RU2697648C2 - Traffic classification system - Google Patents

Abstract

FIELD: computer equipment.

SUBSTANCE: method of classifying traffic, according to which a natural language message is received, determining a message scheme, dividing the message into meaningful syntactic and semantic fields, providing a plurality of nodes for analysing significant message fields, to which text analysis rules are applied depending on the application message protocol, wherein to classify a message by certain categories, an informal row-string of the informal search language and substring processing in a row is determined, and a probabilistic coefficient of relating the message to a specific category, converting an informal string pattern into a regular expression of a standard search language and processing a substring in a row, converting standard language regular expression to text analysis rules configuration module containing data and string processing methods, dynamically creating a plurality of program modules for configuring analysis rules and distributing them over a plurality of nodes for analysing significant message fields, applying analysis rule configuration to significant message fields, sending a message to the input of the neural network.

EFFECT: technical result consists in improvement of flexibility and reliability of messages classification.

8 cl, 7 dwg

Description

The present invention relates to the field of data processing, in particular to systems for syntactic processing of a text data stream used in telecommunications, and is intended for processing messages transmitted both between subscribers and between subscribers and information systems and can be used in a2p, p2a, p2p, A2a services.

In data processing tasks, the question almost always arises of sequentially updating results as new data arrives on the fly. The well-known growth in traffic is A2p, P2a, P2p, A2a services. Banks, social networks, mobile operators generate a large volume of messages to inform their customers, including automatically. SMS and USSD technologies standardized within the framework of the SMPP protocol are still in demand within the framework of these services. In this regard, the task of classifying traffic arises. The task of classifying traffic according to the type of protocol or application — the type of traffic SMPP for SMS and USSD, SMTP for mail, etc., has been solved using the well-known technology for analyzing network packets using the current technology. The task of recognizing the type of traffic by the semantics of messages (advertising, transactional, service, international, fraudulent traffic, etc.) for making business decisions is a difficult technical task. Two main methods of text classification can be distinguished from the prior art: semantic analysis of text based on regular expressions and text classification by heuristic methods based on machine learning methods. Each method has its advantages and disadvantages. The specificity of a2p, p2p, p2a, a2a traffic in the general case is that a large array of text data is a lot of short messages. In terms of machine recognition, this is difficult because in a small text there are much fewer useful features, and the influence of word order is great in comparison with the classification of large blocks of text. This is compounded by the fact that this traffic is highly susceptible to changes both in the syntactic and in the semantic part, and for a traffic recognition device these changes occur continuously (online).

The technology of semantic analysis is known from the prior art, mainly represented by software and hardware systems based on client-server architecture. IBM LanguageWare platform, which is a set of Java, C ++ libraries, provides developers with a set of tools for processing natural language (Natural Language Processing, NLP). IBM AlchemyAPI - a cloud service that provides NLP technology for SaaS models through its APIs; there is a set of development tools (SDK) supported by IBM. Both of these tools provide embedded API clients; direct text processing is performed on the remote servers of the development company. PalitrumLab EUREKA ENGINE is a domestic representative of linguistic analysis platforms, it is provided both via an external API and as an embedded system for business applications. These systems have their advantages and disadvantages, so LanguageWare and AlchemyAPI are more adapted for processing large amounts of text and show less efficiency when processing a stream of heterogeneous messages. PalitrumLab, coping well with the probabilistic processing of a text data stream, does not support their clear classification. There are other technologies that are generally the same in appearance and architecture.

A significant drawback that combines the above and other known solutions, from the point of view of the authors, is the inability to use user settings on an already running system. Analysis settings are prescribed by developers in the code when integrating clients or stand-alone systems into business applications and are applied to data after compilation. Those. configuration of well-known systems is available only to specialists who develop client software for integration into business applications. Users serving business applications cannot configure analysis rules. The increase in the number of heterogeneous nodes in the network is well-known, data exchange is growing, requiring heterogeneous analysis. The prior art does not allow formalization, i.e. put on the logic of the algorithm, all current and future applied problems of semantic analysis. At the same time, engineers and users of business applications need a universal tool that allows, without laborious changes in the algorithm, to quickly change and apply the rules for processing text and other data with a significant change in the text data scheme (message syntax and semantics). For the same reason, the growth of heterogeneous nodes in a network is important for the performance of equipment and its control algorithms.

The authors offer a universal solution for classifying traffic into categories, i.e. semantic type of traffic - advertising, transactional, service, international, fraudulent, etc. The solution combines accurate analysis of the text by semantic attributes and probabilistic classification of the text based on machine learning. The algorithm of the classification method and the architecture of the system that implements it provides the system administrators with real-time adjustment of the classification categories of the message, the rules for its analysis and the adjustment of the separability (separability of classification results) of the neural network. Moreover, the proposed settings are provided to a wide range of users and do not require in-depth training in issues of semantic analysis and / or machine learning. Additionally, the method integrates into heterogeneous software and hardware platforms (network nodes), and scales its performance in accordance with the online streaming load.

Known patent No. US 8494987 from 07.23.13, representing a system and methods for generating hypotheses, in which a local or distributed system interacts with a database and contains a module for generating hypotheses, a module for storing concepts on the basis of which hypotheses are generated, as well as user input modules and output results. A method for generating hypotheses is to pre-calculate hypotheses based on predefined concepts (the topic of knowledge) and database data, and after receiving user input, the system generates at least one hypothesis based on jointly occurring concepts (topic of knowledge) related to entities extracted from user input (sentences, statements).

The method requires user input of the knowledge base or an indication of the database by belonging to the analyzed entities or instructions for processing text, which excludes its use in the mode of constantly arriving large volumes of online data.

The disadvantage of the software and hardware architecture is the “vertical”, non-scalable modularity of the software architecture, in which the modules are rigidly configured for sequential execution of the functions of analysis — loading data from the database, preliminary calculation, receiving user data, computing, output.

Patent No. PCT7US 2007/063983 dated March 14, 2007 describes a software product, system and method for generating hypotheses from a database, according to which various semantic relationships between concepts and concepts and / or concepts and concepts are constructed according to certain rules of relations and based on parsing multiple documents in a predefined repository. Phrases are assigned according to one of the many concepts, or the identifier of the relationship connecting one concept with the second, or the assignment of one concept of a semantic category or the arrangement of concepts in a hierarchical relationship.

The disadvantages of this solution is its inapplicability in the processing of constantly incoming streaming data and the inability to scale the load.

PCT Application No. WO 2013/135474 of 02.22.2013 claims a method of semantic analysis of the text, which consists in constructing a matrix of vectors of word occurrences in a training set of documents, for example Wikipedia articles, training 1 neural network (self-organizing Kohonen map) with this selection of documents and vectors , matching documents containing the target word and the set of map coordinates (area) of occurrences of these documents, determining the semantic context of the word and maintaining the correspondence to the dictionary, template map. Learning a second neural network using documents of the same language, consisting of constructing a sequence of sentences from documents of a training sample, calculating the document's complexity factor (word frequency in a document, etc.) and sorting words in a sequence. And training the network with sample documents with an increase in the coefficient of semantic complexity, comparing the map and words of the second sample, training the second (usually hierarchical) neural network with template cards.

The solution is based only on heuristic analysis methods, does not imply a clear classification of the text, is not adapted to the operational configuration of the analysis rules, and is not applicable to the analysis of streaming data.

Patent RU 2615632 dated 03/20/2015, which proposes a method for recognizing communication messages in terms of determining the name of the sender and assuming the presence of special characters in the message highlighting the name of the sender or a request to the server with a predefined database of subscriber names and determining the name of the sender by comparing the contents of the specified identifier and username in the database. Moreover, the semantic analysis according to the invention can be implemented in hardware by finalizing the mobile terminal with text processing and communication modules with the database server.

In this solution, the obvious shortcomings are the predefinition of a set of semantic features of the sender, the forced maintenance of a database with user names, the solution provides for the hardware refinement of the user's end device by the recognition device. The lack of fuzzy logic algorithms (machine learning), the inability to configure rules is also noted as a drawback.

The closest in technical essence and adopted for the prototype is the patent RU 2429533 dated 06/29/2009, which describes a dynamic parsing / layout mechanism based on schemes for parsing multi-format messages, which receives messages in various formats, converts it into a common format, determination of the grammatical structure of the message format data and, on its basis, indications of a suitable handler. Moreover, the handlers are executed by modules with a separate compilation and can be added to the architecture as new message formats appear. By loading individual processing modules, a gain is achieved in the performance of the analysis system as a whole. Additional performance gains are achieved by indexing the internal message format. Message routing to the processors, processing rules and new specifications are loaded dynamically into the database when registering a new service, due to this, the universality of the solution is achieved.

This solution is applicable for processing data arriving in an online stream, but the obvious drawback is the process of lexical and parsing of messages only according to the rules for analyzing the description of the syntax of formal languages (parsing). It seems that this is not enough for sematic analysis, comprehension of text messages in a natural language for making business decisions. Although American authors indicated that the handlers are loaded dynamically into the database, and the new handlers do not affect the operation of the system as a whole, this does not save the decision makers from the need to develop, compile and test each new handler for loading.

The authors note an interesting solution for indexing the message format resulting from the architecture of such a system, nevertheless note the disadvantages of the prototype:

1. The inability to manually "hot" customize the analysis rules online without the need to develop, test and connect a new semantic analysis processor module for a new grammar in advance.

2. The lack of a probabilistic assessment of the message.

3. Poor hardware scalability - lack of a solution to automatically tune system performance when the load increases - a significant increase in incoming messages.

The technical task of the proposed traffic classification system according to the method of classifying a2p, p2a, p2p, a2a traffic by a predefined semantic traffic categories is:

1. increasing the flexibility of classifying messages through manual user-defined intuitive informal string templates that are used to analyze the text and determine the probabilistic coefficients for classifying a message into a certain category;

2. improving the reliability of message classification by combining clear logic algorithms based on the use of regular expressions, heuristic algorithms for neural networks and additional flexible configuration of these algorithms in accordance with user-defined definitions of string patterns and probability coefficients;

3. Improving the performance of message analysis due to the dynamic generation (playback) and distribution of the configuration of the analysis rules across the set of nodes analyzing the message.

The introduction of the above user settings into the process of analytical text processing takes it to a new universal level, at which the processing process is not only subject to ordinary administrators (users) of the system, who are not experts in the field of semantic analysis, languages and dialects of regular expressions, but also unlimited by existing and future analysis applications due to changes in the message scheme. Moreover, their combined application to the analyzed messages provides a significant increase in the reliability of the analysis. The interaction of user settings on the classification result is predetermined by the sequence of the method, which involves first applying informal line patterns to the message text with clear logic algorithms, and the subsequent application of probability coefficients to the results of heuristic algorithms of the neural network. In this case, the method provides for no dependence on the definition of user settings.

The technical result of the traffic classification method is achieved due to the traffic classification system, according to which a natural language message is received, a message scheme is determined, the message is divided into significant syntactic (semantic) fields, and many nodes are provided for the analysis of significant message fields to which text analysis rules are applied depending on the application protocol of the message, moreover, to classify messages into certain categories, an informal template-string is determined informally of the language of searching and processing substrings in a string and the probabilistic coefficient of assigning a message to a certain category, transform an informal template string into a regular expression of a standard language for searching and processing substrings in a string, convert a regular expression of a standard language into a text module for analyzing text analysis rules containing data and methods line processing, dynamically create many software modules for configuration of analysis rules and distribute them across many nodes for analysis of significant fields messages, apply the configuration of the analysis rules to the meaningful fields of the message, send a message to the input of the neural network, and the result of the classification of the message by the neural network is adjusted in accordance with a certain probabilistic coefficient of assigning the message to a certain category. The definition of an informal template-string of an informal language for searching and processing a substring in a string and the probabilistic coefficient of assigning a message to a certain category is carried out during message processing. Many software modules for the configuration of analysis rules are generated and distributed across many nodes for the analysis of significant message fields in proportion to the network load due to the number of messages analyzed. And the classification result of a neural network is adjusted in accordance with a certain probabilistic coefficient of classifying a message to a certain category, transforming a threshold value for classifying a neural network, or setting a confidence boundary for output elements of a neural network.

The technical task of the device classification system A2P, P2A, P2P, A2A traffic to implement the method of traffic classification is:

1. improvement of operational properties due to the inclusion in the architecture of the traffic classification system of module 4 of the user interface, made with the possibility of manual user definition of semantic categories of message classification, informal string templates applied to the analysis of the message to determine its category and probabilistic coefficients of assigning a message to a specific one categories;

2. improving the reliability of classification by including regex module 2 in the system architecture, the memory of which contains and the processor of which runs the informal regular expression algorithm irregex (irregular expressions) and the algorithm of one or more formal regex language (regular expressions). Moreover, the irregex algorithm allows you to get informal custom string patterns and convert them into regular expressions of the standard regex languages, and the neural network module 3 neural net is configured to algorithmically convert user probability coefficients to transform a threshold value of a neural network and / or establish a confidence boundary for the values of its output elements;

3. improvement of operational properties, due to the possibility of using a variety of semantic analysis tools, which is achieved by “encapsulating” the software architecture, only the user interface module 4 is provided to the system user, and polymorphic work (integration with a wide range of standard regex libraries and neuroimitators) is achieved by defining the set of programming APIs of the irregex language matching interfaces with various regex libraries and finalizing the results of non-software programs yroimitators due to software setting the confidence limits in accordance with a user-defined probability coefficient for assigning a message to a certain category;

4. improving the classification performance due to the inclusion in the architecture of the system of module 7 of a configuration broker configured to dynamically reproduce - generate a lot of software modules for configuration of analysis rules and distribute them across many nodes to apply the analysis rules to the text being analyzed.

The technical problem is solved by a traffic classification system for implementing a traffic classification method including a coordinating module, an analysis rule determination module, a machine learning module, at least one module for applying the analysis rules to significant message fields, and additionally including a system administrator (user) interface that is implemented with the ability to determine message classification categories, informal string patterns applied to message analysis, probability coefficients in classifying messages to a specific category, it additionally includes an analysis rule compiler module configured to create a program analysis analysis module configuration module consisting of a regular expression language module and a machine learning module, the regular expression language module containing and executing algorithms for the informal regular expression language and at least one formal regular expression language and is configured to obtain an informal string pattern and transform it into a regular expression of the formal language of regular expressions, and the neural network module is configured to obtain a probabilistic coefficient for assigning a message to a certain category and to adjust the result of the operation of the neural network based on it, and the coordinating module is configured to receive a software module for configuration of analysis rules and the creation of many software configuration modules analysis rules and distributing them across many modules for applying analysis rules to meaningful message fields. At the same time, the machine learning module contains in memory and implements an algorithm for transforming the threshold value of the neural network and setting the confidence level of the output elements of the neural network in accordance with the obtained probability coefficient for assigning a message to a certain category.

The invention is illustrated by drawings:

In FIG. 1 shows a functional diagram of a traffic classification system.

In FIG. 2 shows the general scheme of a2p service.

In FIG. Figure 2a shows a generalized sequence of SMPP TCP / IP calls for classifying traffic within an A2p service.

In FIG. Figure 2b shows a generalized sequence of SMPP TCP / IP calls for classifying traffic within a P2A service.

In FIG. Figure 3a shows a generalized algorithm of the serial-parallel mode of operation of the traffic classification system.

In FIG. 3b, a generalized algorithm for the parallel operation of a traffic classification system is presented.

In FIG. Figure 4 shows a generalized process of converting data by a traffic classification system.

Functional diagram of a device that implements the proposed method of network semantic analysis is presented in FIG. 1. Module 1 of the analysis rule compiler includes module 2 regex and module 3 neural net. The main function of module 1 is to assemble the analysis rules into a software module of the final configuration of the analysis rules and transfer it to module 7 of the configuration broker for further playback of a given number of software modules and transfer them to analytical nodes 8 for application to the message.

The memory of module 2 regex stores data and machine instructions with instructions to the processors of the compiled informal regular expression language - irregex and dynamic and / or static translation units containing commands and data of at least one standard regular expression language known from the prior art - regex. As regex languages, memory can contain several standard languages - these can be well-known regex libraries of Perl, Java, C ++ and other known from the prior art. Data coordination between the irrigex and regex languages is achieved by redefining the irregex programming interfaces (polymorphism) and the programming logic for converting the generated irregex structures to regex structures. The programming logic for converting irrigex structures to regex structures is included in the functionality of the informal language irrigex developed by the applicant and his know-how. A generalized method for converting irrigex structures to regex structures is to coordinate the data interfaces API and the irrigex language processing methods and the regex languages available in the memory while maintaining the semantics of the irrigex informal string template. The choice of a specific regex language can be carried out by the system administrator in module 5 of the regex settings.

The memory of module 3 of the neural net contains the data of the neural network structure (neural network). There are a large number of software products (neuro-simulator programs) that provide tools for designing neural network structures for analyzing Keras, SyntaxNet, Microsoft Cognitive Toolkit (CNTK) text platforms, and others known in the art. A neural network can be designed independently in well-known programming languages, this option is preferred and is used by the applicant since provides the ability to programmatically convert (transform) a threshold value of a neural network in accordance with a user probability coefficient Pf obtained from module 6 of setting up neural net since not all neuroimitators provide the possibility of such a conversion. In the context of the proposed classification method, the threshold value is the value that determines the division of the set of input data of the traffic classification system into subsets, each of which is a system administrator defined semantic category of message classification (advertising, transactional, service, international, fraudulent, etc.) category ₁ fig. . 4 1b. As you know, the division of a set into classes (subsets) must obey the rule that the input data element falls into only one subset, and the union of all subsets must coincide with the set of input data. Depending on the number of predefined classification categories or the dimension of the classification space, the output elements of the neural network, in accordance with the activation function, form a threshold value for the separation of this space. For example, in the case of two classification categories - advertising and service message, the category space is a plane, and the threshold value is a line separating this plane and forming a subset of the classification categories. The values of the output neurons determine the coordinates of the distribution of messages on the category plane (for example, advertising traffic 0.5, service 0.3). If the system administrator assumes that in accordance with the line template the message should be related to advertising traffic, then he can set the prevailing probability coefficient P _f for it. 4 1s. A software threshold transformation algorithm performs line transformation - for example, a shift in the space of two-dimensional coordinates (classification categories), taking into account the prevailing influence of the classification category for which the system administrator has set a higher probability (confidence) coefficient Pf. After the shift, a larger number of messages fall into a subset of the advertising category. A larger number of classification categories implies a more complex transformation logic in the general case similar to that described above. The transformation of the threshold value is possible by known methods: by converting the activation function Fa (X, Pf) of FIG. 4 1c, 5a and / or by changing the values of the weights of the bias neurons, other parameters of the neural network in accordance with Pf, includes the complex logic developed by the authors and is the know-how of the applicant. The threshold conversion algorithm allows the system administrator to quickly refine the classification results online without the need for retraining and testing the neural network. In another embodiment, for example, when using third-party vendor neural networks, it is impossible to influence the architecture of which it is impossible to influence the threshold value conversion, the adjustment of the results of the classification of the neural network is implemented by programmatically setting the acceptable boundary for the classification classification reliability of FIG. 4 1s, 5b. In this case, results that exceed the established confidence limit Pf fall under the confidence interval. Neural network training is carried out using training data sets that are also transmitted to the input of the neural network from module 6.

The user interface module 4 is intended for interaction with the system administrator (user) and, in various versions, can have a command line interface and / or an interface executed in the form of graphic images, includes visual interactive tools for monitoring various traffic channels (SMPP, SMTP, HTTP, etc. d.). The user interface module 4 includes a regex configuration module 5 allowing the system administrator to determine the message classification categories of FIG. 4 1b for example: a transaction category for identifying an SMS request for receiving a login / password, an advertising category for identifying SMS with advertising offers (notifications), a service category for SMS user interactions with the operator of the SMS, international and others. Module 5 regex settings allows the administrator to define simplified informal string templates user template FIG. 4 1a which are preferable for him to apply to the message, taking into account the current format of the syntax and semantics of the messages for each specific category. The regex configuration module 5 allows the administrator to determine the probability coefficient of assigning the message to a certain category user factor Pf of FIG. 4 1s. The system administrator defines informal user-template strings in FIG. 4 1a outside the regex language regex format rules. The probability coefficient Pf is not rigidly “tied” to an informal row template, because during subsequent processing, the user template is converted to the regex language format of FIG. 4 3., a Pf is converted into a transformation of the threshold value of FIG. 4 5a, 5b. The setting data is applied to the message independently of FIG. 4 8, 10. The indirect relationship of their interaction on the final classification of the message is determined by the fact that the processing of the message in module 3 neural net of FIG. 4 9 is made after applying the rules of the regex module 2 of FIG. 4 8. i.e. after classifying the message by the clear regex algorithms according to the user pattern of FIG. 3a 6-10, 3b 5-9, the subsequent classification result of neural net is specified in FIG. 3a 11, 3b 10 according to the Pf “confidence coefficient” of FIG. 3a, 15-18, 3b 14-17 of the user to apply their template. The ability to enter an arbitrary format of template strings intuitively at the discretion of the system administrator, eliminates the need to delve into the rules and dialects of the regex languages, and also provides the ability to quickly change the classification parameter (template string) and establish trust in it Pf with a little predictable format change messages (syntax, semantics, message schemes). Subsequently, after the transformations in the regex module 2, the changed template-string is applied to the meaningful field fields (attributes) of the message of FIG. 4 8. Such fields may be, for example, sender, recipient, message text and may include rarely used phrases, expressions, symbols, etc. The neural net 6 configuration module additionally includes an interface for setting training settings and testing the neural network, as well as a data warehouse for storing a historical array of messages and training data. Template strings and probabilistic coefficients the interface module 4 transmits, respectively, to modules 2, 3 of module 1 of the analysis compiler for further processing.

Module 7 - the configuration broker acting as the coordinating module receives the software module for the configuration of analysis rules generated by the analysis rules compiler 1, reproduces the required set of configurations and distributes them to the analytical nodes 8. The hardware and software logic of the configuration broker creates and maintains the required number of analytical nodes depending on the analyzed traffic type system (SMS, USSD, mail, etc.) and distributes analytical nodes depending on the load in addition to the balancer load driver 9, distributes between the analytical nodes 8 software modules for the configuration of the analysis rules, writes / rewrites them to the memory of the analytical nodes. The hardware and software logic of the configuration broker allows processing a message within a single network session (sender-receiver) by several analytical nodes and / or processing by a single analytical node of messages of different established network sessions. In the general case, the logic of the distribution of the configuration of the analysis rules for the analytical nodes 8 is determined by the type of the analyzed traffic, the load (number of incoming messages) for each type of traffic, and the syntactic and semantic affiliation of the generated configuration. For example, the service structure of SMS traffic that is less susceptible to changes (one-time password direction-service traffic category) can be analyzed by one analytical node 8 within different network sessions.

Analytical node 8 processes messages in accordance with the configuration of the analysis rules, provides interfaces for receiving a certain type of traffic in accordance with the protocol (SMPP for SMS, USSD, SMTP for mail, etc.). The message is collected from network packets, parsed by significant fields, and the configuration of the analysis rules is applied according to the commands and data of the processor process. The analytical node contains a pool of such processes, the logic of their creation, placement in memory and deletion. A processor process is a set of executed machine instructions stored in memory and which is part of a set of instructions for a processor device of an analytical unit. The processor process pool additionally provides load balancing to measures applied by the logic of load balancer 9 and configuration module 7. After processing the message, the analytical node classifies the message according to its predefined category (advertising, transactional, service, international, fraudulent, etc.) and directs message to the recipient.

Load balancer 9 provides the distribution of network load (forwarding client network packets) between analytic nodes 8. Forwarding can be implemented dynamically at the transport level by the well-known DNS-balancing technology, which provides for the assignment of several IP addresses to one domain name and the choice of a specific IP address depending on the rules balancing (for example, an algorithm for cyclic bypass of IP addresses.) ". In another implementation, the load balancer 9 statically assigns client IP addresses the specific IP addresses of the analytic nodes 8 (for example, Tanenbaum E., Weatheroll D. Computer networks. 5th ed. - St. Petersburg: Peter, 2012. p. 783, 787.) . In a preferred implementation, the analytical nodes 8 are spaced across different network nodes to ensure the fault tolerance of the service using HA technology (High Availability) of high availability clusters. In this case, the load balancer 9 can be built on the basis of proxy servers (routers) that establish redundant network connections to analytical nodes 8 to ensure uniform distribution of client requests. Additionally, the load balancer 9 implements message forwarding according to the type of application protocol of FIG. 1 - network packets of the SMTP protocol are routed to analytical nodes 8 processing SMS, USSD messages, SMPP packets are addressed to analytical nodes processing email messages. Client network nodes send messages to the network address of load balancer 9 through a generalized gateway (SMS aggregator for a2p service or a PCEF operator's gateway for P2a). Physically, load balancer 9 is implemented by the network topology by including additional routers with programmatic logic for routing network packets. In order to simplify FIG. 1, this architecture is functionally included in module 9, and in FIG. 1 not disclosed.

Hardware modules 1, 4, 7, 8, 9 can be executed on one network node or different, can be present in the basic network of SPRS and / or outside it. Modules 1, 4, 7, 8, 9 themselves are a complex of software and hardware (computers) von Neumann architecture of a universal or specialized form and in the general case contain:

The network card controller, implemented in the form of a card containing a processor memory and auxiliary logic, configured to process incoming and outgoing network packets at a transmission rate. The central processing unit can be implemented in a single / multiprocessor version, controls the operation of the unit, executes instructions and processes the data stored in memory. The memory of the corresponding nodes contains (compiled) blocks of the source code (compilation units) converted to the internal machine representation: the interface module, the informal and formal module of regex regular expression languages, neural network neural net, configuration broker, analytical nodes. In addition to this, the interface module 4 contains a video controller — a microcircuit that forms a video image on the monitor of the system administrator. The monitor is capable of displaying an image including a graphical interface and / or command line interface providing traffic channel management tools (SMPP, SMTP, other known from the prior art), defining message classification categories, defining and displaying simplified user-specific substring search string patterns in a string, displaying the administrator’s input of the system of probabilistic coefficients, visual control by training and testing the neural network. Input devices (keyboard, mouse, etc.) and the controller of the input device, which is responsible for processing data entered by the administrator from input devices. The data storage (hard disk) of the interface module 4 is intended for storing historical data for the purpose of its post-processing by the neural net module 3, training samples and other data, and the hard disk controller for receiving, transmitting and processing data from the data storage. A bus-set of conductors connecting the CPU to the memory, data storage devices and input-output.

FIG. 2 illustrates a general service design A2p, as one skilled in the art will recognize, but not limited to FIG. 2, the invention can be used in P2A, A2A, P2P services. In FIG. 2 as SMS sent to the subscriber, bank SMS mailings, SMS advertising offers, SMS notifications of social networks and any other known from the prior art can be used. TSC (Traffic Classification System) - the traffic classification system monitors all SMS messages sent to the network by programs generating SMS messages and running on network nodes - ESME ₁ - ESME _n-1 . As network nodes can serve the server of various business entities - banks, shops, etc. (ESMEn).

In FIG. Figure 2a shows a generalized sequence of SMPP TCP / IP calls of a2p traffic for receiving, analyzing and sending SMS messages of the SMPP protocol (3GPP 3G TS 23.039 specification). The example illustrates SMS messages in the direction from the external network node ESME to the MS of the subscriber of the mobile radio communication system (SPRS).

The dashed line shows signaling calls, continuous TCP / IP calls.

At stages 1-2, a standard signaling dialog for establishing a connection between the ESME and SMSC of the SPRS subscriber takes place. According to well-known rules, signal messages of the SMPP protocol are stacked in the OSI protocol stack and transmitted over the TCP / IP protocol to the network. After the connection is established, the external ESME node generating the SMS message according to the same rules places the deliver_sm, data_sm SMS message on the OSI protocol stack, fragmentes the TCP / IP packets and sends it to the network. By definition, TCP / IP packets are routed to the IP address of the load balancer of the traffic classification system of FIG. 1 9. Typically, the redirection of SMS messages from different ESMEs to the IP address of the load balancer can be implemented through a network intermediary that aggregates SMS messages from various ESMEs (so-called SMS aggregators, not shown in Fig.). The load balancer, in accordance with the forwarding algorithm, forwards packets to the IP address of the corresponding analytical node of FIG. 1 8. The analytic TCS processor process applies the analysis algorithm to SMS messages (SMS PDU analysis and processing) and then sends SMS to the network to subscriber’s SMS 4 (SMS Center), and the message classification attribute is sent to the interested SPRS node, for example, to the billing node SCP 5. Next, the standard signal exchange of message delivery 6-7 and delivery confirmation takes place 8. The sign of classification of the message classification mark to a certain type of traffic is used by the SPRS operator for subsequent business decisions. In another implementation, TCS saves all received SMS messages in the data store of user interface 4 and carries out their post-processing by modules 2 regex and 3 neural net 3, after which it transfers the classification results to the interested operator node. This mode can be applied in addition to the online classification to refine the classification results obtained in real time in FIG. 2a is not shown.

In FIG. Figure 2b shows an example of SMPP TCP / IP P2A traffic calls for receiving, analyzing and sending SMS messages using the SMPP protocol (3GPP 3G TS 23.039 specification). On the example of SMS messages in the direction from the SMSC operator SPRS to an external ESME node.

The dashed line shows signaling calls, continuous TCP / IP calls.

The clients of the traffic classification system in the SMS message classification option are mainly SPRS operators, and the network nodes are mobile subscriber stations (MS Mobil Station), short message service centers (SMSC Short Message Service Center) of the SPRS operator, service or application VAS Value Added Services ) SPRS operators or other external nodes (ESME External Short Message Entities). Clients send SMS messages to the network IP address of the load balancer 9, which performs a network packet routing algorithm for load balancing (not shown in Figs. 3a, 3b). Client packet redirection can be implemented on the PCEF gateway node of the SPRS operator.

The SPRS subscriber sends an SMS message from his MS, a number of calls 1-2 are made using signaling protocols for the delivery of outgoing SMS to SMSC. SMSC starts a typical SMPP request / response sequence as an SMS sender to an external ESME 3-4 node. After establishing a connection, 3-4 SMSC puts the SMS message deliver_sm, data_sm on the OSI protocol stack, fragmentes it onto TCP / IP packets and sends it to the network through the PCEF 5 SPRS gateway. PCEF at the transport level replaces the IP address of the TCP packet with the IP address of the load balancer 9 traffic classification systems 6. After routing packets by the load balancer, 9 packets arrive at the network interface of the analytic node 8 TCS where they are collected in SMS PDUs and then analysis and processing (SMS PDU analysis and processing) is performed. After classifying the message, the analytic node sends the message to the IP address of ESME 7, and sets the sender IPEF gateway address PCEF as the sender address. After receiving the ESME SMS message, an SMS 8 confirmation dialog is received, and the TCS (Traffic Classification System) traffic classification system sends to the address of the interested node (for example, the SCP billing node) the classification symptom of SMS message classification mark 8. Post-processing of the saved message array within P2A traffic can be carried out similarly as described above for A2P traffic.

FIG. 3a illustrates a generalized algorithm for the operation of a traffic classification system by the example of a series-parallel operation mode of a traffic classification system. At stage 1, the analytic node 8 assigned for processing SMS messages receives an SMS message — network packets are captured, packets are aggregated into streams, packets (streams) are classified according to the application layer protocol, data extraction, and other standard DPI traffic analysis operations are performed. At stage 2, the process pool manager initiates a process-handler that checks the message size, parses the message into significant fields for analysis (text, sender, recipient, service data, etc.) forms the corresponding data structure with separation into significant fields and places it in the analytical memory node 8. At stage 3, the program logic of the analytical node provides for the transmission of the message structure to the interface module 4 for recording in the data warehouse 4 in order to accumulate historical data and post-processing. Stage 5 offers the administrator the choice of a classification algorithm with Regex clear logic algorithms or the Neural net heuristic algorithm. At step 6, the system administrator is given the option to change the rules for analyzing the message. For example, if in messages in a random order, not possible for formalization (expression in the program logic of the algorithm), the syntax or semantics of the message changes, symbols of another alphabet appear and / or new words and phrases borrowed from other languages appear (for example, deadline, public relations , zoom, etc.). In this case, at step 7, the system administrator, at his discretion, introduces simplified string patterns that are intuitive to him, which, from his point of view, are acceptable for recognizing the changed semantics of the message. The input of informal templates-strings is carried out by the technical means of the regex module of the user interface module 5 - the administrator defines the informal user-template strings-templates. At the same time, it can determine the probabilistic coefficients user factor Pf for assigning messages to a predefined category — the type of traffic (category ₁ ), FIG. 3a, 3b. The administrator controls the correctness of the input on the monitor using the visual controls (graphical interface) drawn by the video controller of the user interface module 4. At step 8, user template data converted to a machine view is transmitted and stored in the memory of module 2 regex and then on a set of machine instructions of an informal regular expression language irrigex module 2 converts custom patterns into regular expressions of the already formal regex language. The transformation includes the programmatic generation of the irrigex struct data structure of the irrigex informal language and its transformation into the regex struct structure corresponding to the templates (regular expressions) of the regex formal expression regular language. At stage 9, from the regex struct structure, the analysis rules compiler 1 generates the final configuration of the analysis rules config - the program module is an object code file with instructions for analyzing the significant fields of the message and passes it to the configuration broker 7 to be written to memory, which plays the assigned many copies of the object code file configuration and passes it to the designated analytical nodes 8. At step 10, the analytical node 8 places the configuration in the memory of the corresponding process-handler, which applies it To process the text of the significant message fields, it then generates a sign of classifying the message as a predefined category, type of traffic - step 11. Next, in step 12, the significant fields of the string message can be transferred to module 3 neural net to the input of the neural network (steps 14-18) to clarify the classification (step 11) or the message is sent to the network for sending to the recipient 13. Such a “loop” allows you to specify the category of the message online using neural net after applying the regex rules. If significant fields of the string message are transmitted to the input of the neural network, the neural net module 3 uses the machine representation of the probability coefficient Pf obtained from the neural net configuration module 6, step 15. After the neural network classification algorithm is processed, steps 16, 17, the program algorithm for converting the threshold value of the neural net network according to the coefficient Pf - step 18. Next, according to the classification attribute generated by module 3 neural net, the processor processes the message category and then transfers it to the network for sending - steps 11, 12. Within one process - the handler during steps 14-18, steps 1-10 are applied to the next message, this achieves serial-parallel message processing.

FIG. 3b illustrates a block diagram of a parallel message processing. In this option, after step 3, clear classification algorithms based on the Regex rules — steps 5–9 and heuristic neural network classification algorithms Neural net — steps 13–17 are applied to the significant fields of the string message in parallel. At step 10, the program algorithm of the processor process waits for the completion of the execution of both branches of the algorithm, steps 13-17 assume the transfer (copying) of the significant fields of the string message to module 3 neural net and the execution of the classification algorithm for the neural network. After that, a message classification symptom is formed (the program logic of steps 5–9 and 13–17 are performed similarly to the variant of serial-parallel processing). Further, the message and the classification attribute are sent to the recipients - steps 10-12.

FIG. 4 illustrates a data processing diagram of a traffic classification system. SMS pdu flow, after working out the network load balancing logic by module 9 (not shown in Fig. 4), arrives at the network interface of the analytic node 8. Through the software interface of the sockets (network node address and the assigned port of the processor process), the analytical node receives a network packet 6 performs standard operations (DPI Deep Packet Inspection) for classifying packets, aggregating them into streams, and generates an SMS struct 7 data structure, which is a machine representation of OF DATA SMS message - the length of the length, sender sender, recipient, receiver, message text - string: string, including significant for analysis and classification of semantic field field _n. The user interface module 4 contains in memory the data defined by the system administrator: message classification categories - category ₁ 1b, informal line template - user template 1a, probability coefficient for assigning a message to a certain category - user factor Pf 1с. The regex module 2, based on the informal template-string 1a, according to the program algorithm of the informal regular expression language irrigex generates an irrigex struct 2 structure that includes data and methods for various operations such as searching for the occurrence of a template, performing a string replacement, etc., and stores it in the module's memory. In accordance with the user settings for the selected library of the standard language regex, the program algorithm of module 2 converts the data of the structure of the informal language irrigex struct 2 into the data structure of the corresponding standard language of regular expressions regex struct 3 that defines the rules for text analysis. The program algorithm of the analysis rules compiler 1 collects the config file 4 - the software module for the analysis rules configuration that includes the data and methods for processing them to methods (..) of the regex struct 3. Configuration broker 7 reproduces (copies) the number of config files specified by the program algorithm and distributes them by analytical nodes 8 (not shown in FIG. 4). The processor process, according to a program algorithm, applies the rules for analyzing the configuration file config to the meaningful fields of the string 8 message and generates a classification attribute based on the result, i.e. assigns a message to one of the predefined categories category ₁ 1b. To classify a message by a neural network, the process handler sends the significant fields of the string message to module 3 neural net. Significant fields of the message field _n are fed to the input elements of the neural network 9, after the classification logic is executed, the output elements X _{1 of the} neural network generate the corresponding probability coefficients Fa ₁ (X ₁ ) for classifying the message into a certain category 1. The software module for converting the threshold value of module 3 neural net converts function of the output elements X ₁ (threshold value) taking into account the coefficient Pf 1с - Fa ₁ (X ₁ , Pf) 5а. This ensures the influence of the user probability coefficient Pf classifying the message to a certain category on the classification result. After that, a sign is formed for classifying the message, assigning it to a certain category 10. In another embodiment 5b, the software algorithm of module 3 neural net assigns a sign for classifying messages in the category ₁ , the threshold value of which P _{1-1 of the} corresponding output neuron X ₁ prevails and exceeds the confidence level the interval set by the user coefficient Pf.

The presented architecture of the traffic classification system involves the separation of modules across different network nodes. The system performance is achieved by processing messages with regex rules only on the analytical node 8. Performance scaling, along with the well-known measures taken by the load balancer, is achieved by reproducing and redistributing the configuration of the analysis rules by the broker of configurations to the analytical nodes and maintaining their required number. The system architecture allows the administrator to perform steps 6-10, 14-18 of FIG. 3a and 5-9, 13-17 of FIG. 3b in series-parallel and parallel mode, respectively. The system architecture allows you to apply custom settings - changing the operating mode, disabling / enabling regex and / or neural net processing, entering templates and probability coefficients, without interrupting the analysis of the online message flow.

The main property and advantage of the system proposed by the authors is the flexibility and universality of the classification classification by ordinary administrators of network nodes through the use of the author's informal regular expression language irregex, which performs its logic in the 3 regex module. The functionality of the simplified input of text recognition templates allows you to remove restrictions on the service of the device by highly specialized highly qualified specialists and provide the opportunity for its operation to ordinary telecommunication specialists. Currently, in well-known text analysis solutions, when changing the communication scheme, developers of semantic analysis solutions are inevitably forced to engage in the laborious, not always possible refinement of the architecture of the semantic analysis solution. An accidental change in the message scheme and structure in the initial server settings by default cannot be determined, and it is not possible to foresee formalizing all possible message formats for obvious reasons. The functionality of module 4 of the user interface available for configuration translates the server proposed by the authors from the category of specialized equipment to the category of telecommunication network nodes available for configuration by ordinary experts in telecommunications. In addition, the inclusion of the informal language irregex in the system architecture made it possible to interact with any various standard regex languages and connect them for analysis in accordance with the user's preferences. Moreover, the inclusion of user probability coefficients in the classification process, and the implementation of the neural net module with the ability to adjust the results of the neural network (its own architecture or third-party tools) allows the system administrator to quickly respond to changes in the scheme and semantics of the message and quickly “tweak” the results of neural classification. Moreover, the classification method, both in serial-parallel mode and in parallel, provides a significant increase in the classification accuracy due to the synergy of the regex and neural net algorithms. What is especially important, the method and architecture of the traffic classification system provides indirect interaction of user settings, while the system administrator can configure them independently.

The proposed traffic classification system is demonstrated above using SMPP traffic as part of the interaction of a2p, p2a. As it is clear to specialists, the proposed solution can be used for semantic analysis of the flow of messages p2p, a2a services, mainly small amounts of text. As well as other standards and applications (including, for example, the SMPT specification for mail e-mail services), without going beyond the scope of legal protection of the proposed method for traffic classification and device architecture for its implementation.

The present invention was tested in PJSC Megafon and PJSC VimpelCom, as a result of the work, the claimed technical effect is confirmed.

Claims (8)

1. The method of traffic classification, according to which a natural language message is received, a message scheme is determined, the message is divided into meaningful syntactic and semantic fields, a plurality of nodes are provided for analyzing meaningful message fields to which text analysis rules are applied depending on the application message protocol, characterized in that for classifying messages into certain categories, an informal template-string of an informal language for searching and processing a substring in a string and probability A significant coefficient of assigning a message to a certain category, converts an informal template string into a regular expression of a standard language for searching and processing substrings in a string, converts a regular expression of a standard language into a program module for analyzing text analysis rules containing data and methods for processing strings, dynamically creates many configuration program modules analysis rules and distribute them across many nodes to analyze significant message fields, apply the configuration of analysis rules to they message fields, send a message to the input of the neural network, and the result of the classification of the message by the neural network is adjusted in accordance with a certain probabilistic coefficient of classifying the message to a certain category. 2. A method for classifying traffic according to claim 1, characterized in that the determination of the informal template-string of the informal language for searching and processing the substring in the string and the probabilistic coefficient of classifying the message to a certain category is carried out during the processing of the message. 3. The method of traffic classification according to claim 1, characterized in that a plurality of software modules for configuration of the analysis rules are generated and distributed across a plurality of nodes for analysis of significant message fields in proportion to the network load due to the number of messages being analyzed. 4. The method of classifying traffic according to claim 1, characterized in that the result of the classification of the neural network is adjusted in accordance with a certain probabilistic coefficient of classifying the message to a certain category, transformation of the threshold value for classifying the neural network. 5. The method for classifying traffic according to claim 1, characterized in that the result of the classification of the neural network is adjusted in accordance with a certain probabilistic coefficient of classifying the message to a certain category, setting the confidence level of the output elements of the neural network. 6. A traffic classification system, including a coordinating module, an analysis rule definition module, a machine learning module, at least one module for applying the analysis rules to significant message fields, characterized in that it further includes an administrator or system user interface configured to determine classification categories messages, informal line patterns applied to message analysis, probabilistic coefficients for assigning a message to a certain category, and additionally includes an analysis rule compiler module, configured to create an analysis rule configuration program module and consisting of a regular expression language module and a neural network module, the regular expression language module containing and executing algorithms of the informal regular expression language and at least one formal regular expression language and made with the possibility of obtaining an informal template-string and converting it into a regular expression of the formal language of regular expressions, and mod the neural network ul is configured to obtain a probabilistic coefficient of assigning a message to a certain category and adjust the result of the operation of the neural network based on it, and the coordinating module is configured to receive a software module for analyzing the configuration of rules, creating a variety of software modules for analyzing the configurations and distributing them among the many modules for applying rules analysis to meaningful message fields. 7. The traffic classification system according to claim 6, characterized in that the neural network module contains in memory and implements an algorithm for transforming the threshold value of the neural network in accordance with the obtained probability coefficient for assigning a message to a certain category. 8. The traffic classification system according to claim 6, characterized in that the neural network module contains in memory and executes an algorithm for establishing the boundary of the reliability of the output elements of the neural network in accordance with the obtained coefficient of assigning a message to a certain category.

Images