CN1494278A - Data stream classifying method - Google Patents
- Publication number
- CN1494278A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A user creates a rule according to security or management needs. The rule is added to an ancillary rule tree. All rules in the ancillary rule tree are periodically added to the main rule tree. The features of the input data are matched against both the main rule tree and the ancillary rule tree, and the corresponding action is taken on the current input data according to the match result. The advantage of the invention is that, when a large number of flow classification rules already exist, a newly added flow classification rule takes effect immediately.
Description
Technical field
The present invention relates to a data stream classification method and belongs to the field of data communication technology.
Background technology
Flow classification of an IP packet is the process of matching several data fields of the packet and outputting the match result. Classification is generally based on five parameters of the IP packet: source IP address, destination IP address, protocol type, source port number and destination port number, also called the "five-tuple". Each of these five parameters usually has its own fixed matching mode. The source and destination IP addresses are usually matched by IP address and prefix (or mask): if the addresses are identical over the specified prefix length, they are considered to match. The protocol type is usually matched by complete matching (or exact matching): the protocol type matches only if it equals the set value. Port numbers are usually matched by complete matching or range matching; with range matching, a parameter value that falls within the configured interval is considered to match.
For fast lookup, the rules set by the user are usually stored in a tree structure. Below, the tree data structure generated for flow classification lookup is called the flow classification rule tree, or rule tree. In the prior art, a complete flow classification process, shown in Fig. 1, can comprise the following steps:
1. The user generates a rule according to some need;
2. The generated rule is added, after computation, to the existing rule tree;
3. All input data are matched against the rule tree and the match result is output;
4. According to the output match result, the corresponding action is taken, for example passing or dropping the packet.
When rule matching is performed on input data (IP packets) in this way, relatively many parameters are used and the matching mode usually differs from parameter to parameter, which makes the algorithm that generates the fast-lookup tree for flow classification fairly complex. In particular, different flow classification rules may overlap or contain one another, so that one set of input parameters can match more than one flow classification rule; this overlap or containment relationship must also be reflected when the rule tree is generated. The current practice is to rebuild the flow classification rule tree, reconstructing its structure, whenever a rule is added or deleted. The time needed to recompute and reconstruct the flow classification rule tree grows with the number of rules that already exist. Once the number of rules grows to a certain point, the time to reconstruct the flow classification rule tree, that is, the time for a rule to take effect, becomes intolerably long.
Summary of the invention
The object of the invention is to propose a data stream classification method that overcomes the shortcoming of the prior art and shortens the time a rule tree takes to come into effect.
The data stream classification method proposed by the invention comprises the following steps:
1. The user generates a rule according to security or management needs;
2. The rule is added to the ancillary rule tree;
3. All rules in the ancillary rule tree are periodically added to the main rule tree;
4. The features of the input data are matched against the main rule tree and the ancillary rule tree respectively, and the corresponding action is taken on the current input data according to the match result.
Between step 1 and step 2 of the above method, the method also comprises judging whether the rule is a complete-match rule; if so, the rule is added to a complete-match rule tree, otherwise step 2 is performed. Between step 3 and step 4, the method also comprises matching the features of all input data against the complete-match rule tree; if they match, the corresponding action is taken on the current input data, otherwise step 4 is performed.
In the above method, the time interval at which all rules in the ancillary rule tree are added to the main rule tree is 2 to 3 times the rule tree computation time.
In the above method, the corresponding action taken on the current input data is any one of "pass", "drop", "redirect to a specified host", "record a log", "re-mark", "limit traffic" or "guarantee bandwidth".
The advantage of the fast-acting data stream classification method proposed by the invention is that, when a large number of flow classification rules exist, newly added flow classification rules are brought into effect.
Description of drawings
Fig. 1 is a schematic diagram of data stream classification in the prior art.
Fig. 2 is a schematic diagram of the data stream classification process using an ancillary rule tree.
Fig. 3 is a schematic diagram of the data stream classification process after a complete-match rule tree is added.
Embodiment
The flow of the data stream classification method proposed by the invention is shown in Fig. 2. First, the user generates a rule according to security or management needs; the rule is added to the ancillary rule tree; all rules in the ancillary rule tree are periodically added to the main rule tree; finally, the features of the input data are matched against the main rule tree and the ancillary rule tree respectively, and the corresponding action is taken on the current input data according to the match result.
In the above method, it is also possible to first judge whether the rule the user generated according to security or management needs is a complete-match rule. If so, the rule is added to the complete-match rule tree, and the features of all input data are then matched against the complete-match rule tree; if they match, the corresponding action is taken on the current input data. This flow is shown in Fig. 3.
In the above method, the time interval at which all rules in the ancillary rule tree are added to the main rule tree is 2 to 3 times the rule tree computation time.
In the above method, the corresponding action taken on the current input data is any one of "pass", "drop", "redirect to a specified host", "record a log", "re-mark", "limit traffic" or "guarantee bandwidth".
In data communication equipment, the user's security or management need may be to detect packets with certain features, for example malicious resource-occupation attacks. In addition, for management purposes, the user may configure on the data communication equipment which hosts can access which servers, and which hosts cannot access which servers. In some network centers, for security or other reasons, a given server may not be allowed to be accessed by untrusted hosts.
The time interval at which all rules in the ancillary rule tree are added to the main rule tree is decided flexibly according to the user's specific application. For example, if rule content changes frequently, the interval needs to be reduced; if rule content is relatively stable, the interval can be increased appropriately. In general, this time should be related to the rule tree computation time. For example, with 10000 rules a PII 400 machine needs about 30 seconds of computation, so an interval of roughly one minute to several minutes is appropriate.
Suppose the data communication equipment of a network center must be configured so that only hosts satisfying a certain feature (source address) can have access. The purpose of looking up the flow classification rule tree is then to judge whether the current packet satisfies this feature: if it does, the packet can pass; if it does not, the packet is dropped (filtered). The input data is thus the packet (more precisely, the key features of the packet, such as source address and destination address), and the rule tree is in effect a description of the various categories of packets. The match result is whether the packet satisfies one of the defined features, and the action is whether to let it pass or drop it.
The invention uses an ancillary rule tree to assist the original rule tree in rule matching. The original rule tree is therefore called the "main rule tree" and the newly added rule tree the "ancillary rule tree". The main rule tree holds all rules whose computation has been completed; the ancillary rule tree can be regarded as a cache for the main rule tree, holding newly added rules while the main rule tree has not finished computing. The ancillary rule tree keeps a small number of rules; the rules in the ancillary rule tree are periodically recomputed and merged into the main rule tree. During lookup, the two rule trees are searched one after the other, and different actions are taken according to the lookup results.
The two trees are built with different strategies. The number of rules in the ancillary tree must stay below a certain number, and newly added rules are issued to the ancillary rule tree first. Because the ancillary rule tree is small, it can be reconstructed in a short time, so a rule can take effect within a very short time. Meanwhile, the rules of the ancillary tree are periodically merged into the main rule tree, so that the ancillary rule tree always stays small. Merging the ancillary rule tree into the main rule tree is a fairly time-consuming operation when there are many rules, but because the rules are already in effect in the ancillary rule tree while the merge runs, the merge can be regarded as a "background" operation that does not affect the time at which a rule takes effect.
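The main-tree and ancillary-tree scheme described above, as an added Python example that is not part of the patent text. It assumes a binary trie on the source prefix as the tree layout, a per-rule priority (lower wins) to resolve overlaps across the two trees, and "drop" as the default action; all class and function names are hypothetical, and the optional complete-match rule tree is left out.

```python
import ipaddress
from collections import namedtuple

# priority: lower wins on overlap (assumption); src/dst: prefixes; proto: None = any;
# sport/dport: inclusive (low, high) ranges
Rule = namedtuple("Rule", "priority src dst proto sport dport action")

class RuleTree:
    """Binary trie on the source prefix; the other fields are checked at each node."""
    def __init__(self, rules=()):
        self.rules, self.root = list(rules), {}
        for r in self.rules:                  # full rebuild: cost grows with rule count
            net = ipaddress.ip_network(r.src)
            node = self.root
            for bit in format(int(net.network_address), "032b")[:net.prefixlen]:
                node = node.setdefault(bit, {})
            node.setdefault("rules", []).append((r, ipaddress.ip_network(r.dst)))

    def match(self, pkt):
        src, dst, proto, sport, dport = pkt
        path = format(int(ipaddress.ip_address(src)), "032b")
        dst_ip, node, best, depth = ipaddress.ip_address(dst), self.root, None, 0
        while node is not None:               # visit every source prefix covering src
            for r, dnet in node.get("rules", ()):
                if (dst_ip in dnet and r.proto in (None, proto)
                        and r.sport[0] <= sport <= r.sport[1]
                        and r.dport[0] <= dport <= r.dport[1]
                        and (best is None or r.priority < best.priority)):
                    best = r
            node = node.get(path[depth]) if depth < 32 else None
            depth += 1
        return best

class Classifier:
    def __init__(self):
        self.main, self.ancillary = RuleTree(), RuleTree()

    def add_rule(self, rule):                 # step 2: small tree, so the rebuild is quick
        self.ancillary = RuleTree(self.ancillary.rules + [rule])

    def merge(self):                          # step 3: periodic; slow when main is large
        self.main = RuleTree(self.main.rules + self.ancillary.rules)
        self.ancillary = RuleTree()

    def classify(self, pkt, default="drop"):  # step 4; default action is an assumption
        hits = [r for r in (self.main.match(pkt), self.ancillary.match(pkt))
                if r is not None]
        return min(hits, key=lambda r: r.priority).action if hits else default

def demo():
    any_port, c = (0, 65535), Classifier()
    c.add_rule(Rule(20, "10.0.0.0/8", "0.0.0.0/0", None, any_port, any_port, "pass"))
    c.merge()
    pkt = ("10.1.2.3", "198.51.100.5", 6, 40000, 22)     # constructed sample packet
    before = c.classify(pkt)
    c.add_rule(Rule(10, "10.1.0.0/16", "198.51.100.0/24", 6, any_port, (22, 22), "drop"))
    pending = c.classify(pkt)                 # new rule applies before any merge
    c.merge()
    return before, pending, c.classify(pkt), len(c.ancillary.rules)
```

The verdict for the sample packet changes as soon as the narrower rule is added to the ancillary tree and stays the same after the merge, which is the property the method relies on to run the merge in the background.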
Claims (4)
1. A data stream classification method, characterized in that the method comprises the following steps:
(1) the user generates a rule according to security or management needs;
(2) the rule is added to the ancillary rule tree;
(3) all rules in the ancillary rule tree are periodically added to the main rule tree;
(4) the features of the input data are matched against the main rule tree and the ancillary rule tree respectively, and the corresponding action is taken on the current input data according to the match result.
2. The method of claim 1, characterized in that:
between step (1) and step (2), the method also comprises: judging whether the rule is a complete-match rule; if so, the rule is added to a complete-match rule tree, otherwise step (2) is performed;
and between step (3) and step (4), the method also comprises: matching the features of all input data against the complete-match rule tree; if they match, the corresponding action is taken on the current input data, otherwise step (4) is performed.
3. The method of claim 1, characterized in that in step (3) the time interval at which all rules in the ancillary rule tree are added to the main rule tree is 2 to 3 times the rule tree computation time.
4. The method as claimed in claim 1 or 2, characterized in that the corresponding action taken on the current input data is any one of "pass", "drop", "redirect to a specified host", "record a log", "re-mark", "limit traffic" or "guarantee bandwidth".
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA021501122A CN1494278A (en) | 2002-11-02 | 2002-11-02 | Data stream classifying method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1494278A (en) | 2004-05-05 |
Family
ID=34233870
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA021501122A Pending CN1494278A (en) | 2002-11-02 | 2002-11-02 | Data stream classifying method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1494278A (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007048318A1 (en) * | 2005-10-24 | 2007-05-03 | Huawei Technologies Co., Ltd. | A stream classification device, a stream classification method and a base station applying the stream classification device |
CN100466594C (en) * | 2004-10-09 | 2009-03-04 | 华为技术有限公司 | Method for classification processing message |
CN101827002A (en) * | 2010-05-27 | 2010-09-08 | 文益民 | Concept drift detection method of data flow classification |
CN101888369A (en) * | 2009-05-15 | 2010-11-17 | 北京启明星辰信息技术股份有限公司 | Method and device for matching network message rules |
CN101227318B (en) * | 2007-12-04 | 2011-05-11 | 东南大学 | Method for overtrick real-time detection of high speed network flow quantity |
CN102427428A (en) * | 2011-12-07 | 2012-04-25 | 西安电子科技大学 | Stream identifying method and device based on multi-domain longest match |
CN101005455B (en) * | 2006-12-30 | 2012-06-27 | 中国科学院计算技术研究所 | Flow control method based on by-path interference |
CN101091369B (en) * | 2004-12-22 | 2012-11-14 | 艾利森电话股份有限公司 | Means and method for control of personal data |
CN103164400A (en) * | 2011-12-08 | 2013-06-19 | 中国移动通信集团浙江有限公司 | Method, device and system of correlation analysis |
CN104573101A (en) * | 2015-01-29 | 2015-04-29 | 南京烽火星空通信发展有限公司 | System and method for real-time data stream classification on basis of rule routes |
CN106789727A (en) * | 2016-12-27 | 2017-05-31 | 锐捷网络股份有限公司 | Packet classification method and device |
CN110083663A (en) * | 2019-04-09 | 2019-08-02 | 北京中科智营科技发展有限公司 | A kind of Classified optimization method and apparatus that data are shown |
CN117828487A (en) * | 2024-02-23 | 2024-04-05 | 深圳赋乐科技集团有限公司 | Method, system, equipment and medium for judging matching result of flow classification rule |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |