WO2021164340A1

WO2021164340A1 - Data processing method and device therefor

Info

Publication number: WO2021164340A1
Application number: PCT/CN2020/129007
Authority: WO
Inventors: 武维; 郭建伟; 李璠; 李建平
Original assignee: 华为技术有限公司
Priority date: 2020-02-17
Filing date: 2020-11-16
Publication date: 2021-08-26
Also published as: CN113271263B; CN113271263A

Abstract

Disclosed in embodiments of the present application is a data processing method. The method in the embodiments of the present application can be used in network data transmission, and comprises: a first network device obtains data to be inspected; the first network device obtains w first feature regions according to the data to be inspected, the first feature regions comprising data of at least one byte in the data to be inspected, and w being a positive integer; the first network device obtains application correlation degree information, the application correlation degree information indicating correlation degrees between the w first feature regions and application categories; the first network device determines, according to the w first feature regions and the application correlation degree information, an application category corresponding to the data to be inspected. According to the embodiments of the present application, an application category corresponding to data to be inspected can be determined without plaintext analysis, thereby improving the security of user data.

Description

Data processing method and equipment

This application claims the priority of a Chinese patent application filed with the State Intellectual Property Office of China, the application number is 202010097474.8, and the invention title is "a data processing method and its equipment" on February 17, 2020, the entire content of which is incorporated by reference In this application.

Technical field

The embodiments of the present application relate to the field of network communication technology, and specifically relate to a data processing method and equipment.

Background technique

With the continuous improvement of service technology, in order to satisfy operators' subdivision management of pipeline data packet flow, application identification of pipeline data packet flow has become more and more important. Network application identification is the core technology of operator service modeling. It distinguishes data packet flows belonging to different application types for data analysis and improves customer satisfaction with network service quality. In order to complete the application identification of the pipeline data packet flow, the industry generally adopts an identification technology based on deep packet inspection (DPI).

The DPI-based technology performs in-depth data analysis on the data stream, adds application layer data analysis, and finds the domain name information of the server in the parsed application layer data to identify the application category corresponding to the traffic in the network.

In the process of parsing, DPI-based technology uses plaintext parsing to parse the data packets in the pipeline, and plaintext parsing will affect the security of user data.

Summary of the invention

The embodiment of the present application provides a data processing method, which is used to identify the message in the pipeline code stream by the first network device according to the obtained application correlation information without performing plaintext parsing on the message when the application is identified in the network. The corresponding application category improves the security of user data.

The first aspect of this application provides a data processing method.

When it is necessary to identify the application category corresponding to the data stream in the network pipeline, the first network device will obtain the data to be detected in the pipeline data, that is, the data to be detected includes byte data in the pipeline data.

After the first network device obtains the to-be-detected data, the first network device processes the to-be-detected data to obtain one or more first characteristic regions, where the first characteristic region includes at least one byte in the to-be-detected data The data.

The first network device obtains application relevance information stored in the system, where the application relevance information is used to indicate the relevance between the one or more first feature regions and the application category in the application relevance information.

After the first network device obtains the application relevance information, the first network device determines the application category corresponding to the one or more first characteristic areas according to the one or more first characteristic areas and the application relevance information, Then determine the application category corresponding to the data to be detected.

In the embodiment of this application, when the first network device performs application identification, it processes the to-be-detected data obtained from the pipeline code stream to obtain the first characteristic area, and according to the obtained application correlation information and the first The characteristic area determines the application category of the data to be detected, and the application category corresponding to the data to be detected can be determined without clear text analysis, which improves the security of user data.

Optionally, in a possible implementation manner, the first network device determines the application category corresponding to the first characteristic area according to the application correlation information and the w first characteristic areas, and the first characteristic area and the corresponding application For the regional correlation between the categories, the first network device counts the sum of the regional correlations of the first feature region corresponding to each application category based on the application category.

The first network device determines that the to-be-detected data corresponds to the first application category based on the maximum value of the sum of the regional correlations of the first feature area corresponding to the first application category.

In the embodiment of the present application, the first network device determines the area relevance corresponding to the first characteristic area according to the application relevance information, and determines the application category corresponding to the data to be detected according to the area relevance, which improves the feasibility of the solution.

Optionally, in a possible implementation manner, the application correlation information further includes the correlation information of p third characteristic regions, where the correlation information of the third characteristic region includes the third characteristic region and the third characteristic region. The corresponding application category and the regional correlation between the third characteristic area and the application category corresponding to the third characteristic area, where the p third characteristic areas include at least one first characteristic area in the w first characteristic areas.

In the embodiment of the present application, by limiting the application relevance information to also include the relevance information of the third characteristic region, the feasibility of the solution is improved.

Optionally, in the first network device, based on the sum of the regional correlation of the first feature region corresponding to the first application category is the maximum value, and the maximum value is greater than a preset threshold, it is determined that the data to be detected corresponds to the first application category.

In the embodiment of the present application, the device on the first network determines that the value of the sum of the correlation degrees of the first feature area needs to be higher than the preset threshold before the first network device determines that the first application category is the application category corresponding to the data to be detected , Because when the sum of the correlation degrees of the first feature region is still lower than the preset threshold, it indicates that there is no information that is strongly related to the application category in the application correlation information in the data to be detected, so the data to be detected The corresponding application category may not be in the application relevance information, so it is necessary to set the sum of the relevance of the first feature area to be higher than the preset threshold in order to determine the application category corresponding to the data to be detected, thereby improving the solution determination The accuracy of the data to be tested.

Optionally, in a possible implementation manner, the acquired data to be detected includes at least the first K bytes of a message, and the first network device responds to the first K bytes including at least one message. Sliding window processing is performed on the to-be-detected data to obtain w first feature regions.

In the embodiment of the present application, the first network device processes the to-be-detected data by means of a sliding window to obtain the first characteristic region, which improves the feasibility of the solution.

Optionally, in a possible implementation manner, the first characteristic area includes continuous s bytes of data, and the s is a positive integer greater than 1.

In the embodiment of the present application, the feasibility of the solution is improved by limiting the specific data format of the first characteristic area.

Optionally, in a possible implementation manner, before the first network device obtains the to-be-detected data from the pipeline data, the first network device generates the application correlation information.

When the first network device prepares to generate application relevance information, the first network device obtains byte data corresponding to the first application category, that is, the byte data corresponding to the first application category is the first data.

The first network device inputs the first data into the trained first model. The first model will output the predicted application category. The first model is trained by the first network device, or it can be sent after training by other devices. For the first network device, the predicted application category information is the first application category.

After the first network device obtains the first application category, the first network device obtains n second characteristic regions based on the first application category and the first model, and the second characteristic regions include q adjacent bytes in the first data , N and q are positive integers.

After the first network device obtains the n second feature regions, the first network device determines the regional relevance of the second feature region and the first application category, and generates application relevance information, where the application relevance information includes the second feature The regional correlation between the region and the second feature region.

In the embodiment of the present application, the first network device obtains the relevant byte data of the first application category and inputs the data into the trained first model to obtain the predicted application category information, and generates the predicted application category information according to the predicted application category information. The application of relevance information improves the feasibility of the solution.

Optionally, in a possible implementation manner, the application correlation information further includes second characteristic region correlation information, and the second characteristic region correlation information includes a second characteristic region, and the first characteristic region corresponding to the second characteristic region Application category, and the regional correlation between the second feature area and the first application category. The n second feature areas contain at least one first feature area in the w first feature areas, that is, the data to be detected corresponds to The application category of is the first application category.

Optionally, in a possible implementation manner, the first network device obtains h first characteristic values based on the first application category and the first model. For example, the first network device may calculate the first characteristic value according to the first model. An application category, h first feature values are obtained, and the h first feature values are used to indicate the correlation between the first application category and the first feature point in the first data, and the first feature point includes at least the first feature point in the first data One byte of data, the h is a positive integer.

After the first network device obtains the h first characteristic values, the first network device obtains n second characteristic regions according to the h first characteristic values.

In the embodiment of the present application, the first network device obtains h first feature values by processing the first application category, and obtains n second feature regions according to the h first feature values, which improves the feasibility of the solution.

Optionally, in a possible implementation manner, the first network device obtains z target feature points in the first data according to h first feature values, and a feature corresponding to a target feature point in the first data The value is one of the first z eigenvalues in the h first eigenvalues sorted from largest to smallest, where z is a positive integer, and z is an integer less than or equal to h.

After the first network device obtains z target feature points, the first network device obtains n second feature regions according to the z target feature points, that is, each second feature region includes at least one target feature point.

In the embodiment of the present application, the first network device obtains z target feature points in the first data according to the h first feature values, and obtains n second feature regions according to the z target feature points, because one target feature The feature value corresponding to the point is one of the first few feature values arranged in descending order of h first feature values, because the feature value indicates the degree of association between the feature point and the application category, the feature value The higher the higher, the higher the degree of association. Therefore, the higher the degree of association between the n second feature regions obtained from the target feature point and the application category, and the application correlation information generated based on the n feature regions will be used in the subsequent The higher the accuracy rate when determining the application category.

Optionally, in a possible implementation manner, the midpoint of the second feature region is the target feature point.

In the embodiment of the present application, the feasibility of the solution is improved by explaining the composition method of the second characteristic region.

Optionally, in a possible implementation manner, the first network device is based on the number of times each characteristic area in the n second characteristic areas appears in the corresponding application category, and each of the n second characteristic areas. The number of feature regions corresponding to the application category corresponding to the feature region in the n second feature regions, and the region correlation degree of each feature region in the n second feature regions is obtained, and each feature region in the n second feature regions The regional correlation degree of represents the correlation degree between each feature region of the n second characteristic regions and the first application category, that is, the higher the regional correlation degree, the higher the correlation degree with the first application category.

The first network device generates application relevance information according to the area relevance of each of the n second characteristic areas.

In the embodiment of the present application, the first network device generates application relevance information according to the area relevance corresponding to each characteristic area in the n second characteristic areas, which improves the feasibility of the solution.

Optionally, in a possible implementation manner, in the first data acquired by the first network device, n second features are obtained by using q consecutive feature points with each target feature point as the midpoint among the z target feature points Area, the m is a positive integer less than n.

In the embodiment of the present application, the second network device obtains the second feature area by taking the target feature point as the midpoint, which improves the feasibility of the solution.

Optionally, in a possible implementation manner, when there are two different feature regions in the n second feature regions, the sixth feature region and the fourth feature region, the two feature regions have a high degree of similarity, that is, The repetition ratio of the feature points of the two different feature regions is greater than the first preset threshold, and the two different feature regions correspond to the same application category in the first application category, the first network device deletes these two features The feature region that appears less frequently in the first feature region in the region.

In the embodiment of the present application, when the similarity of two different feature regions in the n second feature regions is high, the first network device deletes the feature that appears less frequently in the n second feature regions Region, avoiding the repeated calculation of the region correlation degree for some highly similar feature regions when calculating the region correlation degree, which improves the accuracy of calculating the region correlation degree.

Optionally, in a possible implementation manner, among the n second characteristic areas, if a certain characteristic area corresponds to at least two application categories in the first application category, the first network device deletes the Related information, this characteristic area is the fifth characteristic area.

In the embodiment of this application, the first network device deletes the characteristic areas corresponding to at least two application categories in the n second characteristic areas, because when there are characteristic areas corresponding to more than two application categories, it means that the characteristic areas represent different categories. Therefore, it cannot represent the strongly related features of a specific application category. Therefore, after the first network device deletes the feature area corresponding to more than two application categories, the accuracy of the solution to determine the data to be detected can be improved. .

Optionally, in a possible implementation manner, the application correlation information may be displayed in the form of a heat map, and the larger the feature value corresponding to the feature point in the heat map, the more vivid the color of the feature point.

In the embodiment of the present application, the application relevance information is displayed in the form of a heat map, so that the result of the application relevance information can be seen more intuitively.

Optionally, in a possible implementation manner, after the first data is acquired, the first K bytes of information of the first data may be intercepted, and the value of K includes 784 or 1024.

In the embodiments of the present application, by setting specific values, the feasibility of the solution is improved.

Optionally, in a possible implementation manner, after the data to be detected is acquired, the first K bytes of information of the data to be detected may be intercepted, and the value of K includes 784 or 1024.

The second aspect of the application provides a data processing method.

The second network device obtains the byte data corresponding to the first application category, that is, the byte data corresponding to the first application category is the first data.

The second network device inputs the first data into the trained first model. The first model will output the predicted application category. The first model is trained by the second network device, or it can be sent after training by other devices. For the second network device, the predicted application category information is the first application category.

After the second network device obtains the first application category, the second network device obtains n second feature areas based on the first application category and the first model, and each of the n second feature areas includes the first application category. Q adjacent bytes in a data, n and q are positive integers.

After the second network device obtains the n second feature regions, the second network device determines the regional relevance of the second feature region and the first application category, and generates application relevance information, where the application relevance information includes the second feature The regional correlation between the region and the second feature region.

In the embodiment of the present application, the second network device obtains the relevant byte data of the first application category and inputs the data into the trained first model to obtain predicted application category information, and generates the predicted application category information according to the predicted application category information. The application of relevance information improves the feasibility of the solution.

Optionally, in a possible implementation manner, the second network device obtains h first characteristic values based on the first application category and the first model. For example, the second network device may calculate the first characteristic value according to the first model. An application category, h first feature values are obtained, and the h first feature values are used to indicate the correlation between the first application category and the first feature point in the first data, and the first feature point includes at least the first feature point in the first data One byte of data, the h is a positive integer.

After the second network device obtains the h first characteristic values, the second network device obtains n second characteristic regions according to the h first characteristic values.

In the embodiment of the present application, the second network device obtains h first feature values by processing the first application category, and obtains n second feature regions according to the h first feature values, which improves the feasibility of the solution .

Optionally, in a possible implementation manner, the second network device obtains z target feature points in the first data according to h first feature values, and a feature corresponding to one target feature point in the first data The value is one of the first z eigenvalues in the h first eigenvalues sorted from largest to smallest, where z is a positive integer, and z is an integer less than or equal to h.

After the second network device obtains z target feature points, the second network device obtains n second feature regions according to the z target feature points, that is, each second feature region includes at least one target feature point.

In the embodiment of the present application, the second network device obtains z target feature points in the first data according to the h first feature values, and obtains n second feature regions according to the z target feature points, because one target feature The feature value corresponding to the point is one of the first few feature values arranged in descending order of h first feature values, because the feature value indicates the degree of association between the feature point and the application category, the feature value The higher the higher, the higher the degree of association. Therefore, the higher the degree of association between the n second feature regions obtained from the target feature point and the application category, and the application correlation information generated based on the n feature regions will be used in the subsequent The higher the accuracy rate when determining the application category.

In the embodiment of the present application, the feasibility of the solution is improved by limiting the composition of the second characteristic area.

Optionally, in a possible implementation manner, the second network device is based on the number of times each characteristic area in the n second characteristic areas appears in the corresponding application category, and each of the n second characteristic areas The number of feature regions corresponding to the application category corresponding to the feature region in the n second feature regions, and the region correlation degree of each feature region in the n second feature regions is obtained, and each feature region in the n second feature regions The regional correlation degree of represents the correlation degree between each feature region of the n second characteristic regions and the first application category, that is, the higher the regional correlation degree, the higher the correlation degree with the first application category.

The second network device generates application relevance information according to the area relevance of each of the n second characteristic areas.

In the embodiment of the present application, the second network device generates application relevance information according to the area relevance corresponding to each characteristic area in the n second characteristic areas, which improves the feasibility of the solution.

Optionally, in a possible implementation manner, in the first data acquired by the second network device, n second features are obtained by using q consecutive feature points with each target feature point in the z target feature points as the midpoint. Area, the m is a positive integer less than n.

In the embodiment of the present application, when the similarity of two different feature regions in the n second feature regions is very high, the second network device deletes the feature that appears less frequently in the n second feature regions Region, avoiding the repeated calculation of the region correlation degree for some highly similar feature regions when calculating the region correlation degree, which improves the accuracy of calculating the region correlation degree.

Optionally, in a possible implementation manner, among the n second characteristic areas, if a certain characteristic area corresponds to at least two application categories in the first application category, the second network device deletes the Related information, this characteristic area is the fifth characteristic area.

In the embodiment of the present application, the second network device deletes the characteristic areas corresponding to at least two application categories in the n second characteristic areas, because when there are characteristic areas corresponding to more than two application categories, it means that the characteristic areas represent different categories. Therefore, it cannot represent the strong correlation feature of a specific application category. Therefore, after the second network device deletes the feature area corresponding to more than two application categories, the accuracy of the solution to determine the data to be detected can be improved. .

Optionally, in a possible implementation manner, the application correlation information may be displayed in the form of a heat map, and the larger the feature value corresponding to the feature point in the heat map, the brighter the color of the feature point.

Optionally, in a possible implementation manner, after the second network device obtains the application relevance information, the second network device sends the application relevance information to the first network device.

In the embodiment of the present application, after the second network device obtains the application relevance information, the application relevance information is sent to the first network device, which improves the feasibility of the solution.

The third aspect of this application provides a network device.

The obtaining unit is used to obtain the data to be detected;

A processing unit, configured to obtain w first characteristic regions according to the data to be detected, the first characteristic regions include at least one byte of data in the data to be detected, and w is a positive integer;

The determining unit is configured to determine the application category corresponding to the data to be detected according to the w first feature regions and the application correlation information, and the application correlation information indicates the correlation between the first feature region and the application category.

The determining unit is specifically configured to determine the application category corresponding to the first feature area and the regional correlation between the first feature area and the corresponding application category according to the w first feature areas and application correlation information;

A statistical unit, configured to count the sum of the regional correlations of the first feature region corresponding to each application category based on the application category;

The determining unit is further configured to determine that the to-be-detected data corresponds to the first application category based on that the sum of the regional correlations of the first feature area corresponding to the first application category is the maximum value.

Optionally, the application correlation information includes the correlation information of p third characteristic regions, where the correlation information of the third characteristic region includes the third characteristic region, the application category corresponding to the third characteristic region, and the relationship between the third characteristic region and the third characteristic region. The regional correlation between the corresponding application categories; the p third characteristic regions include at least one characteristic region among the w first characteristic regions.

Optionally, the data to be detected includes the first K bytes of at least one message;

The processing unit is specifically configured to perform sliding window processing on the first K bytes of at least one message to obtain w first characteristic regions.

Optionally, the first characteristic area includes s consecutive bytes, and s is an integer greater than 1.

Optionally, the acquiring unit is further configured to acquire first data, where the first data includes byte data corresponding to the first application category;

Network equipment also includes:

The input unit is used to input the first data into the first model, where the output of the first model is the first application category;

The processing unit is further configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;

The determining unit is further configured to determine the regional correlation between the second characteristic area and the first application category;

Network equipment also includes:

The generating unit is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.

Optionally, the application relevance information includes second feature area relevance information, the second feature area relevance information includes a second feature area, the first application category corresponding to the second feature area, and the second feature area and the first application category Regional relevance;

The n second characteristic regions include at least one first characteristic region among the w first characteristic regions, and the application category corresponding to the data to be detected is the first application category.

The fourth aspect of the present application provides a network device.

An acquiring unit, configured to acquire first data, where the first data includes byte data corresponding to the first application category;

The processing unit is configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;

The determining unit is used to determine the regional correlation between the second characteristic area and the first application category;

Optionally, the application relevance information includes second feature area relevance information, the second feature area relevance information includes a second feature area, the first application category corresponding to the second feature area, and the second feature area and the first application category Regional relevance.

Optionally, the processing unit is specifically configured to obtain h first feature values based on the first application category and the first model, where the first feature value indicates the correlation between the first application category and the first feature point in the first data, and the first The characteristic point includes one byte of data in the first data, and h is a positive integer;

The processing unit is specifically configured to obtain n second characteristic regions according to the h first characteristic values.

Optionally, the obtaining unit is further configured to obtain z target feature points according to the h first feature values, and the feature value of the target feature point is the first z of the h first feature values arranged in descending order of value. One of the eigenvalues, z is a positive integer, and z is an integer less than or equal to h;

The processing unit is specifically configured to obtain n second feature regions according to z target feature points, and each second feature region includes at least one target feature point.

Optionally, the midpoint of the second feature region is the target feature point.

Optionally, the n second feature regions include a sixth feature region and a fourth feature region, if the ratio of feature points in the sixth feature region and feature points in the fourth feature region is greater than the first preset threshold, and The number of times that the sixth characteristic area appears in the characteristic area of the corresponding application category in the first application category is greater than the number of times the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category, then the network device further includes:

The processing unit is used to delete the information of the fourth characteristic area.

Optionally, the n second characteristic regions include a fifth characteristic region, and if the fifth characteristic region corresponds to at least two application categories in the application relevance information, the processing unit is further configured to delete the information of the fifth characteristic region.

The fifth aspect of the present application provides a network device.

At least one processor and a memory, the memory stores program code, and the processor calls the program code to execute the method described in the implementation manner of the first aspect of the present application.

The sixth aspect of the present application provides a network device.

At least one processor and a memory, the memory stores program code, and the processor calls the program code to execute the method described in the implementation manner of the second aspect of the present application.

The seventh aspect of the present application provides an application identification system, including a first network device and a second network device.

The first network device is used to execute the method described in the implementation manner of the first aspect of the present application.

The second network device is used to execute the method described in the implementation manner of the second aspect of the present application.

The second network device is used to send application relevance information to the first network device.

The eighth aspect of the present application provides a computer storage medium. The computer storage medium stores instructions. When the instructions are executed on the computer, the computer executes the same as the first aspect of the present application, and/or the second Aspects implement the method described in the mode.

The ninth aspect of the present application provides a computer program product. When the computer program product is executed on a computer, the computer executes the method described in the first aspect of the present application and/or the implementation manner of the second aspect.

It can be seen from the above technical solutions that the embodiments of the present application have the following advantages:

The first network device obtains the data to be detected, and processes the data to be detected to obtain the first characteristic area, and determines the application category of the data to be detected according to the obtained application correlation information and the first characteristic area, without the need to parse the data in plaintext , Improve the security of user data.

Description of the drawings

Figure 1 is a schematic diagram of a network architecture in an embodiment of the application;

Figure 2 is a schematic flowchart of a data processing method in an embodiment of the application;

3 is a schematic flowchart of another data processing method in an embodiment of the application;

FIG. 4 is a schematic diagram of the structure of a network device in an embodiment of the application;

FIG. 5 is a schematic structural diagram of another network device in an embodiment of this application;

FIG. 6 is a schematic structural diagram of another network device in an embodiment of this application;

FIG. 7 is a schematic structural diagram of another network device in an embodiment of this application;

Fig. 8 is a schematic structural diagram of another network device in an embodiment of this application.

Detailed ways

The embodiment of the application provides a data processing method and device, which are used in the application identification of pipeline data by obtaining the data to be detected in the pipeline code stream, and processing the data to be detected to obtain the first characteristic area, and according to the application The relevance information and the first feature area determine the application category of the data to be detected, without the need to parse the data in plain text, which improves the security of user data.

Please refer to Figure 1, which is a schematic diagram of the network architecture provided for this application.

The embodiment of the present application provides an exemplary network architecture.

The network architecture includes at least the first network device 101.

The first network device 101 can be connected to a network pipe, which is used to transmit data. The network pipe can be a network pipe in a local area network, a network pipe in a wide area network, or a network pipe in other scenarios. There is no limitation here.

For example, the first network device 101 can be installed between the router and the core network, connected by wired or wireless, can also be installed between the core network and the firewall, or can be installed in the local area network, as long as the first network device 101 is connected Just go to the network pipeline, such as the convergence node of the network traffic, the node where the network traffic flows through, etc. The specifics are not limited here.

The first network device 101 is configured to generate application relevance information, and then obtain the data to be detected online in real time, and determine the application category of the data to be detected through the application relevance information.

Specifically, the first network device 101 is configured to identify the application category corresponding to the message in the data transmission pipeline according to the application correlation information, and distinguish the data packet traffic belonging to different application types for data analysis. The first network device 101 can be a server with a separate function, such as a separate application identification server, or can be integrated into an existing server, such as integrated in a network management server, or integrated in a network monitoring server, or integrated in traffic management The server is medium, and the specific server format is not limited here.

For example, the base station receives the data sent by the terminal and transmits the data to the route through the network channel. After the route transfers the data, the data is transmitted to the core network, and the core network then transmits the data that needs to be transmitted to the data destination, passing through the firewall, and finally arrives at the receiver. Data party. In this process, the first network device 101 is connected to the network pipeline, such as the convergence node of the network traffic, the node that the network traffic flows through, etc. The first network device 101 mirrors the place where the data flows in the communication network. Part of the data is used for application identification analysis.

It should be noted that, in the embodiment of the present application, in the data transmission scenario, one first network device 101 may exist alone, or multiple first network devices 101 may exist at the same time, and the details are not limited here. .

Optionally, the network architecture may further include a terminal device 103. When the first network device determines the application category of the data to be detected, the first network device 101 may send the data of the application category to the terminal device 103, so that the terminal device 103 may receive the data of the application category, and then process the data of the application category, for example, display the data of the application category. The specific processing method is not limited here.

It can be understood that the terminal device 103 may be a computer device, or other devices, such as a network management device, which is not specifically limited here.

Optionally, the network architecture may further include a second network device 102, and the second network device 102 may work offline and independently, or may be connected to the first network device. The second network device 102 can be used on the offline side, that is, to obtain the first data used to train the model, and then train the first model through the first data, and obtain the first model according to the trained first model and the first data. Application relevance information. The second network device 102 is also used to send application relevance information to the first network device, which is not specifically limited here.

Optionally, the first network device 101 may also be used on the offline side to obtain application correlation information, then the network architecture does not include the second network device 102.

For ease of understanding, the embodiments of this application provide basic explanations of the following terms:

Network pipe: A collective name for equipment used to carry network data packets.

Application identification: Identify which application category the traffic in the pipeline belongs to, for example, the pipeline traffic belongs to APP1, APP2, etc.

Code stream: the data packet stream in the network.

Heat map: A visual way to express the importance of data through color changes. For example, in the heat map, the brighter the data, the greater the impact on the result of application recognition.

Active area: the location area where the data in the heat map has a greater influence, indicating the brighter location area in the heat map.

Pull test: similar to a network data crawler, intercepting data packet information from the network.

The following describes the data processing method in the embodiment of the present application in conjunction with the data transmission framework of FIG. 1.

For ease of description, in the embodiments of the present application, the first network device and the second network device instead of the network device are used as an example for description.

In the embodiment of the present application, the first network device can obtain application relevance information through the first model training, and then determine the application category corresponding to the message in the pipeline data through the application relevance information, and can also receive applications sent by other network devices The relevance information is used to determine the application category corresponding to the message in the pipeline data through the application relevance information sent by other network devices. Therefore, there are several specific implementation manners of the embodiments of the present application, which are described below.

1. The first network device generates application correlation information.

Please refer to FIG. 2, which is a schematic flowchart of an embodiment of the data processing method provided by this application.

It should be noted that this embodiment can be divided into an online side and an offline side. The online side is the online real-time identification of the application category corresponding to the online data stream, and the offline side is the training model to obtain application relevance information. In the process, the application correlation information can be used on the online side to identify the application category corresponding to the online data stream. First, the offline side will be described.

In step 201, the second network device obtains the first data.

The second network device obtains the data stream corresponding to the first application category, and the data stream includes byte data corresponding to the first application category. Optionally, the second network device may obtain the data stream in the pipeline data by means of plug-in testing, It is also possible to collect multiple data streams through other devices, and then uniformly send them to the second network device, which is not specifically limited here.

When the second network device obtains a data stream corresponding to an application category, the data stream obtained by the second network device may be as follows:

Data stream 1: 82 0a 2a 2e 67 76 74 32…… =====>app1

It should be understood that the second network device may also obtain data streams corresponding to multiple application categories, as shown below:

Data stream 2 53 88 01 bb b8 bc 6a 14…… =====>app2

Data stream 3 29 6f 6d d3 9c 80 10…… =====>app1

It should be noted that, in the case where the embodiment of the present application is not described, the second network device acquires and processes the data of the first application category as an example for description. It should be understood that the acquisition and processing of data of multiple application categories is similar, and this application does not constitute a limitation.

When the data stream is transmitted in the pipeline, it is transmitted in the form of binary data. When the data stream is obtained, the display mode of the data stream can be binary or converted hexadecimal, which is not specifically done here. For limitation, this application uses hexadecimal as an example for description. The second network device intercepts the first K bytes of data of the data stream, and the intercepted first K bytes of data includes data corresponding to address information, data corresponding to domain name information, and other basic information-related data. For example, K=784, when the second network device obtains a data stream from the pipeline data, it intercepts the first 784 bytes of the data stream. In addition, this application is described in units of bytes, and this application may also be described in units of bits, etc., which is not specifically limited here.

It should be noted that in the actual application process, the second network device may not intercept the first K bytes of data of the data stream, but use the data stream for subsequent processing, which is not specifically limited here.

It should be noted that when the second network device intercepts the first K bytes of data of the data stream, the first data includes the first K bytes of data of the data stream. When the second network device does not perform the data stream When intercepting, the first data is the data stream.

It should be noted that when there are byte data of multiple data streams, the first data includes byte data of the multiple data streams.

In step 202, the second network device trains the first model.

The second network device builds a multi-layer convolutional neural network. It is understandable that the multi-layer convolutional neural network can be three or five layers, it can be a VGG type neural network, or it can be a ResNet The type of neural network is not limited here.

For example, when the constructed convolutional neural network has five layers, the structure of the five-layer convolutional neural network is an input layer, a first hidden layer, a second hidden layer, a third hidden layer, and an output layer in order. The number of nodes in the input layer is equal to K, which is the same as K in the first K bytes of information in the intercepted message by the second network device.

The number of nodes in the output layer of the neural network is the number of application categories. When the model is used to train data of one application category, the number of nodes in the output layer is one node. When the model is used to train data of multiple application categories, the number of nodes in the output layer is the corresponding multiple nodes.

The input layer data adopts convolution operation, and the linear rectification function (rectified linear unit, ReLU) is used to generate the first hidden layer, the first hidden layer is convolution operation, and the ReLU activation function is used to generate the second hidden layer. Layer, for the second hidden layer, use global average pooling (GAP) operation to generate the third hidden layer, and use the fully connected operation for the third hidden layer, and activate it through the normalized exponential function softmax Function to generate output layer data.

Input the acquired first data into the constructed neural network, that is, input the first data into the first model. Optionally, before inputting the first data to the first model, the first data may be normalized to obtain normalized data for training of the first model. For example, the normalization can be achieved by the following method: One:

Normalized data = first data/255

After the first data is input to the first model, the corresponding prediction category is obtained through the forward operation of the first model, the cross entropy loss value of the prediction category and the first application category is calculated, the gradient descent method is executed, and the model parameters are updated. When the maximum number of training iterations is reached or when the accuracy of the output prediction category reaches a preset threshold, the training of the first model is completed. It should be understood that when the training of the first model is completed, the data corresponding to the first application category is input to the first model, and the output of the first model is the first application category.

In step 203, the second network device obtains h first feature values based on the first application category and the first model.

The second network device obtains h first feature values based on the first application category and the first model. The first feature value represents the correlation between the first feature point in the first data and the first application category. The first feature The point refers to one byte of data, and the larger the feature value corresponding to the first feature point, the higher the correlation with the first application category.

It should be understood that the first feature point may also refer to multiple bytes of data, such as 2 bytes, etc., and this application does not constitute a limitation.

The second network device can obtain the h first feature values in a variety of ways. For example, the second network device obtains the connection weight value based on the first application category and the data of the last hidden layer in the architecture of the first model. The obtained connection weight value is multiplied with the corresponding penultimate hidden layer value to obtain the weighted feature information. The weighted feature information is added, and the first data is up-sampling to obtain the h The first characteristic value.

It is understandable that under different model architectures, the h first eigenvalues can also be obtained in different ways. This embodiment is a schematic example, and the method for obtaining the h first eigenvalues is not specifically described. The limit.

In step 204, the second network device obtains z target feature points according to the h first feature values.

After obtaining the h first feature values, the second network device obtains the first z feature values of the h first feature values, where z is a positive integer less than or equal to h, thereby obtaining the z features Z feature points corresponding to the value. Take the z feature points as z target feature points.

For example, if the h (h=10) first eigenvalues are 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.95, then the data size in the first eigenvalue is ranked first. (z=5) feature values, then get 0.6, 0.7, 0.8, 0.9, 0.95, the corresponding feature points of 0.6, 0.7, 0.8, 0.9, 0.95 in the first data are 5E, 1C, B2, E0 , A6, that is, the z (z=5) target feature points are 5E, 1C, B2, E0, A6.

In the actual application process, the eigenvalues of different feature points may be the same, for example:

h(h=10) the first eigenvalues are 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.9, 0.95, then the data size in the first eigenvalue is ranked first z(z = 5) feature values, then get 0.7, 0.8, 0.9, 0.9, 95, the corresponding feature points of 0.7, 0.8, 0.9, 0.9, 0.95 in the first data are 6E, 3C, B5, E2, A7 , That is, the target feature points of z (z=5) are 6E, 3C, B5, E2, A7.

In step 205, the second network device obtains n second feature regions according to z target feature points.

After the second network device obtains z target feature points, the second network device intercepts one or more consecutive feature points including at least one target feature point in the first data to obtain the second feature area, and so on, There will be n second feature regions, where n is a positive integer greater than or equal to z. The following will take the second feature region including q consecutive feature points as an example for description, and q is an integer greater than or equal to 1. It should be understood that for different second feature regions, the value of q may be different.

Optionally, the center point of the second feature region is the target feature point.

For example, taking each of the z target feature points in the first data as the center point, and intercepting a feature point on the left and right sides, and the value range of a is a ∈ [B1, B2], a total of a*( B2-B1+1) the second feature area. The second feature area contains (2a+1) feature points. It should be understood that n=a*(B2-B1+1) and q=2a+1.

It should be noted that step 203 to step 205 are steps performed on one data stream. When there are multiple data streams, step 203 to step 205 are repeated. For data streams of multiple application categories, the processing of step 203 to step 205 is performed on the data streams corresponding to the multiple application categories, respectively.

In step 206, the second network device determines the regional correlation between the second characteristic area and the first application category.

After processing the multiple data streams, the second network device further determines the regional correlation between the second characteristic area and the application category corresponding to the second characteristic area.

For the case where multiple data streams correspond to the first application category: the second network device counts the number of the same second characteristic area in n second characteristic areas, and further obtains the n corresponding to the second characteristic area in the first application category. The probability of occurrence in the second characteristic area, thereby obtaining the regional correlation degree between the second characteristic area and the first application category. As shown in Table 1a:

Table 1a

Take the second feature area "82, 0a, 2a, 2e, 67, 76, 74, 32" in Table 1a as an example for illustration. The number of the second feature area (also called the number of occurrences) is 80, the The second feature area corresponds to the first application category app1. The total number of second feature areas of the first application category is 100, and the area correlation between the second feature area and its corresponding first application category is 80/100 , Which is 0.8.

For the case where multiple data streams correspond to multiple application categories: the second network device separately counts the number of the same second feature area in the second feature area corresponding to each application category in the multiple application categories, and further obtains the second feature The probability of the region appearing in the total amount of the second feature region of the corresponding application category, thereby obtaining the regional correlation between the second feature region and the corresponding application category. As shown in Table 1b:

Table 1b

Take the second feature area "53, 99, 55, b9, b4, b8, 3a, 25" in Table 1b as an example for illustration. The number of the second feature area is 30, and the second feature area corresponds to the second feature area. Application category app2, the total number of second feature areas of the second application category app2 is 300, and the regional correlation between the second feature area and the corresponding second application category app2 is 30/300, that is, 0.1. It should be understood that, in this case, the second network device may perform statistics and calculations on the second characteristic regions of each application category.

It should be noted that in the actual application process, there may also be a category preference weight for a certain characteristic area, that is, when the category preference weight value is set when calculating the area relevance, the method for calculating the area relevance can also be (a certain The number of times that a characteristic area appears in all characteristic areas in its corresponding application category*category preference weight value)/the number of all characteristic areas in the application category is not specifically limited here.

Optionally, when the second network device counts the number of occurrences of each characteristic area in the first data in the n second characteristic areas and the application category to which it belongs, if the n second characteristic areas include the sixth characteristic area and the first characteristic area Four characteristic regions, if the proportion of the feature points in the sixth characteristic region and the characteristic points in the fourth characteristic region being repeated is greater than the first preset threshold, and the sixth characteristic region is the characteristic region of the application category corresponding to the first application category If the number of times that the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category is greater than the number of times that the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category, the second network device deletes the information of the fourth characteristic area. It should be noted that if the number of occurrences of the two characteristic regions is equal, one of the characteristic regions will be arbitrarily deleted, and the details are not limited here.

When there are two feature regions with extremely high similarity, it is determined that the two feature regions are relatively close in position in the first data. Therefore, the feature regions that appear less frequently among the two feature regions with high similarity are deleted. It is helpful to improve the accuracy when calculating the regional correlation.

Optionally, when the second network device counts the number of occurrences of each characteristic area in the first data in the n second characteristic areas and the application category to which it belongs, if the n second characteristic areas further include the fifth characteristic area, And the fifth characteristic area corresponds to two or more application categories, the fifth characteristic area is deleted.

When a feature area corresponds to more than two application categories, it means that the feature point corresponding to the feature area is not the basic feature of a certain application category. Therefore, deleting the feature area can improve the efficiency of determining the data stream online.

In step 207, the second network device generates application relevance information based on the relevance of the second characteristic area to the area of the first application category.

It should be understood that if the second network device deletes the fifth characteristic area and/or the fourth characteristic area in step 206, the application correlation information does not include the information of the characteristic area.

After the second network device obtains the area relevance of the characteristic areas in the n second characteristic areas, the second network device generates application relevance information according to the area relevance of the characteristic areas in the n second characteristic areas.

For the case where multiple data streams correspond to the first application category: the application relevance information includes the area relevance information of the second feature area, the area relevance information of the second feature area includes the second feature area, and the second feature area corresponds to The first application category, and the regional correlation between the second feature area and the first application category. For example, the application relevance information can be as shown in Table 2a,

特征区域Feature area	所属应用类别和区域相关度Application category and regional relevance
08 0a 2a 2e 67 53 2408 0a 2a 2e 67 53 24	<app1,0.8><app1,0.8>
53 88 01 bb b8 bc 6a 1e53 88 01 bb b8 bc 6a 1e	<app1,0.1><app1,0.1>
…….…….	……...

Table 2a

For the case where multiple data streams correspond to the first application category: the second network device respectively generates application relevance information according to the regional relevance of each of the n second feature areas of different application categories. The application relevance information includes the area relevance information of the second feature area, and the area relevance information of the second feature area includes the second feature area, the application category corresponding to the second feature area, and the second feature area and the second feature area. The regional correlation between the corresponding application categories. For example, the application relevance information can be as shown in Table 2b,

特征区域Feature area	所属应用类别和区域相关度Application category and regional relevance
08 0a 2a 2e 67 53 2408 0a 2a 2e 67 53 24	<app1,0.8><app1,0.8>
53 88 01 bb b8 bc 6a 1e53 88 01 bb b8 bc 6a 1e	<app2,0.2><app2,0.2>
…….…….	……...

Table 2b

It is understandable that the application relevance information can also exist in other forms, as long as the application relevance information can indicate the association relationship between the feature area and the application category and the regional relevance of the feature area under the application category, for example, The application relevance information is expressed in the form of a heat map. It is understandable that the application relevance information can also be expressed in other ways, such as a one-dimensional vector or a table, which is not specifically limited here.

Steps 201 to 207 describe the method on the offline side in this embodiment, and the following steps describe the method on the online side in this embodiment.

Please refer to Figure 3, which is a schematic diagram of the process on the online side of this application.

In step 301, the first network device obtains the data to be detected.

When the application relevance information is generated by the second network device, the first network device receives the application relevance information sent by the second network device. When the first network device needs to identify and classify the data packets in the pipeline data, the first network device acquires the data to be detected in the pipeline data.

It should be noted that the first network device may obtain the data to be detected by dialing and testing by itself, and may also receive the data to be detected sent by other gateway devices, which is not specifically limited here.

In the actual application process, the data to be detected obtained by the first network device may be a binary data packet or a hexadecimal data packet, and the specifics are not limited here.

In step 302, the first network device obtains w first characteristic regions according to the data to be detected.

After the first network device obtains the data to be detected, it intercepts the first K bytes of information of the message, that is, intercepts the same byte information as when training the model on the offline side, and then uses the sliding window method according to the K bytes The information generates w first feature regions, where w is a positive integer greater than or equal to 1.

For example, for the data to be detected: 53 88 01 bb b8 bc 6a 1e 08 0a 2a 2e 67 53 24... When the size range of the sliding window is [6, 10], the value of the sliding window can be 6, 7 ,8,9,10. When the size of the sliding window = 6, the sliding step is 1, and the following feature regions will be generated:

When the size of the sliding window = 7, and the sliding step length is 1, the following feature regions are generated:

By analogy, several characteristic regions will be obtained, and the several characteristic regions are the first characteristic regions.

It is understandable that the w first feature regions can also be obtained in other ways, for example, the w first feature regions can be obtained by AC (Aho–Corasick, AC) automata algorithm or prefix tree algorithm, which is not specifically done here. limited.

When the w first feature regions are obtained through the AC automata algorithm or the prefix number algorithm, the AC automata algorithm needs to be constructed according to the application correlation information, and then the w first feature regions are obtained through the AC automata algorithm, that is, according to Apply the existing feature regions in the correlation information to automatically obtain w first feature regions that match it.

It is understandable that the characteristic area can also be obtained in other ways, as long as a collection of bytes of different sizes is obtained, which is not specifically limited here.

It should be noted that when the first K bytes of information of the data stream are not intercepted, the first characteristic area can be obtained by processing the byte information of the data stream.

In step 303, the first network device determines the regional correlation between the first characteristic region and the corresponding application category according to the application correlation information and the first characteristic region.

It can be seen from the embodiment shown in FIG. 2 that when the application correlation information includes the area correlation information of p third characteristic regions, the correlation information of the third characteristic region includes the third characteristic region and the application category corresponding to the third characteristic region. , And the regional correlation between the third characteristic area and the corresponding application category, and when the p third characteristic areas include at least one characteristic area in the w first characteristic areas, the first network device is related to the application Find the area correlation information corresponding to each feature area in the w first feature areas in the degree information, such as the corresponding application category, and the area correlation with the application category. When a feature area in the first feature area does not If the corresponding application category is found, the value of the regional relevance corresponding to the characteristic region is 0.

The first network device determines the application category corresponding to the first characteristic area and the area between the first characteristic area and the corresponding application category according to the w first characteristic areas and the application correlation information relativity;

The first network device counts the sum of the regional correlation degrees of the first characteristic area corresponding to each application category based on the application category;

The first network device determines that the data to be detected corresponds to the first application category based on that the sum of the regional correlations of the first characteristic areas corresponding to the first application category is the maximum value.

The first network device determines the application category corresponding to the first feature area and the area correlation between the first feature area and the corresponding application category according to the w first feature areas and application correlation information; and makes statistics based on the application category The sum of the regional relevance of the first feature area corresponding to each application category, so as to obtain the total regional relevance corresponding to each application category, for example, as shown in Table 3a below,

Table 3a

Take the application category "app1" in Table 3a as an example. The feature area corresponding to this app1 is "65, 6a, 77, 8e, 67, 6b, 45, 33", and "33, 11, 96, 5e, 6b, 3e, 45, 33", and the regional correlations corresponding to these two feature regions are 0.4 and 0.15, respectively, then the sum of the regional correlations corresponding to the "app1" is calculated to be 0.55. It should be understood that in this case, the first Second, the network device can perform statistics and calculations on the regional correlation degrees corresponding to each application category to obtain the total regional correlation degrees corresponding to each application category.

For example, the total area relevance of the first feature area corresponding to different application categories is shown in Table 3b below.

应用类别Application category	对应的总区域相关度Corresponding total area correlation
app1app1	0.850.85
app2app2	0.60.6
…….…….	……...

Table 3b

In step 304, the first network device determines that the data to be detected corresponds to the first application category based on that the sum of the regional correlations of the first characteristic regions corresponding to the first application category is the maximum value.

After the first network device obtains statistics of the total area relevance of the first feature area corresponding to different application categories, the first network device determines the data to be detected corresponding to the first feature area according to the maximum value of the sum of the area relevance of the first feature area Corresponds to the first application category.

Optionally, after determining that the sum of the area correlations of the first characteristic area is the maximum value, the first network device may also determine whether the sum of the area correlations of the first characteristic area is higher than a preset threshold. The sum of the area correlations of the first characteristic area is higher than the preset threshold, and the first network device determines that the application category corresponding to the first characteristic area is the application category corresponding to the data to be detected. If the sum of the regional relevance of the first characteristic area is lower than the preset threshold, the first network device determines that the application category corresponding to the data to be detected is not the application category in the application relevance information.

After determining the application category corresponding to the data to be detected, the first network device may display the result of the application category corresponding to the data to be detected in the display area of the first network device, or send the result to other devices, such as Terminal equipment for operation and maintenance personnel.

It should be noted that, when the first network device determines that the application category corresponding to the data to be detected is not the application category in the application relevance information, it can generate application relevance information corresponding to the application category through steps 201 to 207. Furthermore, the application relevance information corresponding to the application category can be integrated with the original application relevance information to form updated application relevance information.

In this embodiment, steps 201 to 207 can also be executed by the first network device. When executed by the first network device, then in step 301, when the first network device needs to use the application relevance information, it directly obtains the application Relevance information is sufficient.

In this embodiment, by intercepting the first K bytes of information of the data stream, for example, intercepting the first 1024 bytes of information of the data stream, the first 1024 bytes of information of the data stream include IP information, DNS information, and port information. And so on binary data ciphertext information, because this information can reflect certain characteristics of the application category, so the application correlation information is generated from the binary data of this information, and then the message data in the pipeline data is identified according to the application correlation information. The application category of the first network device has improved the accuracy of identifying application categories.

The data processing method in the embodiment of the application is described above, and the network device in the embodiment of the application is described below. Please refer to FIG. 4, which is a schematic structural diagram of an embodiment of the network device provided by this application.

The obtaining unit 401 is configured to obtain the data to be detected;

The processing unit 402 is configured to obtain w first characteristic regions according to the data to be detected, the first characteristic regions include at least one byte of data in the data to be detected, and w is a positive integer;

The determining unit 403 is configured to determine the application category corresponding to the data to be detected according to the w first feature regions and the application correlation information, and the application correlation information indicates the correlation between the first feature region and the application category.

In this embodiment, the operations performed by each unit of the network device are similar to those described in the foregoing embodiment shown in FIG. 2 and will not be repeated here.

Please refer to FIG. 5, which is a schematic structural diagram of another embodiment of the network device provided by this application.

The obtaining unit 501 is configured to obtain the data to be detected;

The processing unit 503 is configured to obtain w first characteristic regions according to the data to be detected, the first characteristic regions include at least one byte of data in the data to be detected, and w is a positive integer;

The determining unit 505 is configured to determine the application category corresponding to the data to be detected according to the w first feature regions and application correlation information, and the application correlation information indicates the correlation between the first feature region and the application category.

The determining unit 505 is specifically configured to determine the application category corresponding to the first feature area and the regional correlation between the first feature area and the corresponding application category according to the w first feature areas and application correlation information;

The statistics unit 504 is configured to count the sum of the regional correlation degrees of the first feature region corresponding to each application category based on the application category;

The determining unit 505 is further configured to determine that the to-be-detected data corresponds to the first application category based on that the sum of the regional correlations of the first feature area corresponding to the first application category is the maximum value.

The processing unit 503 is specifically configured to perform sliding window processing on the first K bytes of at least one message to obtain w first feature regions.

Optionally, the acquiring unit 501 is further configured to acquire first data, where the first data includes byte data corresponding to the first application category;

Network equipment also includes:

The input unit 502 is configured to input first data into a first model, where the output of the first model is the first application category;

The processing unit 503 is further configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;

The determining unit 505 is further configured to determine the regional correlation between the second characteristic region and the first application category;

Network equipment also includes:

The generating unit 506 is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.

In this embodiment, the operations performed by each unit of the network device are similar to those described in the foregoing embodiments shown in FIG. 2 and FIG. 3, and will not be repeated here.

Please refer to FIG. 6, which is a schematic structural diagram of another embodiment of a network device provided by this application.

The acquiring unit 601 is configured to acquire first data, where the first data includes byte data corresponding to the first application category;

The input unit 602 is configured to input first data into a first model, where the output of the first model is the first application category;

The processing unit 603 is configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;

The determining unit 604 is configured to determine the regional correlation between the second characteristic area and the first application category;

The generating unit 605 is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.

In this embodiment, the operations performed by each unit of the network device are similar to those described in the foregoing embodiment shown in FIG. 3, and will not be repeated here.

Please refer to FIG. 7, which is a schematic structural diagram of another embodiment of the network device provided by this application.

The obtaining unit 701 is configured to obtain first data, where the first data includes byte data corresponding to the first application category;

The input unit 702 is configured to input first data into a first model, where the output of the first model is the first application category;

The processing unit 703 is configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;

The determining unit 704 is configured to determine the regional correlation between the second characteristic area and the first application category;

The generating unit 705 is configured to generate application relevance information based on the relevance of the second characteristic area to the area of the first application category.

Optionally, the application correlation information includes second characteristic area correlation information, the second characteristic area correlation information includes a second characteristic area, the first application category corresponding to the second characteristic area, and the second characteristic area and the first application category Regional relevance.

Optionally, the processing unit 703 is specifically configured to obtain h first feature values based on the first application category and the first model, where the first feature values indicate the correlation between the first application category and the first feature point in the first data, and A characteristic point includes one byte of data in the first data, and h is a positive integer;

The processing unit 703 is specifically configured to obtain n second feature regions according to the h first feature values.

Optionally, the acquiring unit 701 is further configured to acquire z target feature points according to the h first feature values, and the feature value of the target feature point is the first z of the h first feature values arranged in descending order of value. One of the eigenvalues, z is a positive integer, and z is an integer less than or equal to h;

The processing unit 703 is specifically configured to obtain n second feature regions according to z target feature points, and each second feature region includes at least one target feature point.

The processing unit 703 is configured to delete the information of the fourth characteristic region.

Optionally, the n second characteristic regions include a fifth characteristic region, and if the fifth characteristic region corresponds to at least two application categories in the application relevance information, the processing unit 703 is further configured to delete the information of the fifth characteristic region.

Referring to FIG. 8, another embodiment of the network device in the embodiment of the present application includes:

The network device or the media server in the embodiment of the present application can also be implemented in the manner of the computer device (or system) in FIG. 8. FIG. 8 is a schematic diagram of a computer device provided by an embodiment of this application. The computer device includes at least one processor 801, a communication bus 802 and a memory 803, and may also include at least one communication interface 804 and an I/O interface 805.

The processor may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of this application.

The communication bus may include a path to transfer information between the above-mentioned components. The communication interface uses any device such as a transceiver to communicate with other devices or communication networks, such as Ethernet, wireless access network (RAN), wireless local area network (Wireless Local Area NetworKs, WLAN), etc.

The memory can be read-only memory (ROM) or other types of static storage devices that can store static information and instructions, random access memory (RAM), or other types that can store information and instructions Dynamic storage devices can also be Electrically Erasable Programmable Read-Only Memory (EEPROM), CD-ROM (Compact Disc Read-Only Memory, CD-ROM) or other optical disc storage, optical disc storage ( Including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or can be used to carry or store desired program codes in the form of instructions or data structures and can be stored by a computer Any other media taken, but not limited to this. The memory can exist independently and is connected to the processor through a bus. The memory can also be integrated with the processor.

Wherein, the memory is used to store application program code for executing the solution of the present application, and the processor controls the execution. The processor is configured to execute the application program code stored in the memory.

In a specific implementation, the processor may include one or more CPUs, and each CPU may be a single-core processor or a multi-core processor. The processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).

In specific implementation, as an embodiment, the computer device may further include an input/output (I/O) interface. For example, the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector, etc. . The input device can be a mouse, a keyboard, a touch screen device, or a sensor device.

The above-mentioned computer equipment may be a general-purpose computer equipment or a special-purpose computer equipment. In a specific implementation, the computer equipment can be a desktop computer, a portable computer, a network server, a PDA (Personal Digital Assistant, PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, an embedded device, or the like in Figure 7 Structure of the equipment. The embodiments of this application do not limit the type of computer equipment.

The first network device, the second network device or the terminal device in FIG. 1, FIG. 2 or FIG. 3 may be the device shown in FIG. 8, and one or more software modules are stored in the memory. The network device and the terminal device can implement the software module through the processor and the program code in the memory to complete the method executed by the network device or the terminal device in the foregoing embodiment.

In this embodiment, the processor 801 can execute the operations performed by the first network device or the second network device in the embodiments shown in FIG. 2 and FIG. 3, and details are not described herein again.

The embodiments of the present application also provide a system for identifying applications. The system includes a first network device and a second network device.

The first network device is used to execute the method for executing the first network device in the embodiment shown in FIG. 3, and details are not described herein again.

The second network device is used to execute the method executed by the second network device in the embodiment shown in FIG. 2, and details are not described herein again.

In addition, the second network device is further configured to send application relevance information to the first network device.

In a possible design, the first network device is further configured to send the application category corresponding to the data to be detected to the terminal device.

The embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a computer, the method process related to the network device in any of the foregoing method embodiments is implemented.

It should be understood that the processor mentioned in the network device in the above embodiment of this application, or the processor provided in the above embodiment of this application, may be a central processing unit (CPU) or other general-purpose processors. , Digital signal processor (digital signal processor, DSP), application specific integrated circuit (ASIC), ready-made programmable gate array (field programmable gate array, FPGA) or other programmable logic devices, discrete gates or transistor logic Devices, discrete hardware components, etc. The general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.

It should also be understood that the number of processors in the network device in the above embodiments of the present application may be one or multiple, and may be adjusted according to actual application scenarios. This is only an exemplary description and is not limited. The number of memories in the embodiments of the present application may be one or multiple, and may be adjusted according to actual application scenarios. This is only an exemplary description and is not limited.

It should also be understood that the memory or readable storage medium mentioned in the network device in the above embodiments in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Sexual memory both. Among them, the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), and electrically available Erase programmable read-only memory (electrically EPROM, EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which is used as an external cache. By way of exemplary but not restrictive description, many forms of RAM are available, such as static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), and synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection dynamic random access memory (synchlink DRAM, SLDRAM) ) And direct memory bus random access memory (direct rambus RAM, DR RAM).

It should also be noted that when the network device includes a processor (or processing unit) and a memory, the processor in this application may be integrated with the memory, or the processor and the memory may be connected through an interface, which can be based on actual conditions. The application scenario adjustment is not limited.

The embodiments of the present application also provide a computer program or a computer program product including a computer program. When the computer program is executed on a computer, the computer will enable the computer to realize the connection with the network device in any of the above-mentioned method embodiments. Method flow.

In each of the above-mentioned embodiments in FIG. 2 to FIG. 3, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by software, it can be implemented in the form of a computer program product in whole or in part.

The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions described in the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center. Transmission to another website, computer, server or data center via wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.). The computer-readable storage medium may be any available medium that can be stored by a computer or a data storage device such as a server or a data center integrated with one or more available media. The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).

Those skilled in the art can clearly understand that, for the convenience and conciseness of the description, the specific working process of the above-described system, device, and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or It can be integrated into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.

In addition, the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium. Based on this understanding, the technical solution of this application essentially or the part that contributes to the existing technology or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium. , Including several instructions to make a computer device (which can be a personal computer, a server, or other network devices, etc.) execute all or part of the steps of the methods described in the various embodiments in Figures 2 to 6 of this application. The storage medium includes: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes.

The terms “first” and “second” in the description and claims of this application and the above-mentioned drawings are used to distinguish similar objects, and, in order to clearly describe the technical solutions of the embodiments of this application, in this application In the embodiments of, words such as "first" and "second" are used to distinguish the same or similar items that have basically the same function and effect. Those skilled in the art can understand that words such as "first" and "second" do not limit the quantity and order of execution, and words such as "first" and "second" do not limit the difference. It should be understood that the terms used in this way can be interchanged under appropriate circumstances, and this is merely a way of distinguishing objects with the same attributes in the description of the embodiments of the present application. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion, so that a process, method, system, product or device containing a series of units is not necessarily limited to those units, but may include Listed or inherent to these processes, methods, products, or equipment.

The names of messages/frames/information, modules or units, etc. provided in the embodiments of the present application are only examples, and other names can be used as long as the functions of the messages/frames/information, modules or units, etc. are the same.

The terms used in the embodiments of the present application are only for the purpose of describing specific embodiments, and are not intended to limit the present invention. The singular forms of "a", "said" and "the" used in the embodiments of the present application are also intended to include plural forms, unless the context clearly indicates other meanings. It should also be understood that, in the description of this application, unless otherwise specified, "/" means that the objects associated before and after are in an "or" relationship, for example, A/B can mean A or B; in this application, "and" "/Or" is just an association relationship describing the associated objects, which means that there can be three relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone. Among them, A and B can be singular or plural.

Depending on the context, the words "if" or "if" as used herein can be interpreted as "when" or "when" or "in response to determination" or "in response to detection". Similarly, depending on the context, the phrase "if determined" or "if detected (statement or event)" can be interpreted as "when determined" or "in response to determination" or "when detected (statement or event) )" or "in response to detection (statement or event)".

As mentioned above, the above embodiments are only used to illustrate the technical solutions of the present application, but not to limit them; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: The technical solutions recorded in the embodiments are modified, or some of the technical features are equivalently replaced; these modifications or replacements do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present application.

Claims

A data processing method, characterized in that it comprises:

The first network device obtains the data to be detected;

The first network device obtains w first characteristic regions according to the data to be detected, the first characteristic regions include at least one byte of data in the data to be detected, and w is a positive integer;

The first network device determines the application category corresponding to the data to be detected according to the w first feature regions and application correlation information, and the application correlation information indicates the difference between the first feature region and the application category. relativity.
The method according to claim 1, wherein the first network device determining the application category corresponding to the data to be detected according to the w first feature regions and the application correlation information specifically comprises:

The first network device determines the application category corresponding to the first characteristic area and the area between the first characteristic area and the corresponding application category according to the w first characteristic areas and the application correlation information relativity;

The first network device counts the sum of the regional correlation degrees of the first characteristic region corresponding to each application category based on the application category;

The first network device determines that the data to be detected corresponds to the first application category based on that the sum of the regional correlations of the first characteristic areas corresponding to the first application category is the maximum value.
The method according to claim 1 or 2, wherein the application relevance information includes area relevance information of p third characteristic areas, wherein the area relevance information of the third characteristic area includes a third characteristic Area, the application category corresponding to the third characteristic area, and the regional correlation between the third characteristic area and the corresponding application category; p of the third characteristic areas include the w first characteristics At least one characteristic area in the area.
The method according to any one of claims 1-3, wherein the data to be detected includes the first K bytes of at least one message;

The first network device obtains w first characteristic regions according to the data to be detected, which specifically includes:

The first network device performs sliding window processing on the first K bytes of the at least one message to obtain the w first characteristic regions.
The method according to any one of claims 1 to 4, wherein the first characteristic area comprises s consecutive bytes, and the s is an integer greater than 1.
The method according to any one of claims 1 to 5, wherein before the first network device obtains the data to be detected, the method further comprises:

Acquiring, by the first network device, first data, where the first data includes byte data corresponding to a first application category;

The first network device inputs the first data into a first model, where the output of the first model is the first application category;

The first network device obtains n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, and the n Is a positive integer, and the q is a positive integer;

Determining, by the first network device, an area correlation degree between the second characteristic area and the first application category;

The first network device generates the application relevance information based on the relevance of the second characteristic area and the area of the first application category.
The method according to claim 6, wherein the application correlation information includes the second characteristic region correlation information, the second characteristic region correlation information includes the second characteristic region, and the second characteristic region The first application category corresponding to the second characteristic area, and the regional correlation between the second characteristic area and the first application category;

The n second characteristic regions include at least one first characteristic region among the w first characteristic regions, and the application category corresponding to the to-be-detected data is the first application category.
A data processing method, characterized in that it comprises:

The second network device acquires first data, where the first data includes byte data corresponding to the first application category;

The second network device inputs the first data into a first model, wherein the output of the first model is the first application category;

The second network device obtains n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, and the n Is a positive integer, and the q is a positive integer;

Determining, by the second network device, an area correlation degree between the second characteristic area and the first application category;

The second network device generates application relevance information based on the relevance of the second characteristic area and the area of the first application category.
The method according to claim 8, wherein the application correlation information includes the second characteristic region correlation information, the second characteristic region correlation information includes the second characteristic region, and the second characteristic region The first application category corresponding to the two characteristic areas, and the regional correlation between the second characteristic area and the first application category.
The method according to claim 8 or 9, wherein the second network device obtaining n second characteristic regions based on the first application category and the first model comprises:

The second network device obtains h first feature values based on the first application category and the first model, and the first feature value indicates the difference between the first application category and the first feature point in the first data Correlation, the first feature point includes one byte of data in the first data, and the h is a positive integer;

The second network device obtains n second characteristic regions according to the h first characteristic values.
The method according to claim 10, wherein the obtaining, by the second network device, the n second characteristic regions according to the h first characteristic values comprises:

The second network device obtains z target feature points according to the h first feature values, and the feature value of the target feature point is the first z of the h first feature values arranged in descending order of numerical value. One of the eigenvalues, the z is a positive integer, and the z is an integer less than or equal to the h;

The second network device obtains the n second characteristic regions according to the z target characteristic points, and each of the second characteristic regions includes at least one target characteristic point.
The method according to claim 11, wherein the midpoint of the second feature area is the target feature point.
The method according to any one of claims 8 to 12, wherein the method further comprises:

The n second feature regions include a sixth feature region and a fourth feature region, if the ratio of the feature points in the sixth feature region and the feature points in the fourth feature region is greater than the first preset threshold , And the number of times that the sixth characteristic area appears in the characteristic area of the corresponding application category in the first application category is greater than that of the fourth characteristic area in the characteristic area of the application category corresponding to the first application category The number of occurrences, the second network device deletes the information of the fourth characteristic area.
The method according to any one of claims 8 to 13, wherein the method further comprises:

The n second characteristic regions include a fifth characteristic region, and if the fifth characteristic region corresponds to at least two application categories in the application relevance information, the second network device deletes the information of the fifth characteristic region.
A network device, characterized in that it comprises:

The obtaining unit is used to obtain the data to be detected;

A processing unit, configured to obtain w first characteristic regions according to the to-be-detected data, the first characteristic regions including at least one byte of data in the to-be-detected data, and the w is a positive integer;

The determining unit is configured to determine the application category corresponding to the data to be detected according to the w first feature regions and application correlation information, where the application correlation information indicates the correlation between the first feature region and the application category Spend.
The network device according to claim 15, wherein the determining unit is specifically configured to determine the application category corresponding to the first characteristic area according to the w first characteristic areas and the application correlation information, and The regional correlation between the first characteristic region and the corresponding application category;

A statistical unit, configured to count the sum of the regional correlations of the first feature region corresponding to each application category based on the application category;

The determining unit is further configured to determine that the to-be-detected data corresponds to the first application category based on that the sum of the regional correlations of the first characteristic regions corresponding to the first application category is the maximum value.
The network device according to claim 15 or 16, wherein the application correlation information includes the correlation information of p third characteristic regions, wherein the correlation information of the third characteristic region includes the third characteristic region , The application category corresponding to the third characteristic area, and the regional correlation between the third characteristic area and the corresponding application category; p of the third characteristic areas include the w first characteristic areas At least 1 feature area in the middle.
The network device according to any one of claims 15 to 17, wherein the data to be detected includes the first K bytes of at least one message;

The processing unit is specifically configured to perform sliding window processing on the first K bytes of the at least one message to obtain the w first characteristic regions.
The network device according to any one of claims 15 to 18, wherein the first characteristic area comprises s consecutive bytes, and the s is an integer greater than 1.
The network device according to any one of claims 15 to 19, wherein the acquiring unit is further configured to acquire first data, and the first data includes byte data corresponding to a first application category;

The network device also includes:

An input unit, configured to input the first data into a first model, wherein the output of the first model is the first application category;

The processing unit is further configured to obtain n second characteristic regions based on the first application category and the first model, and the second characteristic regions include q adjacent bytes in the first data. n is a positive integer, and the q is a positive integer;

The determining unit is further configured to determine the regional correlation between the second characteristic area and the first application category;

The network device also includes:

The generating unit is configured to generate the application relevance information based on the relevance of the second characteristic area and the area of the first application category.
The network device according to claim 20, wherein the application correlation information includes the second characteristic region correlation information, the second characteristic region correlation information includes the second characteristic region, and the The first application category corresponding to the second characteristic area, and the regional correlation between the second characteristic area and the first application category;

The n second characteristic regions include at least one first characteristic region among the w first characteristic regions, and the application category corresponding to the to-be-detected data is the first application category.
A network device, characterized in that it comprises:

An obtaining unit, configured to obtain first data, where the first data includes byte data corresponding to the first application category;

An input unit, configured to input the first data into a first model, wherein the output of the first model is the first application category;

A processing unit, configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is A positive integer, the q is a positive integer;

A determining unit, configured to determine the regional correlation between the second characteristic area and the first application category;

The generating unit is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.
The network device according to claim 22, wherein the application relevance information includes the second characteristic area relevance information, the second characteristic area relevance information includes the second characteristic area, and the The first application category corresponding to the second characteristic area, and the area correlation between the second characteristic area and the first application category.
The network device according to claim 22 or 23, wherein the processing unit is specifically configured to obtain h first eigenvalues based on the first application category and the first model, and the first eigenvalues Indicating the correlation between the first application category and the first feature point in the first data, the first feature point includes one byte of data in the first data, and the h is a positive integer;

The processing unit is specifically configured to obtain n second characteristic regions according to the h first characteristic values.
The network device according to claim 24, wherein the obtaining unit is further configured to obtain z target feature points according to the h first feature values, and the feature values of the target feature points are the h first feature values. One of the first z eigenvalues in the eigenvalues arranged in descending order of numerical value, where z is an integer less than or equal to h;

The processing unit is specifically configured to obtain the n second characteristic regions according to the z target characteristic points, and each of the second characteristic regions includes at least one target characteristic point.
The network device according to claim 25, wherein the midpoint of the second feature area is the target feature point.
The network device according to any one of claims 22 to 26, wherein the n second characteristic areas include a sixth characteristic area and a fourth characteristic area, if the characteristic points in the sixth characteristic area The proportion of overlapping feature points with the fourth feature region is greater than the first preset threshold, and the number of times the sixth feature region appears in the feature region of the corresponding application category in the first application category is greater than the For the number of times the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category, the processing unit is further configured to delete the information of the fourth characteristic area.
The network device according to any one of claims 22 to 27, wherein the n second characteristic regions comprise a fifth characteristic region, and if the fifth characteristic region corresponds to at least two characteristic regions in the application correlation information If there is an application category, the processing unit is also used to delete the information of the fifth characteristic area.
A network device, characterized in that it comprises:

At least one processor and a memory, the memory storing program code, and the processor calls the program code to execute the method according to any one of claims 1 to 7.
A network device, characterized in that it comprises:

At least one processor and a memory, the memory storing program code, and the processor calls the program code to execute the method according to any one of claims 8 to 14.