CN117240657A - VPN application identification method based on graph matching network - Google Patents
VPN application identification method based on graph matching network Download PDFInfo
- Publication number
- CN117240657A CN117240657A CN202311146958.7A CN202311146958A CN117240657A CN 117240657 A CN117240657 A CN 117240657A CN 202311146958 A CN202311146958 A CN 202311146958A CN 117240657 A CN117240657 A CN 117240657A
- Authority
- CN
- China
- Prior art keywords
- session
- graph
- vpn
- directed
- flow
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 35
- 239000013598 vector Substances 0.000 claims abstract description 44
- 230000003993 interaction Effects 0.000 claims abstract description 13
- 230000004931 aggregating effect Effects 0.000 claims abstract description 7
- 238000007781 pre-processing Methods 0.000 claims abstract description 7
- 230000008569 process Effects 0.000 claims abstract description 7
- 239000011159 matrix material Substances 0.000 claims description 17
- 230000007246 mechanism Effects 0.000 claims description 9
- 238000010606 normalization Methods 0.000 claims description 9
- 230000005540 biological transmission Effects 0.000 claims description 7
- 238000001914 filtration Methods 0.000 claims description 3
- 238000005259 measurement Methods 0.000 claims description 3
- 230000001902 propagating effect Effects 0.000 claims description 2
- 238000005516 engineering process Methods 0.000 description 3
- CKRLIWFOVCLXTP-UHFFFAOYSA-N 4-phenyl-1-propyl-3,6-dihydro-2h-pyridine Chemical compound C1N(CCC)CCC(C=2C=CC=CC=2)=C1 CKRLIWFOVCLXTP-UHFFFAOYSA-N 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 230000000873 masking effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The VPN application identification method based on the graph matching network comprises the following steps: deploying flow grabbing equipment in a network, acquiring flow interaction data of different VPN applications by starting the different VPN applications, and preprocessing the flow data into a session; intercepting the first 20 session packets of the session, counting the duration of each session packet and forming a session vector; drawing session directed graphs of different VPN applications to obtain a vertex set and an edge set; drawing a plurality of directed graphs by using the collected multiple groups of data of the same VPN application; coding, transmitting and aggregating the session directed graph of the unknown application and the session directed graphs of a plurality of known applications to form graph embedded vectors, and finally obtaining the similarity of the session directed graph of the unknown flow and the known session graph model; and obtaining the nearest VPN application classification according to the similarity sorting comparison. The establishing process identifies a VPN, and realizes more refined control of the flow.
Description
Technical Field
The invention relates to the field of computer network security, in particular to a VPN application identification method based on a graph matching network.
Background
The VPN is known as Virtual Private Network, a virtual private network, where personal transport data is encrypted by establishing a point-to-point tunnel between a user computer and a server of the VPN provider, masking the IP address. The remote office may access corporate resources from any location through the VPN through a proprietary connection, mobile office normalization. The VPN is widely used, and meanwhile, a new problem is brought, because the tunnel technology and the encryption and decryption technology adopted by the VPN can confuse and even hide the flow characteristics, and a plurality of lawbreakers use the characteristics to carry out network attack or transmit illegal bad contents, so that the VPN brings great risks to network security for governments and network managers, and great challenges exist in terms of flow identification and audit.
One of the more critical technologies in traffic identification auditing is to identify network applications. VPN applications are many and fast in change, there are OpenVPN, shadowsocks, etc. commonly, protocols used by each application are different, including layer 2 protocol PPTP, L2TP, layer 3 protocol IPSec, and protocol MPLS spanning layers 2 and 3, etc., and many VPN implementations use multiple protocols in a mixed manner. After the VPN is built, the data transmitted internally are encrypted, so that the information obtained from the data transmission process is low in effectiveness, different VPN applications have different handshake stage tunnel building processes, the data are not encrypted, and the original attribute and characteristic of the VPN application are provided. The overall process steps at the beginning of the tunnel establishment for the same VPN application are similar even if different nodes are connected or there is more or less delay in the network. Based on this background, it is therefore desirable to identify a VPN through the tunnel establishment procedure of the handshake phase, thereby enabling a more refined management of traffic.
Disclosure of Invention
In view of the foregoing, the present invention has been made to provide a VPN application identification method based on a graph matching network that overcomes or at least partially solves the foregoing problems.
According to an aspect of the present invention, there is provided a VPN application identification method based on a graph matching network, the application identification method including:
step S1: deploying flow grabbing equipment in a network, acquiring flow interaction data of different VPN applications by starting the different VPN applications, and preprocessing the flow data into a session;
step S2: intercepting the first 20 session packets of the session, counting the duration of each session packet and forming a session vector;
step S3: drawing session directed graphs of different VPN applications to obtain a vertex set and an edge set;
step S4: drawing a plurality of directed graphs from the collected multiple groups of data of the same VPN application, carrying out normalization processing, and solving the average of the multiple directed graphs of the same VPN application as a graph model of different VPN applications;
step S5: coding, transmitting and aggregating the session directed graph of the unknown application and the session directed graphs of a plurality of known applications to form graph embedded vectors, and calculating the similarity degree of the two graph embedded vectors by using a graph matching network with an attention mechanism to finally obtain the similarity of the unknown flow session directed graph and the known session graph model;
step S6: and obtaining the nearest VPN application classification according to the similarity sorting comparison.
Optionally, deploying a traffic grabbing device in the network, and acquiring traffic interaction data of different VPN applications by starting the different VPN applications, where preprocessing the traffic data into a session specifically includes:
the flow session is carried out, and the data packets in the grabbed pcap file are ordered according to time;
P={p1:(s1,d1,ps1,pd1,t1),
p2: (s 2, d2, ps2, pd2, t 2) …, pn: (sn, dn, psn, pdf, tn) }; wherein pi represents a data packet, si, di, psi, pdi represents a source IP, a destination IP, a source port, a destination port of the data packet, and ti represents a transmission start time of the data packet;
filtering invalid sessions;
when the data packets meet the same five-tuple and are in the same session, the data packets are combined into a set Q, wherein the items qi in the set Q are (s, d, ps, pd, ti) or (d, s, pd, ps, ti).
Optionally, the invalidation session specifically includes: incomplete packets of incomplete complete handshake procedure, transmission of lost bad packets.
Optionally, intercepting the first 20 session packets of the session, and counting the duration of each session packet and forming a session vector specifically includes:
intercepting the first 20 data packets of the flow session set Q according to the handshake establishment process of the known protocol;
counting the duration of each packet, e.g. Q as described above i The duration of (2) is t i+1 -t i Denoted as T i ;
Will q i Source IP and source port combination s+ps is S, destination IP and destination port combination d + pd is D, and the entries in R are sorted into sets R (S, D, T) i ),(D,S,T i ) Two kinds.
Optionally, the drawing multiple directed graphs of the collected multiple sets of data of the same VPN application, performing normalization processing, and obtaining an average of multiple directed graphs of the same VPN application as a graph model of different VPN applications specifically includes:
drawing a directed graph of a plurality of flow of a certain type of grabbed APP;
carrying out normalization processing on the directed graphs, enabling the longest side of each directed graph to be 1, scaling the other sides in equal proportion, and drawing directed graph pixels to be 10 x 10;
each time a directed graph is drawn, a column vector is converted; constructing a matrix, adding a plurality of column vectors converted by a certain APP flow into the matrix, calculating the average value of each row of the matrix, and forming a vector of a column average value;
reducing the vector of the average value into a matrix, wherein the matrix is an average graph of a plurality of flows of the same class of APP;
the matrix is reduced to a directed graph representation (V, E).
Optionally, the encoding, propagating and aggregating the session directed graph of the unknown application and the session directed graphs of the plurality of known applications to form graph embedded vectors, and calculating the similarity degree of the two graph embedded vectors by using the graph matching network with the attention mechanism, so as to obtain the similarity between the session directed graph of the unknown flow and the known session graph model specifically includes:
step 1 to step 3 are executed on the sessions of unknown traffic to obtain a directed graph G1= (V1, E1) of the sessions of unknown traffic, and the average pattern G2= (V2, E2) of the known VPN application is traversed to calculate the similarity in a pairwise combination mode;
the features of each node and each edge on the directed graph are encoded using MLP.
The features of adjacent nodes and the features of edges are spliced together:
calculating interaction information of two nodes in two graphs based on an attention mechanism, wherein hi and hj are vertexes in the two graphs:
wherein s is h Is a similarity measurement function, a j→i Is the attention weight:
the interaction information of all nodes in the other graph and the node i in the current graph is expressed as:
the updating of the nodes takes the surrounding node information, side information and node information of the matching graph into consideration, and the characteristics of the nodes become:
converting the plurality of node vectors into a graph vector by adopting a weighted average mode:
optionally, the step S6: the method for obtaining the closest VPN application classification specifically comprises the following steps of:
calculating the Euclidean distance between the unknown application vector and the application vector;
determining similarity according to the Euclidean distance;
and obtaining the nearest VPN application classification according to the similarity sorting comparison.
The invention provides a VPN application identification method based on a graph matching network, which comprises the following steps: step S1: deploying flow grabbing equipment in a network, acquiring flow interaction data of different VPN applications by starting the different VPN applications, and preprocessing the flow data into a session; step S2: intercepting the first 20 session packets of the session, counting the duration of each session packet and forming a session vector; step S3: drawing session directed graphs of different VPN applications to obtain a vertex set and an edge set; step S4: drawing a plurality of directed graphs from the collected multiple groups of data of the same VPN application, carrying out normalization processing, and solving the average of the multiple directed graphs of the same VPN application as a graph model of different VPN applications; step S5: coding, transmitting and aggregating the session directed graph of the unknown application and the session directed graphs of a plurality of known applications to form graph embedded vectors, and calculating the similarity degree of the two graph embedded vectors by using a graph matching network with an attention mechanism to finally obtain the similarity of the unknown flow session directed graph and the known session graph model; step S6: and obtaining the nearest VPN application classification according to the similarity sorting comparison. The set-up process identifies a VPN to enable finer control of traffic.
The foregoing description is only an overview of the present invention, and is intended to be implemented in accordance with the teachings of the present invention in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present invention more readily apparent.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a VPN application identification method based on a graph matching network according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprising" and "having" and any variations thereof in the description embodiments of the invention and in the claims and drawings are intended to cover a non-exclusive inclusion, such as a series of steps or elements.
The technical scheme of the invention is further described in detail below with reference to the accompanying drawings and the examples.
As shown in fig. 1, in order to solve the above-mentioned problems in the prior art, the present invention proposes a VPN application identification classification method based on a graph matching network, so as to identify the VPN application to which the current traffic belongs faster, thereby managing and controlling the corresponding VPN application. The method provided by the invention is also applicable to the identification of other network applications.
The invention discloses a novel VPN application identification and classification method. And drawing a session directed graph by extracting the first 20 session packets in the VPN traffic session, and analyzing the characteristics of the known VPN application in the tunnel establishment stage. And then calculating the similarity between the session directed graph of the unknown traffic and the session directed graph of the known VPN application traffic by using a graph matching network method, so that the VPN application can be conveniently identified, and an effective network auditing tool is provided for a manager.
The technical scheme adopted by the invention is as follows:
a VPN application identification method based on a graph matching network comprises the following steps:
step 1: and deploying flow grabbing equipment in the network, and acquiring flow interaction data of different VPN applications by starting the different VPN applications. Preprocessing traffic data into a session;
step 2: intercepting the first 20 session packets of the session, counting the duration of each session packet and forming a session vector;
step 3: drawing session directed graphs of different VPN applications to obtain a vertex set and an edge set;
step 4: drawing a plurality of directed graphs from the plurality of groups of data of the same VPN application collected in the step 1), carrying out normalization processing on the directed graphs, and solving the average of the plurality of directed graphs of the same VPN application as a graph model of different VPN applications;
step 5: coding, transmitting and aggregating the session directed graph of the unknown application and the session directed graphs of a plurality of known applications to form graph embedded vectors, and calculating the similarity degree of the two graph embedded vectors by using a graph matching network with an attention mechanism to finally obtain the similarity of the unknown flow session directed graph and the known session graph model;
step 6: and obtaining the nearest VPN application classification according to the similarity sorting comparison.
Step 1) comprises:
1.1 traffic conversational. Firstly, sorting the data packets in the grabbed pcap file according to time. P= { P1: (s 1, d1, ps1, pd1, t 1), p2: (s 2, d2, ps2, pd2, t 2) …, pn: (sn, dn, psn, pdf, tn) }. Wherein pi represents a data packet, si, di, psi, pdi represents a source IP, a destination IP, a source port, a destination port of the data packet, and ti represents a start transmission time of the data packet;
1.2 filtering invalid sessions, such as incomplete packets that do not complete the handshake flow, bad packets that were lost in transmission, etc.;
1.3 the data packets satisfy the same five-tuple and are merged into a set Q in the same session, wherein the Q terms qi are (s, d, ps, pd, ti) or (d, s, pd, ps, ti) two.
Step 2) comprises:
1.1 Intercepting the first 20 data packets of the flow session set Q according to the handshake establishment process of the known protocol;
1.2 Counting the duration of each packet, e.g. Q as described above i The duration of (2) is t i+1 -t i Denoted as T i ;
1.3 Q) to q i Source IP and source port combination s+ps is S, destination IP and destination port combination d + pd is D, and the entries in R are sorted into sets R (S, D, T) i ),(D,S,T i ) Two kinds.
The step 3) comprises the following steps:
according to the existing set R, traversing the set R, drawing a session directed graph, and assuming that a vertex set is V and an edge set is E.
Step 4) comprises:
4.1 Drawing a directed graph of a plurality of flows of one APP which is grabbed in the step 1;
4.2 Normalized processing is carried out on the directed graph, so that the longest side of each directed graph is 1, the rest sides are scaled in equal proportion, and the drawn directed graph pixels are 10 x 10;
4.3 Each time a directed graph is drawn, it is converted into a column vector. Constructing a matrix, adding a plurality of column vectors converted by a certain APP flow into the matrix, calculating the average value of each row of the matrix, and forming a vector of a column average value;
4.4 Vector of averages is reduced to a matrix, which can be considered as an average pattern of multiple flows of the same class APP. The matrix is reduced to a directed graph representation (V, E).
Step 5) comprises:
5.1 Step 1 to step 3 are firstly carried out on the session of the unknown traffic to obtain a directed graph G1= (V1, E1) of the session of the unknown traffic, and the average pattern G2= (V2, E2) of the known VPN application is traversed to calculate the similarity in a pairwise combination mode.
5.2 The features of each node and each edge on the directed graph are encoded using MLP.
5.3 The features of adjacent nodes and the features of edges are spliced together:
5.4 Calculating interaction information of two nodes in the two graphs based on the attention mechanism, wherein hi and hj are vertices in the two graphs:
in particular, wherein s h Is a similarity measurement function, a j→i Is the attention weight:
the interaction information of all nodes in another graph and node i in the current graph can be expressed as:
in this case, the update of the node takes into consideration the surrounding node information, the side information, and the node information of the matching graph, and the characteristics of the node become:
converting the plurality of node vectors into a graph vector by adopting a weighted average mode:
step 6) comprises:
the Euclidean distance between the unknown application vector and the known application vector is calculated, and therefore the similarity is judged, and the closer the distance is, the higher the similarity is represented.
The beneficial effects are that: a VPN is identified through a tunnel establishment process in a handshake stage, so that more refined control over traffic is realized.
The invention provides a VPN application identification classification method based on a graph matching network, which can quickly identify the VPN application to which the current flow belongs, thereby managing and controlling the corresponding VPN application.
The foregoing detailed description of the invention has been presented for purposes of illustration and description, and it should be understood that the invention is not limited to the particular embodiments disclosed, but is intended to cover all modifications, equivalents, alternatives, and improvements within the spirit and principles of the invention.
Claims (7)
1. The VPN application identification method based on the graph matching network is characterized by comprising the following steps:
step S1: deploying flow grabbing equipment in a network, acquiring flow interaction data of different VPN applications by starting the different VPN applications, and preprocessing the flow data into a session;
step S2: intercepting the first 20 session packets of the session, counting the duration of each session packet and forming a session vector;
step S3: drawing session directed graphs of different VPN applications to obtain a vertex set and an edge set;
step S4: drawing a plurality of directed graphs from the collected multiple groups of data of the same VPN application, carrying out normalization processing, and solving the average of the multiple directed graphs of the same VPN application as a graph model of different VPN applications;
step S5: coding, transmitting and aggregating the session directed graph of the unknown application and the session directed graphs of a plurality of known applications to form graph embedded vectors, and calculating the similarity degree of the two graph embedded vectors by using a graph matching network with an attention mechanism to finally obtain the similarity of the unknown flow session directed graph and the known session graph model;
step S6: and obtaining the nearest VPN application classification according to the similarity sorting comparison.
2. The VPN application identification method based on the graph matching network according to claim 1, wherein the deploying a traffic grabbing device in the network, by starting different VPN applications, obtains different VPN application traffic interaction data, and preprocessing the traffic data into a session specifically includes:
the flow session is carried out, and the data packets in the grabbed pcap file are ordered according to time;
P={p1:(s1,d1,ps1,pd1,t1),
p2: (s 2, d2, ps2, pd2, t 2) …, pn: (sn, dn, psn, pdf, tn) }; wherein pi represents a data packet, si, di, psi, pdi represents a source IP, a destination IP, a source port, a destination port of the data packet, and ti represents a transmission start time of the data packet;
filtering invalid sessions;
when the data packets meet the same five-tuple and are in the same session, the data packets are combined into a set Q, wherein the items qi in the set Q are (s, d, ps, pd, ti) or (d, s, pd, ps, ti).
3. The VPN application identification method based on a graph matching network according to claim 2, wherein the invalidation session specifically includes: incomplete packets of incomplete complete handshake procedure, transmission of lost bad packets.
4. The VPN application identification method according to claim 1, wherein intercepting the first 20 session packets of the session, counting the duration of each session packet and forming a session vector specifically includes:
intercepting the first 20 data packets of the flow session set Q according to the handshake establishment process of the known protocol;
counting the duration of each packet, e.g. Q as described above i The duration of (2) is t i+1 -t i Denoted as T i ;
Will q i Source IP and source port combination s+ps is S, destination IP and destination port combination d + pd is D, and the entries in R are sorted into sets R (S, D, T) i ),(D,S,T i ) Two kinds.
5. The VPN application identification method based on the graph matching network according to claim 1, wherein the drawing multiple directed graphs of the collected multiple sets of data of the same VPN application, performing normalization processing, and obtaining an average of multiple directed graphs of the same VPN application as a graph model of different VPN applications specifically includes:
drawing a directed graph of a plurality of flow of a certain type of grabbed APP;
carrying out normalization processing on the directed graphs, enabling the longest side of each directed graph to be 1, scaling the other sides in equal proportion, and drawing directed graph pixels to be 10 x 10;
each time a directed graph is drawn, a column vector is converted; constructing a matrix, adding a plurality of column vectors converted by a certain APP flow into the matrix, calculating the average value of each row of the matrix, and forming a vector of a column average value;
reducing the vector of the average value into a matrix, wherein the matrix is an average graph of a plurality of flows of the same class of APP;
the matrix is reduced to a directed graph representation (V, E).
6. The VPN application identification method according to claim 1, wherein the encoding, propagating and aggregating the session directed graph of the unknown application and the session directed graphs of the plurality of known applications to form a graph embedded vector, and calculating the similarity of the two graph embedded vectors by using the graph matching network with an attention mechanism, so as to obtain the similarity of the session directed graph of the unknown traffic and the known session graph model specifically includes:
step 1 to step 3 are executed on the sessions of unknown traffic to obtain a directed graph G1= (V1, E1) of the sessions of unknown traffic, and the average pattern G2= (V2, E2) of the known VPN application is traversed to calculate the similarity in a pairwise combination mode;
the features of each node and each edge on the directed graph are encoded using MLP.
The features of adjacent nodes and the features of edges are spliced together:
calculating interaction information of two nodes in two graphs based on an attention mechanism, wherein hi and hj are vertexes in the two graphs:
wherein s is h Is a similarity measurement function, a j→i Is the attention weight:
the interaction information of all nodes in the other graph and the node i in the current graph is expressed as:
the updating of the nodes takes the surrounding node information, side information and node information of the matching graph into consideration, and the characteristics of the nodes become:
converting the plurality of node vectors into a graph vector by adopting a weighted average mode:
7. the VPN application identification method based on the graph matching network according to claim 1, wherein the step S6: the method for obtaining the closest VPN application classification specifically comprises the following steps of:
calculating the Euclidean distance between the unknown application vector and the application vector;
determining similarity according to the Euclidean distance;
and obtaining the nearest VPN application classification according to the similarity sorting comparison.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311146958.7A CN117240657B (en) | 2023-09-07 | 2023-09-07 | VPN application identification method based on graph matching network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311146958.7A CN117240657B (en) | 2023-09-07 | 2023-09-07 | VPN application identification method based on graph matching network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117240657A true CN117240657A (en) | 2023-12-15 |
| CN117240657B CN117240657B (en) | 2024-03-12 |
Family
ID=89083683
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311146958.7A Active CN117240657B (en) | 2023-09-07 | 2023-09-07 | VPN application identification method based on graph matching network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117240657B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170124464A1 (en) * | 2015-10-28 | 2017-05-04 | Fractal Industries, Inc. | Rapid predictive analysis of very large data sets using the distributed computational graph |
| CN113283498A (en) * | 2021-05-21 | 2021-08-20 | 东南大学 | VPN flow rapid identification method facing high-speed network |
| CN113656696A (en) * | 2021-08-24 | 2021-11-16 | 工银科技有限公司 | Session recommendation method and device |
| CN114398938A (en) * | 2021-12-02 | 2022-04-26 | 中山大学 | Non-supervision P2P traffic identification method and system based on directed graph |
| CN114978593A (en) * | 2022-04-15 | 2022-08-30 | 中国科学院信息工程研究所 | Graph matching-based encrypted traffic classification method and system for different network environments |
| CN116306685A (en) * | 2023-05-22 | 2023-06-23 | 国网信息通信产业集团有限公司 | Multi-intention recognition method and system for power business scene |
-
2023
- 2023-09-07 CN CN202311146958.7A patent/CN117240657B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170124464A1 (en) * | 2015-10-28 | 2017-05-04 | Fractal Industries, Inc. | Rapid predictive analysis of very large data sets using the distributed computational graph |
| CN113283498A (en) * | 2021-05-21 | 2021-08-20 | 东南大学 | VPN flow rapid identification method facing high-speed network |
| CN113656696A (en) * | 2021-08-24 | 2021-11-16 | 工银科技有限公司 | Session recommendation method and device |
| CN114398938A (en) * | 2021-12-02 | 2022-04-26 | 中山大学 | Non-supervision P2P traffic identification method and system based on directed graph |
| CN114978593A (en) * | 2022-04-15 | 2022-08-30 | 中国科学院信息工程研究所 | Graph matching-based encrypted traffic classification method and system for different network environments |
| CN116306685A (en) * | 2023-05-22 | 2023-06-23 | 国网信息通信产业集团有限公司 | Multi-intention recognition method and system for power business scene |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117240657B (en) | 2024-03-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP5536280B2 (en) | Method and apparatus for identifying an application protocol | |
| JP5362669B2 (en) | Efficient classification of network packets | |
| CN1574764B (en) | Method for managing network filter based policies | |
| US8964747B2 (en) | System and method for restricting network access using forwarding databases | |
| EP2951947B1 (en) | Method and system for automatically managing secure communications in multiple communications jurisdiction zones | |
| US8937945B2 (en) | Method and apparatus for optimizing usage of ternary content addressable memory (TCAM) | |
| Ayres et al. | ALPi: A DDoS defense system for high-speed networks | |
| CN105187378A (en) | Computerized System And Method For Handling Network Traffic | |
| He et al. | Image-based encrypted traffic classification with convolution neural networks | |
| CN104753857A (en) | Network flow control equipment and security policy configuration method and device thereof | |
| CN112769623A (en) | Internet of things equipment identification method under edge environment | |
| CN112511995A (en) | Message interaction method, device, equipment and storage medium | |
| Rong et al. | Umvd-fsl: Unseen malware variants detection using few-shot learning | |
| CN108712369B (en) | Multi-attribute constraint access control decision system and method for industrial control network | |
| Bays et al. | A heuristic-based algorithm for privacy-oriented virtual network embedding | |
| CN115086315A (en) | Cloud edge collaborative security authentication method and system based on image sensitivity identification | |
| CN108462707A (en) | A kind of mobile application recognition methods based on deep learning sequence analysis | |
| CN114866310A (en) | Malicious encrypted flow detection method, terminal equipment and storage medium | |
| CN112788064A (en) | Encryption network abnormal flow detection method based on knowledge graph | |
| CN117240657B (en) | VPN application identification method based on graph matching network | |
| CN112468324B (en) | Graph convolution neural network-based encrypted traffic classification method and device | |
| CN117633657A (en) | Method, device, processor and computer readable storage medium for realizing encryption application flow identification processing based on multi-graph characterization enhancement | |
| CN103581046A (en) | Method and device for achieving control of gateway service quality | |
| CN117041375A (en) | Cross-domain transmission safety management method based on data service bus | |
| CN101783816B (en) | Download traffic control method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |