value parameter corresponding to the performance difference is determined in the bit value parameter range.
In the embodiment of the present application, a bit value threshold may be stored in the network device in advance. Then, the network device determines the bit value parameter corresponding to the performance difference in the bit value parameter range.
Specifically, when the performance difference is 30%, the device performance threshold is 50%, and the bit value threshold is 100, and when the bit value parameter range is [100, 1000], the network device determines the proportion of the performance range (100% -50%) where the performance difference is 30%, namely, 60%, in the bit value parameter range [100, 1000], and the bit value parameter should be (1000-100) ×60++100=640, namely, the bit value parameter is 640.
In this embodiment, the network device adjusts the packet value parameter and the bit value parameter corresponding to the performance difference according to the performance difference in the packet value parameter range and the bit value parameter range. The effect that more data packets and bits are taken in the data stream to be detected when the performance of the network equipment is insufficient is achieved. And the subsequent network equipment can conveniently determine the target flow characteristics related to the equipment performance according to the data packet value parameter and the bit value parameter.
In one embodiment, as shown in FIG. 8, step 502 includes:
step 802, acquiring the device performance of the network device at the previous moment, and the historical data packet value parameter and the historical bit value parameter corresponding to the device performance at the previous moment.
In the embodiment of the application, the network device can store the device performance of the network device at the current time and the previous time, for example, the network device takes 5 minutes as one time, and when the current time is 1:05, the network device can acquire the previous time 1 of 1:05: device performance of 00.
The network device can store a historical data packet value parameter and a historical bit value parameter corresponding to the device performance at a time previous to the current time.
Step 804 determines a duty cycle of the device performance of the network device at the current time relative to the device performance of the network device at the previous time.
In the embodiment of the application, the network equipment determines the duty ratio of the equipment performance of the network equipment at the current moment relative to the equipment performance of the network equipment at the previous moment according to the equipment performance of the network equipment at the current moment and the equipment performance of the network equipment at the previous moment.
Illustratively, the device remaining power of the network device at the previous time is 80%, and the device remaining power of the network device at the current time is 90%, so that the device performance of the network device at the current time is 90%/80% =112.5% relative to the device performance of the network device at the previous time.
Step 806, determining the data packet value parameter corresponding to the device performance of the network device at the current moment according to the duty ratio and the historical data packet value parameter.
In the embodiment of the application, the network equipment takes the historical data packet value parameter of the duty ratio as the data packet value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical data packet value parameter.
Step 808, determining the bit value parameter corresponding to the device performance of the network device at the current moment according to the duty ratio and the historical bit value parameter.
In the embodiment of the application, the network equipment takes the historical bit value parameter of the duty ratio as the bit value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical bit value parameter.
In this embodiment, according to the duty ratio of the device performance of the network device at the current time relative to the device performance at the previous time, the network device adjusts the data packet value parameter and the bit value parameter corresponding to the duty ratio within the data packet value parameter range and the bit value parameter range. And the subsequent network equipment can conveniently determine the target flow characteristics related to the equipment performance according to the data packet value parameter and the bit value parameter.
In one embodiment, as shown in FIG. 9, step 806 includes:
step 902, taking the data packet value parameter corresponding to the device performance of the network device at the current moment as the data packet value parameter corresponding to the duty ratio of the historical data packet value parameter.
In the embodiment of the application, the network device takes the data packet value parameter corresponding to the device performance of the network device at the current moment as the data packet value parameter corresponding to the duty ratio of the historical data packet value parameter.
For example, in the case where the duty ratio is 112.5%, the historical packet value parameter is 500, the network device will be configured to set the packet value parameter corresponding to the device performance of the network device at the current time to 500×112.5% =562.5 with respect to 112.5% of the historical packet value parameter (i.e., 500).
Step 608 includes:
step 904, taking the bit value parameter corresponding to the device performance of the network device at the current moment as the bit value parameter corresponding to the duty ratio of the historical bit value parameter.
In the embodiment of the application, the network equipment takes the bit value parameter corresponding to the equipment performance of the network equipment at the current moment as the bit value parameter corresponding to the duty ratio of the historical bit value parameter.
Illustratively, when the duty ratio is 112.5%, the historical bit value parameter is 50, the network device will be configured to use the 112.5% bit value parameter 50×112.5% =56.25 of the historical bit value parameter (i.e. 50) as the bit value parameter corresponding to the device performance of the network device at the current time.
In this embodiment, according to the duty ratio of the device performance of the network device at the current time relative to the device performance at the previous time, the network device adjusts the data packet value parameter and the bit value parameter corresponding to the duty ratio within the data packet value parameter range and the bit value parameter range. The effect that more data packets and bits are taken in the data stream to be detected when the performance of the network equipment is insufficient is achieved. And the subsequent network equipment can conveniently determine the target flow characteristics related to the equipment performance according to the data packet value parameter and the bit value parameter.
In one embodiment, as shown in FIG. 10, step 504 includes:
step 1002, obtaining a data packet value parameter number of data packets in a data stream to be detected.
Wherein, the data packet is the minimum unit of transmission information in network communication. It consists of a head part, a load part and a tail part. The header is used for describing the attribute and control information of the data packet, the load is the data content actually required to be transmitted, and the tail is used for checking, error detection and other functions.
In the embodiment of the application, the network equipment extracts the data packets with the value parameters from the data stream to be detected.
For the method of extracting the data packet, referring to fig. 11, the network device may extract the first a data packet in the data stream to be detected; the network device may also extract a random a data packet in the data stream to be detected, and the method for extracting the data packet is not limited in the present application.
In step 1004, for each data packet, a target field of the target portion is extracted from the data portion of the data packet.
Wherein the data portion of the data packet is the payload portion of the data packet. The target field contains a number of bits of the bit value parameter. The target part is the front part, the middle part and the back part of the data packet, the front part is n bits from front to back, the middle part is n bits of the central position of the data part of the data packet, and the back part is n bits from back to front.
In the embodiment of the application, the network device determines the data part of each data packet, and extracts the bit value parameter bits from each target part in the data part of the data packet. Illustratively, in the case where the bit value parameter is 50, the network device extracts, for each packet, 50 bits from the front to the back, 50 bits from the center position, and 50 bits from the rear portion.
Then, the network device takes the extracted bit value parameter of each target part as a target field. Illustratively, the network device extracts, for each packet, 50 bits from the front to the back, 50 bits from the center, and 50 bits from the back as three target fields.
In step 1006, field information entropy of each target field is determined.
In the embodiment of the present application, for each data packet, the network device determines the field information entropy of the target field in the data packet, and for the calculation method of the field information entropy, the specific content includes:
wherein m is i The value of the i-th bit in the characterization field is only 0 or 1.n represents a bit value parameter, and P represents field information entropy of a target field.
Step 1008, determining the target flow characteristics of the data flow to be detected according to the data part length of the data packet, the data packet value parameter, the bit value parameter and the field information entropy of each target field.
In the embodiment of the application, the network equipment can acquire the data part length of each data packet, and for each data packet, the network equipment constructs the target flow characteristic of the data flow to be detected according to the data part length of the data packet, the data packet value parameter at the current moment, the bit value parameter at the current moment and the field information entropy of each target field.
In this embodiment, the network device can determine the target flow characteristic of the data flow to be detected, so that the target flow characteristic is conveniently input into the flow detection model for model detection.
In one embodiment, as shown in FIG. 12, step 1008 includes:
step 1202, constructing a first feature sequence according to the length of the data portion of the data packet and the field information entropy of each target field.
In the embodiment of the application, for each data packet, the network device constructs the length of the data part of the data packet and the field information entropy of each target field of the data packet as a first feature sequence to obtain a plurality of first feature sequences of the data stream to be detected.
Illustratively, the network device forms the first feature sequence T from the front, the middle and the tail of L, P in the case that the field length of the data portion of one data packet is L, the field information entropy of the front portion of the data portion (i.e., the field information entropy corresponding to the front portion of the data portion), the middle of P (the field information entropy corresponding to the middle portion of the data portion), and the tail of P (the field information entropy corresponding to the rear portion of the data portion), where T is { L, front of P, middle of P, and tail }.
And step 1204, constructing a second characteristic sequence according to the data packet value parameter and the first characteristic sequence.
In the embodiment of the application, the network equipment constructs a second characteristic sequence corresponding to the data stream to be detected according to a plurality of first characteristic sequences corresponding to the data stream to be detected and the value parameters of the data packet.
For example, when the packet value parameter is a and the plurality of first feature sequences corresponding to the data stream to be detected are T1, T2, … Ta-1 and Ta, the network device constructs a second feature sequence a corresponding to the data stream to be detected as (t1+t2+ … +ta-1+ta)/a according to the plurality of first feature sequences T1, T2, … Ta-1 and Ta and the packet value parameter a.
The first feature sequences T1, T2, … Ta-1 and Ta are spliced, and the splicing result is divided by the data packet value parameter a, so that the influence of large difference between target flow features due to the difference of the data packet value parameters a can be balanced, and the different data packet value parameters a all comprise uniform information quantity.
In step 1206, a packet valuation rate is determined based on the packet valuation parameter, and a bit valuation rate is determined based on the bit valuation parameter.
In the embodiment of the application, the network equipment determines the data packet value rate in the data packet value parameter based on the data packet value parameter at the current moment, and determines the bit value rate in the bit value parameter based on the bit value parameter at the current moment.
Illustratively, where the packet value parameter is a, the packet value parameter range is [ a ] min ,a max ]In the case of (a), the method for determining the value rate of the data packet may be shown by referring to the formula (b), and the specific contents are as follows:
wherein j represents the value rate of the data packet; a, representing a data packet value parameter; a, a min Representing the minimum value of the value parameter range of the data packet; a, a max And characterizing the maximum value of the value parameter range of the data packet.
Illustratively, where the bit-valued parameter is n, the bit-valued parameter range is [ n ] min ,n max ]In the case of (a), the method for determining the bit value rate may be shown by the formula (iii), and the specific contents are as follows:
wherein k represents the bit value rate; n represents a bit value parameter; n is n min Representing the minimum value of the bit value parameter range; n is n max The maximum value of the parameter range of the characterization bit takes on value.
Step 1208, constructing the target traffic feature of the data stream to be detected according to the second feature sequence, the data packet value rate and the bit value rate.
In the embodiment of the application, the network equipment constructs the second characteristic sequence, the data packet value rate and the bit value rate as the target flow characteristics of the data flow to be detected.
For example, in the case that the second feature sequence is a, the packet value rate is j, and the bit value rate is k, the network device constructs the packet value rate j, the bit value rate k, and the second feature sequence a as the target traffic feature { j, k, a } of the data stream to be detected.
In this embodiment, the network device may construct the second feature sequence, the data packet value rate and the bit value rate as the target flow feature of the data stream to be detected, so that the data packet value rate and the bit value rate are used as parameters of model detection, and the target flow feature is checked according to different data packet value rates and bit value rates, so that the efficiency and the accuracy of the flow detection model can be improved.
In one embodiment, as shown in fig. 13, the method further includes:
in step 1302, a plurality of value sets are determined based on the packet value parameter range and the bit value parameter range.
The value group comprises a data packet value parameter and a bit value parameter.
In the embodiment of the present application, referring to fig. 14, the network device determines a plurality of packet value parameters in the packet value parameter range and a plurality of bit value parameters in the bit value parameter range based on the packet value parameter range and the bit value parameter range, and combines to obtain a plurality of value groups based on the plurality of packet value parameters and the plurality of bit value parameters.
Illustratively, the network device determines that r1 packet value parameters exist in the packet value parameter range, and r2 bit value parameters exist in the bit value parameter range, so that r1 x r2 value groups are obtained based on the combination of the r1 packet value parameters and the r2 bit value parameters.
At step 1304, a plurality of sample data streams is acquired.
In the embodiment of the application, the server can acquire a plurality of sample data streams, for example, acquire the data streams in the historical flow detection process. The server may also obtain traffic detection resources in other platforms, resulting in multiple sample data streams.
The method for obtaining the sample data stream is not specifically limited in the embodiments of the present application.
Step 1306, for each sample data stream, determining a plurality of sample flow characteristics corresponding to each value group according to the data packet value parameter and the bit value parameter in each value group.
In the embodiment of the application, a server determines a plurality of sample flow characteristics corresponding to each value group according to the value parameters of the data packet and the bit value parameters in each value group for each sample data stream.
The method for determining the flow characteristics according to the packet value parameter and the bit value parameter has been described in the foregoing embodiments, and will not be described herein.
Step 1308, a training data set is constructed based on the sample flow characteristics.
In the embodiment of the application, the server constructs a plurality of sample flow characteristics into a training data set.
The server can also label data according to the characteristics of each sample flow, so as to distinguish whether each data flow to be checked is abnormal network flow.
Step 1310, inputting the training data set into an initial flow detection model, and performing model training to obtain a flow detection model.
In the embodiment of the application, a training data set is input into an initial flow detection model by a server, and model training is carried out to obtain a flow detection model. The server may then issue a traffic detection model to each network device.
The initial flow detection model can be a model obtained based on neural network training, any model capable of performing model training and model testing can be applied to the method, and the method and the device are not particularly limited in model selection of the initial flow detection model and specific processes of model training.
In this embodiment, the server extracts the characteristics of the sample data stream at different data packet value rates and bit value rates, so that the extracted training data sets are uniformly distributed in the data packet value parameter range and the bit value parameter range, and when the data packet value parameters and the bit value parameters are changed, the recognition influence on the model is reduced, and the accuracy of the flow detection model is improved.
In one embodiment, as shown in fig. 15, a processing procedure example of a flow detection method is further provided, and the specific content is as follows:
and step A1, extracting the device performance of the network device at the current moment, such as CPU idle rate, device residual capacity and the like.
And step A2, calculating whether the device performance of the network device at the current moment is sufficient, if so, increasing the data packet value parameter and the bit value parameter, and if not, decreasing the data packet value parameter and the bit value parameter.
The network device may pre-store a performance sufficiency threshold, and under a condition that the device performance at the current moment is higher than the performance sufficiency threshold, the network device determines that the device performance of the network device at the current moment is sufficient; and under the condition that the device performance at the current moment is lower than or equal to the performance sufficiency threshold, the network device determines that the device performance of the network device at the current moment is insufficient.
For example, the performance sufficient threshold is 80% of the remaining capacity of the device, and the lowest remaining capacity of the device, which can perform flow detection, is 50%, so that the network device can adjust the data packet value parameter and the bit value parameter according to the performance of the device within the range of [50%,80% ].
And A3, calculating the data packet value rate and the bit value rate according to the newly determined data packet value parameters and the bit value parameters, extracting flow characteristics, and forming target flow characteristics.
And step A4, inputting the target flow characteristics into a flow detection model to detect the flow.
It should be understood that, although the steps in the flowcharts of fig. 3-15 are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in fig. 3-15 may include multiple steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of the steps or stages in other steps or other steps.
In one embodiment, as shown in fig. 16, there is provided a flow detection device 1600 comprising: a first acquisition module 1602, an extraction module 1604, and a detection module 1606, wherein:
a first obtaining module 1602, configured to obtain device performance of a network device at a current time.
And the extracting module 1604 is configured to perform feature extraction on a data stream to be detected according to the device performance of the network device at the current moment, so as to obtain a target flow feature of the data stream to be detected.
The detection module 1606 is configured to input the target flow characteristic into a flow detection model, and obtain a detection result for the data flow to be detected.
By adopting the flow detection model provided by the embodiment of the disclosure, the target flow characteristics of the data flow to be detected, which are related to the equipment performance of the network equipment, can be determined, sparse information is extracted from the data flow to be detected under the condition that the equipment performance of the network equipment is poor, the target flow characteristics are obtained, and dense information is extracted from the data flow to be detected under the condition that the equipment performance of the network equipment is good, so that the target flow characteristics are obtained, and the dynamic target flow characteristics are obtained. The problem of network equipment blocking caused by traffic detection when the performance of the network equipment is poor is avoided. The method and the device realize that the use influence on the network equipment is reduced while the network equipment is utilized to detect the network traffic, and the detection effect of the network equipment for detecting the traffic is improved.
In one embodiment, the extracting module 1604 is specifically configured to:
determining a data packet value parameter and a bit value parameter according to the equipment performance of the network equipment;
and determining the target flow characteristics of the data flow to be detected according to the data packet value parameter and the bit value parameter.
In one embodiment, the extracting module 1604 is specifically configured to:
determining that the device performance of the network device is poor relative to the device performance threshold when the device performance of the network device is above the device performance threshold;
determining the data packet value parameter according to the performance difference and the data packet value parameter range;
and determining the bit value parameter according to the performance difference and the bit value parameter range.
In one embodiment, the extracting module 1604 is specifically configured to:
determining the data packet value parameter with poor performance relative to the data packet value threshold in the data packet value parameter range;
and determining the bit value parameter with the poor performance relative to the bit value threshold in the bit value parameter range.
In one embodiment, the extracting module 1604 is specifically configured to:
acquiring the equipment performance of the network equipment at the previous moment, and a historical data packet value parameter and a historical bit value parameter corresponding to the equipment performance at the previous moment;
Determining a duty cycle of device performance of the network device at the current time relative to device performance of the network device at the previous time;
determining a data packet value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical data packet value parameter;
and determining the bit value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical bit value parameter.
In one embodiment, the extracting module 1604 is specifically configured to:
taking the data packet value parameter of the duty ratio relative to the historical data packet value parameter as the data packet value parameter corresponding to the equipment performance of the network equipment at the current moment;
the determining, according to the duty ratio and the historical bit value parameter, the bit value parameter corresponding to the device performance of the network device at the current time includes:
and taking the bit value parameter of the duty ratio relative to the historical bit value parameter as the bit value parameter corresponding to the equipment performance of the network equipment at the current moment.
In one embodiment, the extracting module 1604 is specifically configured to:
Acquiring the data packets of the data packet value parameters in the data stream to be detected;
extracting a target field of a target part from a data part of each data packet, wherein the target field comprises a bit value parameter number of bits;
determining field information entropy of each target field;
and determining the target flow characteristics of the data flow to be detected according to the data part length of the data packet, the data packet value parameter, the bit value parameter and the field information entropy of each target field.
In one embodiment, the extracting module 1604 is specifically configured to:
constructing a first characteristic sequence according to the length of the data part of the data packet and the field information entropy of each target field;
constructing a second characteristic sequence according to the data packet value parameter and the first characteristic sequence;
determining a data packet value rate based on the data packet value parameter, and determining a bit value rate based on the bit value parameter;
and constructing the target flow characteristic of the data flow to be detected according to the second characteristic sequence, the data packet value rate and the bit value rate.
In one embodiment, the apparatus further comprises:
the first determining module is used for determining a plurality of value groups based on the value parameter range of the data packet and the value parameter range of the bit, wherein the value groups comprise one value parameter of the data packet and one value parameter of the bit;
a second acquisition module for acquiring a plurality of sample data streams;
a second determining module, configured to determine, for each of the sample data streams, a plurality of sample flow characteristics corresponding to each of the value groups according to the data packet value parameter and the bit value parameter in each of the value groups,
a building module for building a training data set based on each of the sample flow characteristics;
and the training module is used for inputting the training data set into an initial flow detection model, and performing model training to obtain a flow detection model.
For specific limitations of the flow rate detection device, reference may be made to the above limitations of the flow rate detection method, and no further description is given here. The various modules in the flow detection device described above may be implemented in whole or in part in software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In an exemplary embodiment, a communication apparatus is provided, which may be a terminal, and an internal structure diagram thereof may be as shown in fig. 17. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a flow detection method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 17 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the method embodiments described above.
In one embodiment, a chip is provided that includes programmable logic and/or program instructions that when executed perform the steps of the method embodiments described above.
Embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the method embodiments described above.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, or the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (12)

1. A method for traffic detection, applied to a network device, the method comprising:
acquiring the equipment performance of the network equipment at the current moment;
according to the equipment performance of the network equipment at the current moment, extracting the characteristics of the data flow to be detected to obtain the target flow characteristics of the data flow to be detected;
inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected.
2. The method according to claim 1, wherein the extracting features of the data flow to be detected according to the device performance of the network device at the current moment to obtain the target traffic feature of the data flow to be detected includes:
determining a data packet value parameter and a bit value parameter according to the equipment performance of the network equipment;
and determining the target flow characteristics of the data flow to be detected according to the data packet value parameter and the bit value parameter.
3. The method of claim 2, wherein determining the packet value parameter and the bit value parameter based on the device capabilities of the network device comprises:
determining that the device performance of the network device is poor relative to the device performance threshold when the device performance of the network device is above the device performance threshold;
determining the data packet value parameter according to the performance difference and the data packet value parameter range;
and determining the bit value parameter according to the performance difference and the bit value parameter range.
4. The method of claim 2, wherein determining the packet value parameter and the bit value parameter based on the device capabilities of the network device comprises:
Acquiring the equipment performance of the network equipment at the previous moment, and a historical data packet value parameter and a historical bit value parameter corresponding to the equipment performance at the previous moment;
determining a duty cycle of device performance of the network device at the current time relative to device performance of the network device at the previous time;
determining a data packet value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical data packet value parameter;
and determining the bit value parameter corresponding to the equipment performance of the network equipment at the current moment according to the duty ratio and the historical bit value parameter.
5. The method according to any one of claims 2 to 4, wherein determining the target traffic characteristic of the data stream to be detected based on the packet value parameter and the bit value parameter comprises:
acquiring the data packets of the data packet value parameters in the data stream to be detected;
extracting a target field of a target part from a data part of each data packet, wherein the target field comprises a bit value parameter number of bits;
Determining field information entropy of each target field;
and determining the target flow characteristics of the data flow to be detected according to the data part length of the data packet, the data packet value parameter, the bit value parameter and the field information entropy of each target field.
6. The method according to claim 5, wherein determining the target traffic characteristics of the data stream to be detected according to the data portion length of the data packet, the data packet value parameter, the bit value parameter, and the field information entropy of each of the target fields comprises:
constructing a first characteristic sequence according to the length of the data part of the data packet and the field information entropy of each target field;
constructing a second characteristic sequence according to the data packet value parameter and the first characteristic sequence;
determining a data packet value rate based on the data packet value parameter, and determining a bit value rate based on the bit value parameter;
and constructing the target flow characteristic of the data flow to be detected according to the second characteristic sequence, the data packet value rate and the bit value rate.
7. The method according to claim 1, wherein the method further comprises:
Determining a plurality of value groups based on the data packet value parameter range and the bit value parameter range, wherein the value groups comprise one data packet value parameter and one bit value parameter;
acquiring a plurality of sample data streams;
for each sample data stream, determining a plurality of sample flow characteristics corresponding to each value group according to the data packet value parameters and the bit value parameters in each value group,
constructing a training data set based on each of the sample flow characteristics;
and inputting the training data set into an initial flow detection model, and performing model training to obtain the flow detection model.
8. A flow sensing device, the device comprising:
the first acquisition module is used for acquiring the equipment performance of the network equipment at the current moment;
the extraction module is used for extracting the characteristics of the data flow to be detected according to the equipment performance of the network equipment at the current moment to obtain the target flow characteristics of the data flow to be detected;
and the detection module is used for inputting the target flow characteristics into a flow detection model to obtain a detection result aiming at the data flow to be detected.
9. A communication device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
11. A chip comprising programmable logic circuits and/or program instructions which when run implement the steps of the method of any one of claims 1 to 7.
12. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
CN202311109500.4A 2023-08-30 2023-08-30 Traffic detection method, traffic detection device, communication equipment, storage medium and chip Pending CN117081822A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311109500.4A CN117081822A (en) 2023-08-30 2023-08-30 Traffic detection method, traffic detection device, communication equipment, storage medium and chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311109500.4A CN117081822A (en) 2023-08-30 2023-08-30 Traffic detection method, traffic detection device, communication equipment, storage medium and chip

Publications (1)

Publication Number Publication Date
CN117081822A true CN117081822A (en) 2023-11-17

Family

ID=88713208

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311109500.4A Pending CN117081822A (en) 2023-08-30 2023-08-30 Traffic detection method, traffic detection device, communication equipment, storage medium and chip

Country Status (1)

Country Link
CN (1) CN117081822A (en)

Similar Documents

Publication Publication Date Title
CN109754105B (en) Prediction method, terminal and server
EP2849384B1 (en) Approximate matching method and related device, and communication system
CN111340237A (en) Data processing and model operation method, device and computer equipment
CN107360032B (en) Network flow identification method and electronic equipment
WO2019184640A1 (en) Indicator determination method and related device thereto
CN113412608B (en) Content pushing method and device, server and storage medium
CN106921578A (en) The generation method and device of a kind of forwarding-table item
CN113835902B (en) Data processing method, device, computer equipment and storage medium
CN112580730A (en) Terminal type identification method and device
CN110297764B (en) Vulnerability test model training method and device
CN114513850A (en) Positioning method, positioning device, computer equipment, medium and program product
CN107770239A (en) For the method and apparatus by network service
CN104853447B (en) A kind of data information processing method and device
CN111221827B (en) Database table connection method and device based on graphic processor, computer equipment and storage medium
CN117081822A (en) Traffic detection method, traffic detection device, communication equipment, storage medium and chip
CN109428774B (en) Data processing method of DPI equipment and related DPI equipment
CN114328619A (en) Multi-factor data matching method and device
CN111711946B (en) IoT (internet of things) equipment identification method and identification system under encrypted wireless network
WO2020258101A1 (en) User similarity calculation method and apparatus, server end, and storage medium
KR20180008088A (en) Apparatus and method for performance test of IED and computer readable recording medium to member deterioration
CN110020087B (en) Distributed PageRank acceleration method based on similarity estimation
WO2019114481A1 (en) Cluster type recognition method, apparatus, electronic apparatus, and storage medium
JP2020057240A (en) Data construction system for belonging area analysis, data construction program for belonging area analysis, and belonging area analysis system
CN117540071B (en) Configuration method and device for attribute table item of search engine
CN113193967B (en) Multimode communication method, device, network module and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination