JP6410309B2 - Communication identification method and apparatus - Google Patents

Description

  The present invention relates to a communication identification method and apparatus, and more particularly, to a communication identification method and apparatus for identifying communication performed by a communication terminal in the foreground and communication performed in the background.

  A technique for identifying the contents of communication executed by a communication terminal has been studied. Patent Document 1 discloses a technique for calculating periodicity from a time series change of communication traffic volume or data using Fourier transform or the like.

  In Patent Literature 2, communication traffic is measured and aggregated for each flow, and a cepstrum analysis that is a frequency analysis method is applied from the communication traffic characteristics for each flow to identify an application (type of communication service) from the flow. Technology is disclosed.

  In Patent Document 3, communication traffic is measured and aggregated for each flow, a feature amount is calculated from communication traffic characteristics for each flow, and machine learning is applied to identify the type (application) of the communication service from the flow. Technology is disclosed.

JP 2010-283668 A JP 2012-105043 A JP 2013-127504 A Japanese Patent Application No. 2014-037083

  Due to the explosive spread of mobile terminals in recent years, various services have emerged, and not only foreground communication that is triggered by terminal user's communication request operation, but also the application itself Background communication that communicates with a server or the like has occurred at an arbitrary convenient timing.

  Each communication method differs in importance, urgency, data size, tolerance for delay and jitter, influence on the subjective evaluation of the terminal user, and so on, so that each communication method can be used for various purposes if it can be identified.

  However, in Patent Document 1, the purpose is abnormality detection, that is, trend change detection from normal times, and foreground / background communication cannot be identified. Patent Documents 2 and 3 are technologies aimed at identifying applications and communication services, and cannot identify foreground / background communication.

  On the other hand, in response to such technical problems, the inventors of the present invention classify each session observed on the network into an SD group specific to the combination of the transmission source information and the destination information, and the SD group. For each session, an autocorrelation relating to the occurrence timing of each session was calculated, and a communication identification device was invented for identifying a session having a high autocorrelation coefficient as background communication, and a patent application (Patent Document 4) was filed.

  However, CDN (Contents Delivery Network) optimized for delivering web content over the Internet and cloud services provided by Google Inc. distribute content on multiple servers, and distribute content from users. It may be changed or optimized dynamically depending on the location of the terminal.

  In such a case, the source (client / user terminal) is the same and the session is related to the same service or application, but because the destination is different, it is classified into different SD groups. Communication type could not be identified based on relevance.

  An object of the present invention is to solve the above technical problem, and even if sessions having different destination information are used, sessions having the same transmission source information and similar or high correlation in traffic characteristics may be the same service or An object of the present invention is to provide a communication identification method and apparatus that can be identified as a foreground communication or a background communication by treating the session as an application.

  In order to achieve the above object, the present invention provides a communication identification apparatus that identifies a session established between a communication terminal and a communication partner as either foreground communication or background communication, and has the following configuration: There is a feature.

  (1) A method for classifying each session into an SD group specific to a combination of source information and destination information, and a plurality of SD groups with the same source information but different destination information are correlated with the traffic characteristics of each session. A means for aggregating based on; a means for calculating an occurrence timing characteristic of a session for each SD group; and a means for identifying a session of the SD group based on the occurrence timing characteristic of the session.

  (2) The means for calculating the occurrence timing characteristics calculates the autocorrelation related to the occurrence timing of each session for each SD group, and identifies sessions in the SD group whose autocorrelation exceeds a predetermined threshold as background communication. .

(3) Means for calculating occurrence timing characteristics is means for generating an occurrence timing vector having the bin position as an element by representing the occurrence timing of each session for each SD group as a bin position having a predetermined time width. A means for calculating a difference for each combination of elements having different occurrence timing vectors, and a means for calculating a reliability for which the difference is the occurrence period of a session for each set of elements having the same difference. Sessions were identified based on the reliability of each occurrence period.
(4) The session aggregation means includes means for calculating the cross-correlation of traffic characteristics between SD groups having the same source information and different destination information, and the SD groups whose cross-correlation exceeds a predetermined threshold are combined into one SD group. Aggregated into groups.
Further, the session aggregation means includes characteristic sequence generation means for generating a traffic characteristic sequence by discretizing a time series variation of traffic characteristics for each bin of unit time width, and the means for calculating the cross correlation includes the traffic characteristics The cross-correlation of the sequence was calculated.

According to the present invention, the following effects are achieved.
(1) Sessions with the same source information and similar or high correlation in session traffic characteristics, even in sessions with different destination information, belong to the same SD group as sessions related to the same service or application. The communication types are aggregated and are subject to communication type determination based on the occurrence timing characteristics of the session.

  Therefore, even if the session is related to a service or application in which content is distributed and distributed on multiple servers, or the content distribution source is dynamically changed and optimized according to the location of the user terminal, The foreground communication and the background communication can be accurately discriminated.

  (2) Of the communications performed by communication terminals, sessions with high autocorrelation of occurrence timing are likely to be background communications that are automatically and mechanically executed by the OS and applications regardless of user operations. By calculating the autocorrelation coefficient of the occurrence timing, the foreground communication and the background communication can be accurately determined.

  (3) When evaluating an extremely sparse data sequence, such as the occurrence timing of a session related to background communication, this is not a bit sequence T that contains a number of “0” s continuously corresponding to the sparse interval. Since the reliability calculation is performed on the occurrence timing vector generated from the bit sequence T, the sequence length after projection can be shortened, and the calculation amount can be greatly reduced.

It is the figure which showed the structure of the network to which the communication identification method of this invention is applied. It is the functional block diagram which showed the structure of the principal part of a capture apparatus. It is the figure which expressed typically the method of integrating the SD group from which only a destination differs. It is the figure which showed the measuring method of the traffic characteristic in a TCP connection. It is the figure which showed the measuring method of the traffic characteristic in HTTP session. It is the flowchart which showed the calculation method of the autocorrelation coefficient. It is a functional block diagram of the capture device concerning a 1st embodiment of the present invention. It is the flowchart which showed the calculation method of the cross correlation coefficient. It is a functional block diagram of the capture device concerning a 2nd embodiment of the present invention. It is a figure for demonstrating the function of the bit sequence generator 105B1. It is a figure for demonstrating the function of difference calculation part 105C1. It is a figure for demonstrating the function of element set table production | generation part 105C2. It is the flowchart which showed operation | movement of the reliability calculation part 105C3.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a block diagram showing the configuration of a network to which the communication identification method of the present invention is applied.

  A radio base station BS is installed in each area of the service providing range, and a radio mobile terminal MN (for example, a smartphone or a tablet terminal) in the area is accommodated in each radio base station BS. Each radio base station BS is connected to a radio access network RAN, and the radio access network RAN is connected to a gateway (GW) of the core network. The core network is connected to the Internet at the Internet Exchange (IX).

  Various servers that provide services in response to requests from each MN are connected to the Internet. In the present embodiment, the capture device 1 as a communication identification device is connected to a line L that connects the radio access network RAN and the core network as a line that can aggregate traffic between each MN and each server.

  FIG. 2 is a functional block diagram showing the configuration of the main part of the capture device 1. Here, the configuration unnecessary for the description of the present invention is omitted. The capture device 1 of the present invention can be configured by mounting an application (program) for realizing each function on a general-purpose computer or server. Alternatively, it can be configured as a dedicated machine or a single-function machine in which a part of the application is implemented in hardware or ROM.

  The communication traffic measurement unit 101 captures packets transmitted and received on the line L, and logs various information including the session type (TCP, HTTP, UDP, etc.), occurrence timing, transmission source information, and destination information. Record in the management unit 102.

  The session classification unit 103 classifies each session into one of the SD groups based on the combination of the transmission source information (S) and the destination information (D). That is, sessions with the same transmission source information and destination information are classified into the same SD group, and different sessions are classified into different SD groups.

  In this embodiment, a transmission source IP address is adopted as transmission source information, and a destination IP address and a port number are adopted as destination information. The occurrence timing of each session is represented by the arrival time of the HTTP Request packet in the case of an HTTP session, and is represented by the arrival time of a Syn packet transmitted and received by a three handshake executed at the time of session establishment in the case of a TCP session. For UDP, it is represented by the arrival time of the packet observed for the first time in the session.

  The session aggregating unit 104 targets a plurality of SD groups related to the same service or application based on the analysis result of the traffic characteristic pattern (traffic pattern) of each session for SD groups having the same source information and different destination information. Consolidate groups into a single SD group.

  FIG. 3 is a diagram schematically illustrating a method in which the session aggregating unit 104 calculates the similarity of traffic patterns between SD groups with different destinations, and aggregates a plurality of SD groups with similar traffic patterns.

  Here, a series of traffic patterns P1 is observed in relation to the session that occurred at time t1 for SD group #i. Similarly, a series of traffic patterns P2 is observed in relation to the session that occurred at time t2 for SD group # i + 1 with only different destinations, and occurred at time t3 for SD group # i + 2 that also has different destinations. A series of traffic patterns P3 has been observed in connection with the session.

  The session aggregation unit 104 evaluates the similarity between the traffic patterns P1, P2, and P3. The similarity of traffic patterns can be evaluated by using classification results using learning / discrimination algorithms such as NaiveBayes and clustering as an index. Alternatively, as will be described later with reference to FIG. 6, the evaluation may be performed based on the calculation result of the cross-correlation of traffic characteristics.

  As a result, if the similarity can be evaluated to be sufficiently high, the three SD groups #i, # i + 1, # i + 2 are aggregated, and the arithmetic sum (logic) of the appearance time patterns of the traffic patterns P1, P2, P3 Sum) is obtained and the traffic pattern after aggregation is obtained.

  In the illustrated example, the appearance time pattern of the traffic pattern P1 is [1/0/0/0/0], and the appearance time patterns of the traffic patterns P2 and P3 on the same time axis are [0 / 0/1/0/0] and [0/0/0/0/1], so the appearance time pattern after aggregation is [1/0/1/0/1].

  The appearance time pattern [1/0/1/0/1] after aggregation is calculated as an autocorrelation by the session occurrence timing characteristic calculation unit 105 described later, and an SD group session whose autocorrelation exceeds a predetermined threshold is backed up. It will be identified by ground communication.

  In this embodiment, in order to evaluate the similarity of the traffic patterns of each SD group based on the cross-correlation of traffic characteristics, the session aggregation unit 104 includes a traffic characteristic analysis unit 104a, a characteristic number sequence generation unit 104b, and a correlation calculation unit. 104c.

  The traffic characteristic analysis unit 104a accumulates each traffic information for each predetermined time width (bin) for the SD groups stored in the log information management unit 102 and having the same transmission source information but different destination information. Calculate unit traffic characteristics.

  In this embodiment, as unit traffic characteristics, (1) download (DL) data transfer amount or number of packets, (2) upload (UL) data transfer amount or number of packets, (3) throughput characteristics, (4) various types Traffic delay characteristics (server side RTT delay, client side RTT delay, TCP connection delay, etc.), (5) arrival interval between packets can be adopted.

  Furthermore, (6) the ratio of DL transfer data amount to UL transfer data amount (DL / UL) and (7) the ratio of DL packet number to UL packet number (DL / UL) can also be adopted as unit traffic characteristics. That is, in the user-driven foreground communication, for example, when browsing the Web, DL such as content browsing is mainly used, so DL / UL >> 1. Also, even with user-initiated communications, DL / UL << 1 because SNS is mainly responsible for uploading images. On the other hand, in background communication, for example, a small amount of data is mainly transmitted and received, and DL / UL≈1. Therefore, these traffic characteristics can be a highly discriminating index.

  Furthermore, (8) Ratio of hold time (HoldTime) and response time (RespTime), (9) Time series fluctuation tendency of various traffic characteristics and its statistics (total sum of observed multiple or all bin values) Or average, variance, maximum value, minimum value, etc.) (10) The number of occurrences of a session may be adopted as the unit traffic characteristic.

  That is, in the user-driven foreground communication, for example, when browsing the Web, the DL time after connection is greater than the connection delay, so the ratio of the hold time to the response time (HoldTime / RespTime) is sufficiently greater than 1. growing. In web browsing, content of various types and sizes are subject to access and acquisition, so the time-series fluctuation of traffic characteristics increases, while background communication has a small amount of data transmission and reception and a push notification standby system. Since it is the main body, time series fluctuations are reduced. Therefore, these traffic characteristics can also be a highly discriminating index.

  FIG. 4 is a diagram for explaining a traffic characteristic analysis method by the traffic characteristic analysis unit 104a. Here, a connection that can be captured from a SYN packet of a TCP_3way handshake executed between a client and a server when a TCP connection is established will be described as an example.

  For the TCP connection, the difference between the arrival time (connection occurrence time) t1 of the SYN packet first transmitted from the terminal MH to the server and the arrival time t2 of the SYN + ACK packet returned from the server to the terminal MH (t2- The server side RTT (round trip) delay is calculated based on t1).

  The client-side RTT delay is calculated based on the difference (t3-t2) between the arrival time t2 of the SYN + ACK packet and the arrival time t3 of the ACK packet last transmitted from the terminal MH to the server. Further, the TCP connection delay is calculated based on the difference (t4-t1) between the arrival time t1 of the first SYN packet and the arrival time t4 of the data packet first transmitted from the terminal MH to the server after the 3-way handshake. . Such a delay characteristic is discretized for each bin, converted into a characteristic number sequence, and a correlation coefficient is obtained, so that it can be used as one of indices for foreground communication determination and background communication determination.

  Also, based on the difference (t5-t4) from the arrival time t4 of the first data transmitted from the terminal MH after the 3-way handshake to the arrival time t5 of the FIN or RST packet, and the amount of transmitted / received data captured within the difference time Thus, the throughput characteristic of the TCP connection is calculated.

  Such throughput characteristics can also be used as one of the indicators of foreground communication determination and background communication determination by discretizing and binarizing the characteristics for each bin of a predetermined width and obtaining the correlation coefficient.

  Also, the DL or UL transfer data amount, the number of packets or the ratio of DL and UL observed from the data arrival time t4 to the arrival time t5 of the FIN or RST packet is discretized for each bin of a predetermined width. By obtaining a characteristic number sequence and obtaining its correlation coefficient, it can be used as one of indices for foreground communication determination and background communication determination. Here, the amount of transfer data and the number of packets adopted as an index of traffic characteristics are not limited to the payload data as described above, and may be the total amount of transfer data or the total number of packets including various control packets.

  When packet capture is started from the middle of the connection, only possible analysis is selectively performed from the obtained arrival time. For example, if the capture is started from the SYN + ACK packet, only the client-side RTT delay is calculated based on the difference (t3-t2) from the arrival time t2 to the arrival time t3 of the ACK packet.

  Further, the throughput characteristics and TCP connection time required for the TCP connection depend not only on the client side delay but also on the server side delay, so these characteristics calculated when the server side delay is large are Cannot accurately represent the communication quality on the other side. Therefore, when the server-side RTT delay exceeds a predetermined threshold, or when the packet arrival interval such as data or ACK that can represent the server-side delay exceeds a predetermined threshold, TCP characteristics and TCP connection It is desirable to exclude the time required from quality analysis.

  FIG. 5 is a sequence flow for explaining a method for measuring quality characteristics for an HTTP session. An HTTP request (# 1) packet arrival time t1 and an HTTP response (# 1) The time difference (t2−t1) from the packet arrival time t2 is the HTTP response delay (RespTime). Further, the time difference (t3−t1) between the arrival time t1 of the first HTTP request (# 1) packet and the arrival time t3 of the last HTTP response (# 1) packet is set as the HTTP hold time (HoldTime). Such a ratio between RespTime and HoldTime can also be used as one of the indicators for foreground communication determination and background communication determination by discretizing each bin to form a characteristic number sequence and obtaining a correlation coefficient thereof.

  Also, the time difference (t2-t1) between the arrival time t2 of the first HTTP response (# 1) packet and the arrival time t3 of the last HTTP response (# 1) packet is taken as the HTTP response hold time and downloaded during that time The total data amount is the HTTP communication data amount. Furthermore, the time difference (t5-t4) between the arrival time t4 of the first HTTP request (# 2) packet and the arrival time t5 of the last HTTP request (# 2) packet is the HTTP request hold time, and the amount of data between them is The amount of HTTP request data. Such HTTP communication data amount and HTTP request data amount can also be used as one of the indicators of foreground communication determination and background communication determination by discretizing each bin to form a characteristic number sequence and obtaining the correlation coefficient thereof.

  Returning to FIG. 2, the characteristic number sequence generation unit 104 b generates, for each SD group, a specific number sequence having the unit traffic characteristics obtained for each bin as time-series elements. The correlation calculation unit 104c determines whether to aggregate the SD groups into one SD group based on the cross-correlation of traffic characteristics between SD groups having the same transmission source information but different destination information.

  FIG. 6 is a flowchart showing a method of evaluating the similarity of traffic patterns of each SD group based on the cross-correlation of traffic characteristics, and is repeated for all SD group pairs having the same source information but different destination information. It is.

  In step S101, the traffic characteristics of two SD groups SD1 and SD2 having different destination information are discretized (BINed) at a predetermined period τ, and the traffic characteristics observed in each period are sequenced in time series. . In step S102, τ seconds are set as the lag value j for calculating the cross-correlation.

  In step S103, the cross-correlation coefficient CC (j) corresponding to the current lag value j is calculated based on the following equation (1). In the present embodiment, the cross-correlation coefficient is obtained by calculating the sum of products by shifting two number sequences by τ.

  In step S104, the calculation result of the current cross-correlation coefficient CC (j) is calculated from the autocorrelation coefficients AC1 (0), AC2 (when the lag value j = 0, as shown in the following equation (2). The cross-correlation coefficient CC (j) is normalized by dividing by the square root of the product of (0).

  In step S105, it is determined whether or not the lag value j has reached a predetermined upper limit value jmax. If j ≧ jmax, the process proceeds to step S106 to extend the lag value j by the period τ seconds, and then returns to step S103 to calculate and normalize the cross-correlation coefficient CC (j) corresponding to the updated lag value j Is repeated.

  Such calculation of the cross-correlation coefficient CC (j) is repeated while switching the calculation target to another SD group when there are other SD groups having the same source information and different destination information.

  In the present embodiment, SD groups whose traffic characteristics cross-correlation exceed a predetermined threshold are determined to have similar traffic patterns, and these SD groups are aggregated into one SD group.

  Returning to FIG. 2, the session occurrence timing characteristic calculation unit 105 calculates a characteristic relating to the occurrence timing of the session for each of the classified or aggregated SD groups, as will be described in detail later. The communication identification unit 106 identifies the session of the SD group as foreground communication or background communication based on the occurrence timing characteristic of the session.

[First embodiment]
FIG. 7 is a diagram showing a configuration of a main part of the capture device according to the first embodiment of the present invention, and the same reference numerals as those described above represent the same or equivalent parts, and thus description thereof is omitted. The present embodiment is characterized in that the session occurrence timing characteristic calculation unit 105 employs an autocorrelation calculation unit 105A that calculates an autocorrelation related to the occurrence timing of each session classified or aggregated into the same group for each SD group. There is.

  FIG. 8 is a flowchart showing a calculation procedure of the intra-SD group autocorrelation performed by the autocorrelation calculation unit 105A, and is repeated for all SD groups.

  In step S201, the occurrence timing of each session classified in the SD group (SD1) to be identified this time is discretized (binized) at a predetermined period τ seconds, and the number of sessions generated within each period τ is calculated. It is converted into a number sequence in time series.

  In step S202, the same τ seconds as the cycle are set as the lag value (delay time) j for calculating the autocorrelation. In step S203, the autocorrelation coefficient AC (j) corresponding to the current lag value j is calculated based on the following equation (3). In the present embodiment, the autocorrelation coefficient AC (j) is obtained by calculating the sum of products by shifting the same number sequence by j. Note that i is an element identifier of the sequence, SD (i) is the value of the i-th element of the sequence, and N is the sequence length.

  In step S204, the current autocorrelation coefficient AC (j) calculation result is divided by the autocorrelation coefficient AC (0) when the lag value j = 0, as shown in the following equation (4). Thus, the autocorrelation coefficient AC (j) is normalized.

  In step S205, it is determined whether or not the lag value j has reached a predetermined upper limit value jmax. If j ≧ jmax, the process proceeds to step S206 to extend the lag value j by the period τ seconds and then return to step S203 to calculate and normalize the autocorrelation coefficient AC (j) corresponding to the updated lag value j Is repeated.

  According to the present embodiment, even in sessions with different destination information, sessions having the same source information and similar or high correlation in session traffic characteristics are the same as sessions related to the same service or application. And can be used as a communication type determination target based on session occurrence timing characteristics.

  Therefore, even if a session is related to a service or application in which content is distributed and distributed on multiple servers, or the content distribution source is dynamically changed and optimized according to the location of the user terminal, By analyzing the autocorrelation, it becomes possible to accurately identify the user-derived / led foreground communication and the background communication.

  Further, according to the present embodiment, foreground communication and background communication can be identified by passive packet capture at low cost and with only a small number of measurement points.

[Second Embodiment]
FIG. 9 is a functional block diagram showing the configuration of the main part of the capture device 1 according to the second embodiment of the present invention. The same reference numerals as those described above represent the same or equivalent parts, and the description thereof is omitted. To do. The present embodiment is characterized in that the session occurrence timing characteristic calculation unit 105 includes an occurrence timing vector generation unit 105B and a periodicity evaluation unit 105C.

  The occurrence timing vector generation unit 105B includes a bit sequence generation unit 105B1, and represents the occurrence timing of each session for each SD group as a bin position having a predetermined time width, and generates an occurrence timing vector having this as an element. To do.

  FIG. 10 is a diagram for explaining the function of the bit sequence generator 105B1, where the bin width on the time axis for monitoring whether or not a session has occurred is Δt, the monitoring period is n × Δt, When the occurrence of a session is detected in each of the first, second, fifth, eighth, ninth, eleventh, twelfth, and fourteenth bins, as shown in the following equation (5), the bin where the occurrence of a session is detected is “1”. In the bin where the occurrence of the session is not detected, a bit number sequence T in which “0” is set is generated, and the length thereof is n.

  The occurrence timing vector generation unit 105B expresses each bin in which a bit is set in the bit number sequence T as a distance (bin number) from the start bin regarded as the start point of the cycle, and uses this as a time-series element. A vector OCV (occurrence vector) is generated. If the starting bin is the first bin, the occurrence timing vector OCV (occurrence vector) of the following equation (6) is generated from the bit sequence T of the above equation (5), and its length m is “8”. Become.

  In the periodicity evaluation unit 105C, the difference calculation unit 105C1 calculates a difference for each combination of elements of the occurrence timing vector OCV.

  FIG. 11 is a diagram for explaining the function of the difference calculation unit 10C1. In this embodiment, each element i of the occurrence timing vector OCV is arranged in time series in the matrix (x, y) direction, and the matrix The matrix table is derived by registering the difference of each element in the intersection column.

  At this time, since the difference between the same elements does not need to be calculated, combinations on the diagonal line in the matrix table are excluded from the calculation target. Moreover, if the difference between the xth vector element and the yth vector element is obtained, the difference between the yth vector element and the xth vector element is not required to be calculated, so all the combinations below the diagonal are also calculated. Excluded from the target.

  Furthermore, if the monitoring period is n times bin, that is, the bit length of the bit sequence T is n, the occurrence timing period exceeding n / 2, which is half of that, cannot be determined. Is done. In the present embodiment, it is possible to reduce the amount of calculation by executing each of the above-described gradual processing in advance and reducing the difference calculation targets.

  Returning to FIG. 9, the element set table generation unit 105C2 generates a table of element sets of combinations with the same difference.

  FIG. 12 is a diagram for explaining the function of the element set table generation unit 10C2. In this embodiment, a combination of element sets having the same difference is constructed in advance. For example, referring to the matrix table of FIG. 11 for the difference “2”, the interval between the 9th bit and the 11th bit and the interval between the 12th bit and the 14th bit are both “2”. The element set is {9, 11, 12, 14}.

  Similarly, referring to the matrix table for the difference “3”, the interval between the second bit and the fifth bit, the interval between the fifth bit and the eighth bit, the interval between the ninth bit and the twelfth bit, and the eleventh bit And the 14th bit are both “3”, the element set of the difference “3” is {2, 5, 8, 9, 11, 12, 14}. Similarly, for the differences “4”, “5”, “6”, and “7”, an element set is constructed with reference to the matrix table, and the element set table as shown in FIG. 12 is completed.

  Based on the element set obtained for each difference, the reliability calculation unit 105C3 calculates the reliability when the difference is regarded as a session occurrence cycle. The communication identifying unit 106 identifies each session as either foreground communication or background communication based on the reliability of the occurrence timing.

  FIG. 13 is a flowchart showing a reliability calculation procedure performed by the reliability calculation unit 105C3. In this embodiment, a session is generated while switching a start bin for a vector element sequence obtained for each difference Δd. The reliability is calculated based on the ratio detected for each difference Δd.

  In step S301, an element set having the maximum number of elements is selected. In this embodiment, since the number of elements of the element set {2, 5, 8, 9, 11, 12, 14} extracted with the difference Δd as “3” is “7”, this element set is selected. Is done. In step S302, an initial value “1” is set in the start bin regarded as the starting point of the session occurrence cycle.

  In step S303, for the selected element set {2, 5, 8, 9, 11, 12, 14}, an expected element string is obtained by sequentially adding the difference Δd to the element of the current start bin. Here, since the start bin is “1”, the difference “3” is sequentially added to the first element “2” in time series to obtain the expected element sequence {2, 5, 8, 11, 14}.

  In step S304, the selected element set {2, 5, 8, 9, 11, 12, 14} is compared with the expected element sequence {2, 5, 8, 11, 14}, and the expected element sequence is determined. A matching number sequence OCV ′ indicating whether each element matches each element of the element set is obtained. Here, all the elements in the expected element sequence {2, 5, 8, 11, 14} match with any element in the element set {2, 5, 8, 9, 11, 12, 14}. [11111] is obtained as the sequence OCV ′. In step S5, the reliability c in the start bin “1” of the difference “3” is calculated based on the following equation (7).

Here, _{ΠΔd, l} (OCV ′) is the length (bit length) of the coincidence sequence OCV ′, which is “5” in the above example. Further, z is the total number of bins whose occurrence timing is to be detected but not actually detected, that is, the number of “0” s in the coincidence sequence OCV ′. Therefore, the value of the term including z in the above equation (7) is the number when the sequence OCV ′ includes “0”, and is 0 when it does not include “0”. As described above, if the coincidence sequence OCV ′ is [11111], since “0” is not included, the value of the term including z in the above equation (7) is 0. Therefore, the reliability c at the start bin “1” of the period “3” is (5-1-0) / (5-1), which is 100%.

  Note that the case where the start bin is set to “1” for the element set {9, 11, 12, 14} having the difference “2” in FIG. 12 will be described as an example. The difference “2” is sequentially added to the element “9” to obtain the expected element sequence {9, 11, 13, 15}.

  In step S304, the selected element set {9, 11, 12, 14} is compared with the expected element sequence {9, 11, 13, 15}. Here, the elements “9” and “11” match. , “12” and “14” do not match, so [1100] is obtained as the coincidence sequence OCV ′, and z becomes “2”. In step S305, by applying these to the above equation (7), the reliability c of the period “2” in the start bin “1” becomes (4-1-2) / (4-1) and becomes 33 %.

  As described above, in this embodiment, when evaluating an extremely sparse data string, such as the occurrence timing of a session periodically established in the background of communication, a large number of “0” s are set corresponding to the sparse section. Since the reliability calculation is performed on the occurrence timing vectors OCV and OCV 'generated from this bit sequence T instead of the consecutive bit sequence T, the sequence length after projection can be shortened, greatly increasing the amount of calculation. Can be reduced to

That is, if the length of the bit sequence T to be analyzed is `` n '', the autocorrelation and cross-correlation are calculated for this bit sequence T, so the amount of calculation is O (n ² ) Even if the speed is increased by FFT or the like, O (n log n) is obtained.

  On the other hand, in the present embodiment, in calculating the OCV, since all the n elements are once searched for the bit number sequence T of length n, the amount of calculation is O (n). Here, in the vector calculated based on the time of occurrence of the session with communication traffic as the object of analysis, the number of elements m decreases because the time of occurrence is less than the size and length n of the entire communication traffic data. And n >> m.

All calculations dealing with OCV are calculations / processing for the number of elements m, and the calculation amount is O (m ² ) or O (m). Here, since n >> m, O (m ² ) and O (m) are extremely smaller than O (n ² ) and O (n log n). Therefore, according to the present embodiment, the amount of calculation is O (m) particularly when the bit sequence T is sparse, and the amount of calculation can be significantly reduced as compared with the case of other methods.

  Returning to FIG. 13, in step S306, the start bin is incremented. In step S307, it is determined whether or not the start bin has exceeded a predetermined upper limit position. If the start bin has not reached the upper limit position, the process returns to step S303, and each of the processes described above regarding the updated start bin (here, “2”). Is repeated.

  On the other hand, when it is determined that the start bin has reached the upper limit value, the process proceeds to step S308, and the highest value among the reliability obtained for each start bin is adopted as the reliability.

  As in the present embodiment, when the start bin is the initial value “1”, if the reliability is 100%, the subsequent calculation is not necessary, so that the reliability is set to 100% at that time and the processing is performed. May be terminated.

  If the reliability exceeding the predetermined threshold is not obtained even if the reliability calculation is repeated while changing the start bin, the process returns to step S1, the element set with the next largest number of elements is selected, and the above processing is performed. It may be repeated.

  The communication identifying unit 106 identifies a session of each SD group as either background communication or foreground communication based on the calculated reliability. In the present embodiment, for example, a threshold of about 80% is set for the reliability, and if there is a period in which the reliability exceeds the threshold, the attention session of the SD group is identified as background communication, otherwise Identify foreground communication. Alternatively, a large number of reliability obtained for each SD group may be used as a parameter, and the 90% ile value may be used as a threshold value, or likelihood determination may be employed.

  In the second embodiment described above, each bin width is strictly fixed and “1” is set only for bins whose occurrence timing is detected within the bin width. However, the present invention is not limited to this. For each bin whose occurrence timing is detected within the bin width including the additional period, the additional period is set with a predetermined width in the front-rear direction while maintaining the bin width. “1” may be set.

  In this way, even if delays and jitters occur in the network, the occurrence timing of the session shifts, and the calculated sequence, its period, and reliability become low, it is stable regardless of such disturbances. The period can be determined, and as a result, foreground communication and background communication can be accurately identified.

  According to the present embodiment, even in sessions with different destination information, sessions having the same source information and similar or high correlation in session traffic characteristics are the same as sessions related to the same service or application. And can be used as a communication type determination target based on session occurrence timing characteristics.

  Therefore, even if a session is related to a service or application in which content is distributed and distributed on multiple servers, or the content distribution source is dynamically changed and optimized according to the location of the user terminal, By analyzing the periodicity, it becomes possible to distinguish between foreground communication and background communication.

  In addition, according to the present embodiment, when evaluating a very sparse data string, such as the occurrence timing of a session related to background communication, a bit including a number of “0” s corresponding to a sparse section continuously. Since the reliability calculation is performed on the occurrence timing vector OCV generated from the bit sequence T instead of the sequence T, the sequence length after projection can be shortened, and the calculation amount can be greatly reduced.

  Further, according to the present embodiment, foreground communication and background communication can be identified by passive packet capture at low cost and with only a small number of measurement points.

  DESCRIPTION OF SYMBOLS 101 ... Communication traffic measurement part, 102 ... Log information management part, 103 ... Session classification part, 104 ... Session aggregation part, 104a ... Traffic characteristic analysis part, 104b ... Characteristic sequence generation part, 104c ... Correlation calculation part, 105 ... Session occurrence Timing characteristic calculation unit, 105A ... autocorrelation calculation unit, 105B ... occurrence timing vector generation unit, 105C ... periodicity evaluation unit, 106 ... communication identification unit

Claims (9)

In a communication identification device that identifies a session established between a communication terminal and a communication partner as either foreground communication or background communication,
Session classification means for classifying each session into an SD group specific to the combination of source information and destination information,
Session aggregation means for aggregating a plurality of SD groups having the same transmission source information and different destination information based on the similarity of the traffic characteristics of each session;
A means to calculate the occurrence timing characteristics of sessions for each SD group;
Communication identification means for identifying the session of each SD group based on the occurrence timing characteristics of the session , and
The session aggregation means includes means for calculating cross-correlation of traffic characteristics between SD groups having the same source information but different destination information, and SD groups whose cross-correlation exceeds a predetermined threshold are combined into one SD group. Aggregate,
The session aggregation means includes characteristic sequence generation means for generating a traffic characteristic sequence by discretizing time series fluctuations of traffic characteristics for each bin of unit time width, and the means for calculating the cross-correlation includes the traffic characteristic sequence The cross-correlation of
A communication identification device. The characteristic number sequence generation means includes download transfer data amount, upload transfer data amount, ratio of download and upload transfer data amount, download packet number, upload packet number, download and upload packet number ratio, It is characterized by calculating at least one of throughput characteristics, traffic delay characteristics, ratio between hold time and response time, traffic characteristics time-series fluctuation tendency, and the number of session occurrences for each bin as a time-series element of the characteristic sequence. The communication identification device according to claim 1 . The means for calculating the occurrence timing characteristic calculates an autocorrelation related to the occurrence timing of each session for each SD group,
The communication identification device according to claim 1, wherein the communication identification unit identifies an SD group session whose autocorrelation exceeds a predetermined threshold as background communication. The means for calculating the occurrence timing characteristic is:
Representing the occurrence timing of each session for each SD group by a bin position having a predetermined time width, and a means for generating an occurrence timing vector having the bin position as an element,
Means for calculating a difference for each combination of different elements of the occurrence timing vector;
Means for calculating the reliability that the difference is the occurrence cycle of the session for each element set of the combination in which the difference is the same,
The communication identification apparatus according to claim 1, wherein the communication identification unit identifies a session based on a reliability of each occurrence period. The means for generating the occurrence timing vector comprises means for generating a bit sequence indicating whether or not it is the occurrence timing of a session for each bin,
5. The communication identification apparatus according to claim 4 , wherein a time series of the number of bins from the start bin of the bit number sequence to each occurrence timing bin is used as an element of the occurrence timing vector. The means for calculating the reliability calculates the reliability based on the number of bins in which the occurrence timing of the session is detected with respect to the number of bins in which the occurrence timing of the session is expected to be detected within a predetermined monitoring period. 6. The communication identification device according to claim 4 or 5 , wherein: 7. The reliability calculation unit according to claim 4, wherein the reliability calculation unit does not set a combination element set whose difference is approximately half or more of a sampling period of occurrence timing as a reliability calculation target. Communication identification device. The means for generating the occurrence timing vector sets an additional period with a predetermined width in the front-rear direction of each bin, and generates the occurrence timing vector based on the occurrence timing detected within the bin width including the additional period. The communication identification device according to claim 4, wherein In a communication identification method in which a computer identifies a session established between a communication terminal and a communication partner as either foreground communication or background communication,
A procedure for classifying each session into an SD group specific to the combination of source and destination information;
Aggregating multiple SD groups with the same source information and different destination information based on the similarity of the traffic characteristics of each session;
Procedure to calculate the occurrence timing characteristics of the session for each SD group,
Identifying a session for each SD group based on the occurrence timing characteristics of the session ;
A means for calculating a cross-correlation of traffic characteristics between SD groups having the same source information and different destination information, and aggregating SD groups whose cross-correlation exceeds a predetermined threshold into one SD group;
A procedure for discretizing the time series variation of traffic characteristics for each bin of unit time width to generate a traffic characteristic sequence, and calculating a cross correlation of the traffic characteristic sequence by means of calculating the cross correlation;
A communication identification method comprising: