WO2021164340A1 - Procédé de traitement de données et dispositif associé - Google Patents

Procédé de traitement de données et dispositif associé Download PDF

Info

Publication number
WO2021164340A1
WO2021164340A1 PCT/CN2020/129007 CN2020129007W WO2021164340A1 WO 2021164340 A1 WO2021164340 A1 WO 2021164340A1 CN 2020129007 W CN2020129007 W CN 2020129007W WO 2021164340 A1 WO2021164340 A1 WO 2021164340A1
Authority
WO
WIPO (PCT)
Prior art keywords
characteristic
data
application
network device
application category
Prior art date
Application number
PCT/CN2020/129007
Other languages
English (en)
Chinese (zh)
Inventor
武维
郭建伟
李璠
李建平
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2021164340A1 publication Critical patent/WO2021164340A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2475Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications

Definitions

  • the embodiments of the present application relate to the field of network communication technology, and specifically relate to a data processing method and equipment.
  • DPI deep packet inspection
  • the DPI-based technology performs in-depth data analysis on the data stream, adds application layer data analysis, and finds the domain name information of the server in the parsed application layer data to identify the application category corresponding to the traffic in the network.
  • DPI-based technology uses plaintext parsing to parse the data packets in the pipeline, and plaintext parsing will affect the security of user data.
  • the embodiment of the present application provides a data processing method, which is used to identify the message in the pipeline code stream by the first network device according to the obtained application correlation information without performing plaintext parsing on the message when the application is identified in the network.
  • the corresponding application category improves the security of user data.
  • the first aspect of this application provides a data processing method.
  • the first network device When it is necessary to identify the application category corresponding to the data stream in the network pipeline, the first network device will obtain the data to be detected in the pipeline data, that is, the data to be detected includes byte data in the pipeline data.
  • the first network device After the first network device obtains the to-be-detected data, the first network device processes the to-be-detected data to obtain one or more first characteristic regions, where the first characteristic region includes at least one byte in the to-be-detected data The data.
  • the first network device obtains application relevance information stored in the system, where the application relevance information is used to indicate the relevance between the one or more first feature regions and the application category in the application relevance information.
  • the first network device After the first network device obtains the application relevance information, the first network device determines the application category corresponding to the one or more first characteristic areas according to the one or more first characteristic areas and the application relevance information, Then determine the application category corresponding to the data to be detected.
  • the first network device when the first network device performs application identification, it processes the to-be-detected data obtained from the pipeline code stream to obtain the first characteristic area, and according to the obtained application correlation information and the first The characteristic area determines the application category of the data to be detected, and the application category corresponding to the data to be detected can be determined without clear text analysis, which improves the security of user data.
  • the first network device determines the application category corresponding to the first characteristic area according to the application correlation information and the w first characteristic areas, and the first characteristic area and the corresponding application For the regional correlation between the categories, the first network device counts the sum of the regional correlations of the first feature region corresponding to each application category based on the application category.
  • the first network device determines that the to-be-detected data corresponds to the first application category based on the maximum value of the sum of the regional correlations of the first feature area corresponding to the first application category.
  • the first network device determines the area relevance corresponding to the first characteristic area according to the application relevance information, and determines the application category corresponding to the data to be detected according to the area relevance, which improves the feasibility of the solution.
  • the application correlation information further includes the correlation information of p third characteristic regions, where the correlation information of the third characteristic region includes the third characteristic region and the third characteristic region.
  • the feasibility of the solution is improved.
  • the first network device based on the sum of the regional correlation of the first feature region corresponding to the first application category is the maximum value, and the maximum value is greater than a preset threshold, it is determined that the data to be detected corresponds to the first application category.
  • the device on the first network determines that the value of the sum of the correlation degrees of the first feature area needs to be higher than the preset threshold before the first network device determines that the first application category is the application category corresponding to the data to be detected , Because when the sum of the correlation degrees of the first feature region is still lower than the preset threshold, it indicates that there is no information that is strongly related to the application category in the application correlation information in the data to be detected, so the data to be detected The corresponding application category may not be in the application relevance information, so it is necessary to set the sum of the relevance of the first feature area to be higher than the preset threshold in order to determine the application category corresponding to the data to be detected, thereby improving the solution determination The accuracy of the data to be tested.
  • the acquired data to be detected includes at least the first K bytes of a message
  • the first network device responds to the first K bytes including at least one message.
  • Sliding window processing is performed on the to-be-detected data to obtain w first feature regions.
  • the first network device processes the to-be-detected data by means of a sliding window to obtain the first characteristic region, which improves the feasibility of the solution.
  • the first characteristic area includes continuous s bytes of data, and the s is a positive integer greater than 1.
  • the feasibility of the solution is improved by limiting the specific data format of the first characteristic area.
  • the first network device before the first network device obtains the to-be-detected data from the pipeline data, the first network device generates the application correlation information.
  • the first network device When the first network device prepares to generate application relevance information, the first network device obtains byte data corresponding to the first application category, that is, the byte data corresponding to the first application category is the first data.
  • the first network device inputs the first data into the trained first model.
  • the first model will output the predicted application category.
  • the first model is trained by the first network device, or it can be sent after training by other devices.
  • the predicted application category information is the first application category.
  • the first network device After the first network device obtains the first application category, the first network device obtains n second characteristic regions based on the first application category and the first model, and the second characteristic regions include q adjacent bytes in the first data , N and q are positive integers.
  • the first network device After the first network device obtains the n second feature regions, the first network device determines the regional relevance of the second feature region and the first application category, and generates application relevance information, where the application relevance information includes the second feature The regional correlation between the region and the second feature region.
  • the first network device obtains the relevant byte data of the first application category and inputs the data into the trained first model to obtain the predicted application category information, and generates the predicted application category information according to the predicted application category information.
  • the application of relevance information improves the feasibility of the solution.
  • the application correlation information further includes second characteristic region correlation information
  • the second characteristic region correlation information includes a second characteristic region, and the first characteristic region corresponding to the second characteristic region Application category, and the regional correlation between the second feature area and the first application category.
  • the n second feature areas contain at least one first feature area in the w first feature areas, that is, the data to be detected corresponds to The application category of is the first application category.
  • the first network device obtains h first characteristic values based on the first application category and the first model. For example, the first network device may calculate the first characteristic value according to the first model. An application category, h first feature values are obtained, and the h first feature values are used to indicate the correlation between the first application category and the first feature point in the first data, and the first feature point includes at least the first feature point in the first data One byte of data, the h is a positive integer.
  • the first network device After the first network device obtains the h first characteristic values, the first network device obtains n second characteristic regions according to the h first characteristic values.
  • the first network device obtains h first feature values by processing the first application category, and obtains n second feature regions according to the h first feature values, which improves the feasibility of the solution.
  • the first network device obtains z target feature points in the first data according to h first feature values, and a feature corresponding to a target feature point in the first data
  • the value is one of the first z eigenvalues in the h first eigenvalues sorted from largest to smallest, where z is a positive integer, and z is an integer less than or equal to h.
  • the first network device After the first network device obtains z target feature points, the first network device obtains n second feature regions according to the z target feature points, that is, each second feature region includes at least one target feature point.
  • the first network device obtains z target feature points in the first data according to the h first feature values, and obtains n second feature regions according to the z target feature points, because one target feature
  • the feature value corresponding to the point is one of the first few feature values arranged in descending order of h first feature values, because the feature value indicates the degree of association between the feature point and the application category, the feature value The higher the higher, the higher the degree of association. Therefore, the higher the degree of association between the n second feature regions obtained from the target feature point and the application category, and the application correlation information generated based on the n feature regions will be used in the subsequent The higher the accuracy rate when determining the application category.
  • the midpoint of the second feature region is the target feature point.
  • the feasibility of the solution is improved by explaining the composition method of the second characteristic region.
  • the first network device is based on the number of times each characteristic area in the n second characteristic areas appears in the corresponding application category, and each of the n second characteristic areas.
  • the number of feature regions corresponding to the application category corresponding to the feature region in the n second feature regions, and the region correlation degree of each feature region in the n second feature regions is obtained, and each feature region in the n second feature regions
  • the regional correlation degree of represents the correlation degree between each feature region of the n second characteristic regions and the first application category, that is, the higher the regional correlation degree, the higher the correlation degree with the first application category.
  • the first network device generates application relevance information according to the area relevance of each of the n second characteristic areas.
  • the first network device generates application relevance information according to the area relevance corresponding to each characteristic area in the n second characteristic areas, which improves the feasibility of the solution.
  • n second features are obtained by using q consecutive feature points with each target feature point as the midpoint among the z target feature points Area, the m is a positive integer less than n.
  • the second network device obtains the second feature area by taking the target feature point as the midpoint, which improves the feasibility of the solution.
  • the first network device deletes these two features The feature region that appears less frequently in the first feature region in the region.
  • the first network device when the similarity of two different feature regions in the n second feature regions is high, deletes the feature that appears less frequently in the n second feature regions Region, avoiding the repeated calculation of the region correlation degree for some highly similar feature regions when calculating the region correlation degree, which improves the accuracy of calculating the region correlation degree.
  • this characteristic area is the fifth characteristic area.
  • the first network device deletes the characteristic areas corresponding to at least two application categories in the n second characteristic areas, because when there are characteristic areas corresponding to more than two application categories, it means that the characteristic areas represent different categories. Therefore, it cannot represent the strongly related features of a specific application category. Therefore, after the first network device deletes the feature area corresponding to more than two application categories, the accuracy of the solution to determine the data to be detected can be improved. .
  • the application correlation information may be displayed in the form of a heat map, and the larger the feature value corresponding to the feature point in the heat map, the more vivid the color of the feature point.
  • the application relevance information is displayed in the form of a heat map, so that the result of the application relevance information can be seen more intuitively.
  • the first K bytes of information of the first data may be intercepted, and the value of K includes 784 or 1024.
  • the first K bytes of information of the data to be detected may be intercepted, and the value of K includes 784 or 1024.
  • the second aspect of the application provides a data processing method.
  • the second network device obtains the byte data corresponding to the first application category, that is, the byte data corresponding to the first application category is the first data.
  • the second network device inputs the first data into the trained first model.
  • the first model will output the predicted application category.
  • the first model is trained by the second network device, or it can be sent after training by other devices.
  • the predicted application category information is the first application category.
  • the second network device After the second network device obtains the first application category, the second network device obtains n second feature areas based on the first application category and the first model, and each of the n second feature areas includes the first application category.
  • Q adjacent bytes in a data, n and q are positive integers.
  • the second network device After the second network device obtains the n second feature regions, the second network device determines the regional relevance of the second feature region and the first application category, and generates application relevance information, where the application relevance information includes the second feature The regional correlation between the region and the second feature region.
  • the second network device obtains the relevant byte data of the first application category and inputs the data into the trained first model to obtain predicted application category information, and generates the predicted application category information according to the predicted application category information.
  • the application of relevance information improves the feasibility of the solution.
  • the application correlation information further includes second characteristic region correlation information
  • the second characteristic region correlation information includes a second characteristic region, and the first characteristic region corresponding to the second characteristic region Application category, and the regional correlation between the second feature area and the first application category.
  • the n second feature areas contain at least one first feature area in the w first feature areas, that is, the data to be detected corresponds to The application category of is the first application category.
  • the second network device obtains h first characteristic values based on the first application category and the first model.
  • the second network device may calculate the first characteristic value according to the first model.
  • An application category, h first feature values are obtained, and the h first feature values are used to indicate the correlation between the first application category and the first feature point in the first data, and the first feature point includes at least the first feature point in the first data
  • the h is a positive integer.
  • the second network device After the second network device obtains the h first characteristic values, the second network device obtains n second characteristic regions according to the h first characteristic values.
  • the second network device obtains h first feature values by processing the first application category, and obtains n second feature regions according to the h first feature values, which improves the feasibility of the solution .
  • the second network device obtains z target feature points in the first data according to h first feature values, and a feature corresponding to one target feature point in the first data
  • the value is one of the first z eigenvalues in the h first eigenvalues sorted from largest to smallest, where z is a positive integer, and z is an integer less than or equal to h.
  • the second network device After the second network device obtains z target feature points, the second network device obtains n second feature regions according to the z target feature points, that is, each second feature region includes at least one target feature point.
  • the second network device obtains z target feature points in the first data according to the h first feature values, and obtains n second feature regions according to the z target feature points, because one target feature
  • the feature value corresponding to the point is one of the first few feature values arranged in descending order of h first feature values, because the feature value indicates the degree of association between the feature point and the application category, the feature value The higher the higher, the higher the degree of association. Therefore, the higher the degree of association between the n second feature regions obtained from the target feature point and the application category, and the application correlation information generated based on the n feature regions will be used in the subsequent The higher the accuracy rate when determining the application category.
  • the midpoint of the second feature region is the target feature point.
  • the feasibility of the solution is improved by limiting the composition of the second characteristic area.
  • the second network device is based on the number of times each characteristic area in the n second characteristic areas appears in the corresponding application category, and each of the n second characteristic areas The number of feature regions corresponding to the application category corresponding to the feature region in the n second feature regions, and the region correlation degree of each feature region in the n second feature regions is obtained, and each feature region in the n second feature regions
  • the regional correlation degree of represents the correlation degree between each feature region of the n second characteristic regions and the first application category, that is, the higher the regional correlation degree, the higher the correlation degree with the first application category.
  • the second network device generates application relevance information according to the area relevance of each of the n second characteristic areas.
  • the second network device generates application relevance information according to the area relevance corresponding to each characteristic area in the n second characteristic areas, which improves the feasibility of the solution.
  • n second features are obtained by using q consecutive feature points with each target feature point in the z target feature points as the midpoint.
  • Area, the m is a positive integer less than n.
  • the second network device obtains the second feature area by taking the target feature point as the midpoint, which improves the feasibility of the solution.
  • the first network device deletes these two features The feature region that appears less frequently in the first feature region in the region.
  • the second network device when the similarity of two different feature regions in the n second feature regions is very high, deletes the feature that appears less frequently in the n second feature regions Region, avoiding the repeated calculation of the region correlation degree for some highly similar feature regions when calculating the region correlation degree, which improves the accuracy of calculating the region correlation degree.
  • this characteristic area is the fifth characteristic area.
  • the second network device deletes the characteristic areas corresponding to at least two application categories in the n second characteristic areas, because when there are characteristic areas corresponding to more than two application categories, it means that the characteristic areas represent different categories. Therefore, it cannot represent the strong correlation feature of a specific application category. Therefore, after the second network device deletes the feature area corresponding to more than two application categories, the accuracy of the solution to determine the data to be detected can be improved. .
  • the application correlation information may be displayed in the form of a heat map, and the larger the feature value corresponding to the feature point in the heat map, the brighter the color of the feature point.
  • the application relevance information is displayed in the form of a heat map, so that the result of the application relevance information can be seen more intuitively.
  • the first K bytes of information of the first data may be intercepted, and the value of K includes 784 or 1024.
  • the second network device after the second network device obtains the application relevance information, the second network device sends the application relevance information to the first network device.
  • the application relevance information is sent to the first network device, which improves the feasibility of the solution.
  • the third aspect of this application provides a network device.
  • the obtaining unit is used to obtain the data to be detected
  • a processing unit configured to obtain w first characteristic regions according to the data to be detected, the first characteristic regions include at least one byte of data in the data to be detected, and w is a positive integer;
  • the determining unit is configured to determine the application category corresponding to the data to be detected according to the w first feature regions and the application correlation information, and the application correlation information indicates the correlation between the first feature region and the application category.
  • the determining unit is specifically configured to determine the application category corresponding to the first feature area and the regional correlation between the first feature area and the corresponding application category according to the w first feature areas and application correlation information;
  • a statistical unit configured to count the sum of the regional correlations of the first feature region corresponding to each application category based on the application category;
  • the determining unit is further configured to determine that the to-be-detected data corresponds to the first application category based on that the sum of the regional correlations of the first feature area corresponding to the first application category is the maximum value.
  • the application correlation information includes the correlation information of p third characteristic regions, where the correlation information of the third characteristic region includes the third characteristic region, the application category corresponding to the third characteristic region, and the relationship between the third characteristic region and the third characteristic region.
  • the regional correlation between the corresponding application categories; the p third characteristic regions include at least one characteristic region among the w first characteristic regions.
  • the data to be detected includes the first K bytes of at least one message
  • the processing unit is specifically configured to perform sliding window processing on the first K bytes of at least one message to obtain w first characteristic regions.
  • the first characteristic area includes s consecutive bytes, and s is an integer greater than 1.
  • the acquiring unit is further configured to acquire first data, where the first data includes byte data corresponding to the first application category;
  • Network equipment also includes:
  • the input unit is used to input the first data into the first model, where the output of the first model is the first application category;
  • the processing unit is further configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;
  • the determining unit is further configured to determine the regional correlation between the second characteristic area and the first application category;
  • Network equipment also includes:
  • the generating unit is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.
  • the application relevance information includes second feature area relevance information
  • the second feature area relevance information includes a second feature area, the first application category corresponding to the second feature area, and the second feature area and the first application category Regional relevance;
  • the n second characteristic regions include at least one first characteristic region among the w first characteristic regions, and the application category corresponding to the data to be detected is the first application category.
  • the fourth aspect of the present application provides a network device.
  • An acquiring unit configured to acquire first data, where the first data includes byte data corresponding to the first application category;
  • the input unit is used to input the first data into the first model, where the output of the first model is the first application category;
  • the processing unit is configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;
  • the determining unit is used to determine the regional correlation between the second characteristic area and the first application category
  • the generating unit is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.
  • the application relevance information includes second feature area relevance information
  • the second feature area relevance information includes a second feature area, the first application category corresponding to the second feature area, and the second feature area and the first application category Regional relevance.
  • the processing unit is specifically configured to obtain h first feature values based on the first application category and the first model, where the first feature value indicates the correlation between the first application category and the first feature point in the first data, and the first The characteristic point includes one byte of data in the first data, and h is a positive integer;
  • the processing unit is specifically configured to obtain n second characteristic regions according to the h first characteristic values.
  • the obtaining unit is further configured to obtain z target feature points according to the h first feature values, and the feature value of the target feature point is the first z of the h first feature values arranged in descending order of value.
  • One of the eigenvalues, z is a positive integer, and z is an integer less than or equal to h;
  • the processing unit is specifically configured to obtain n second feature regions according to z target feature points, and each second feature region includes at least one target feature point.
  • the midpoint of the second feature region is the target feature point.
  • the n second feature regions include a sixth feature region and a fourth feature region, if the ratio of feature points in the sixth feature region and feature points in the fourth feature region is greater than the first preset threshold, and The number of times that the sixth characteristic area appears in the characteristic area of the corresponding application category in the first application category is greater than the number of times the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category, then the network device further includes:
  • the processing unit is used to delete the information of the fourth characteristic area.
  • the n second characteristic regions include a fifth characteristic region, and if the fifth characteristic region corresponds to at least two application categories in the application relevance information, the processing unit is further configured to delete the information of the fifth characteristic region.
  • the fifth aspect of the present application provides a network device.
  • At least one processor and a memory stores program code, and the processor calls the program code to execute the method described in the implementation manner of the first aspect of the present application.
  • the sixth aspect of the present application provides a network device.
  • At least one processor and a memory stores program code, and the processor calls the program code to execute the method described in the implementation manner of the second aspect of the present application.
  • the seventh aspect of the present application provides an application identification system, including a first network device and a second network device.
  • the first network device is used to execute the method described in the implementation manner of the first aspect of the present application.
  • the second network device is used to execute the method described in the implementation manner of the second aspect of the present application.
  • the second network device is used to send application relevance information to the first network device.
  • the eighth aspect of the present application provides a computer storage medium.
  • the computer storage medium stores instructions.
  • the computer executes the same as the first aspect of the present application, and/or the second Aspects implement the method described in the mode.
  • the ninth aspect of the present application provides a computer program product.
  • the computer program product When the computer program product is executed on a computer, the computer executes the method described in the first aspect of the present application and/or the implementation manner of the second aspect.
  • the first network device obtains the data to be detected, and processes the data to be detected to obtain the first characteristic area, and determines the application category of the data to be detected according to the obtained application correlation information and the first characteristic area, without the need to parse the data in plaintext , Improve the security of user data.
  • Figure 1 is a schematic diagram of a network architecture in an embodiment of the application
  • Figure 2 is a schematic flowchart of a data processing method in an embodiment of the application
  • FIG. 3 is a schematic flowchart of another data processing method in an embodiment of the application.
  • FIG. 4 is a schematic diagram of the structure of a network device in an embodiment of the application.
  • FIG. 5 is a schematic structural diagram of another network device in an embodiment of this application.
  • FIG. 6 is a schematic structural diagram of another network device in an embodiment of this application.
  • FIG. 7 is a schematic structural diagram of another network device in an embodiment of this application.
  • Fig. 8 is a schematic structural diagram of another network device in an embodiment of this application.
  • the embodiment of the application provides a data processing method and device, which are used in the application identification of pipeline data by obtaining the data to be detected in the pipeline code stream, and processing the data to be detected to obtain the first characteristic area, and according to the application
  • the relevance information and the first feature area determine the application category of the data to be detected, without the need to parse the data in plain text, which improves the security of user data.
  • Figure 1 is a schematic diagram of the network architecture provided for this application.
  • the embodiment of the present application provides an exemplary network architecture.
  • the network architecture includes at least the first network device 101.
  • the first network device 101 can be connected to a network pipe, which is used to transmit data.
  • the network pipe can be a network pipe in a local area network, a network pipe in a wide area network, or a network pipe in other scenarios. There is no limitation here.
  • the first network device 101 can be installed between the router and the core network, connected by wired or wireless, can also be installed between the core network and the firewall, or can be installed in the local area network, as long as the first network device 101 is connected Just go to the network pipeline, such as the convergence node of the network traffic, the node where the network traffic flows through, etc.
  • the specifics are not limited here.
  • the first network device 101 is configured to generate application relevance information, and then obtain the data to be detected online in real time, and determine the application category of the data to be detected through the application relevance information.
  • the first network device 101 is configured to identify the application category corresponding to the message in the data transmission pipeline according to the application correlation information, and distinguish the data packet traffic belonging to different application types for data analysis.
  • the first network device 101 can be a server with a separate function, such as a separate application identification server, or can be integrated into an existing server, such as integrated in a network management server, or integrated in a network monitoring server, or integrated in traffic management
  • the server is medium, and the specific server format is not limited here.
  • the base station receives the data sent by the terminal and transmits the data to the route through the network channel. After the route transfers the data, the data is transmitted to the core network, and the core network then transmits the data that needs to be transmitted to the data destination, passing through the firewall, and finally arrives at the receiver. Data party.
  • the first network device 101 is connected to the network pipeline, such as the convergence node of the network traffic, the node that the network traffic flows through, etc.
  • the first network device 101 mirrors the place where the data flows in the communication network. Part of the data is used for application identification analysis.
  • one first network device 101 may exist alone, or multiple first network devices 101 may exist at the same time, and the details are not limited here. .
  • the network architecture may further include a terminal device 103.
  • the first network device 101 may send the data of the application category to the terminal device 103, so that the terminal device 103 may receive the data of the application category, and then process the data of the application category, for example, display the data of the application category.
  • the specific processing method is not limited here.
  • the terminal device 103 may be a computer device, or other devices, such as a network management device, which is not specifically limited here.
  • the network architecture may further include a second network device 102, and the second network device 102 may work offline and independently, or may be connected to the first network device.
  • the second network device 102 can be used on the offline side, that is, to obtain the first data used to train the model, and then train the first model through the first data, and obtain the first model according to the trained first model and the first data.
  • Application relevance information The second network device 102 is also used to send application relevance information to the first network device, which is not specifically limited here.
  • the first network device 101 may also be used on the offline side to obtain application correlation information, then the network architecture does not include the second network device 102.
  • Network pipe A collective name for equipment used to carry network data packets.
  • Application identification Identify which application category the traffic in the pipeline belongs to, for example, the pipeline traffic belongs to APP1, APP2, etc.
  • Code stream the data packet stream in the network.
  • Heat map A visual way to express the importance of data through color changes. For example, in the heat map, the brighter the data, the greater the impact on the result of application recognition.
  • Active area the location area where the data in the heat map has a greater influence, indicating the brighter location area in the heat map.
  • Pull test similar to a network data crawler, intercepting data packet information from the network.
  • the first network device and the second network device instead of the network device are used as an example for description.
  • the first network device can obtain application relevance information through the first model training, and then determine the application category corresponding to the message in the pipeline data through the application relevance information, and can also receive applications sent by other network devices
  • the relevance information is used to determine the application category corresponding to the message in the pipeline data through the application relevance information sent by other network devices. Therefore, there are several specific implementation manners of the embodiments of the present application, which are described below.
  • the first network device generates application correlation information.
  • FIG. 2 is a schematic flowchart of an embodiment of the data processing method provided by this application.
  • this embodiment can be divided into an online side and an offline side.
  • the online side is the online real-time identification of the application category corresponding to the online data stream
  • the offline side is the training model to obtain application relevance information.
  • the application correlation information can be used on the online side to identify the application category corresponding to the online data stream.
  • the offline side will be described.
  • step 201 the second network device obtains the first data.
  • the second network device obtains the data stream corresponding to the first application category, and the data stream includes byte data corresponding to the first application category.
  • the second network device may obtain the data stream in the pipeline data by means of plug-in testing, It is also possible to collect multiple data streams through other devices, and then uniformly send them to the second network device, which is not specifically limited here.
  • the data stream obtained by the second network device may be as follows:
  • the second network device may also obtain data streams corresponding to multiple application categories, as shown below:
  • the second network device acquires and processes the data of the first application category as an example for description. It should be understood that the acquisition and processing of data of multiple application categories is similar, and this application does not constitute a limitation.
  • the display mode of the data stream can be binary or converted hexadecimal, which is not specifically done here.
  • this application uses hexadecimal as an example for description.
  • this application is described in units of bytes, and this application may also be described in units of bits, etc., which is not specifically limited here.
  • the second network device may not intercept the first K bytes of data of the data stream, but use the data stream for subsequent processing, which is not specifically limited here.
  • the first data includes the first K bytes of data of the data stream.
  • the second network device does not perform the data stream When intercepting, the first data is the data stream.
  • the first data includes byte data of the multiple data streams.
  • step 202 the second network device trains the first model.
  • the second network device builds a multi-layer convolutional neural network.
  • the multi-layer convolutional neural network can be three or five layers, it can be a VGG type neural network, or it can be a ResNet
  • the type of neural network is not limited here.
  • the structure of the five-layer convolutional neural network is an input layer, a first hidden layer, a second hidden layer, a third hidden layer, and an output layer in order.
  • the number of nodes in the input layer is equal to K, which is the same as K in the first K bytes of information in the intercepted message by the second network device.
  • the number of nodes in the output layer of the neural network is the number of application categories.
  • the number of nodes in the output layer is one node.
  • the number of nodes in the output layer is the corresponding multiple nodes.
  • the input layer data adopts convolution operation, and the linear rectification function (rectified linear unit, ReLU) is used to generate the first hidden layer, the first hidden layer is convolution operation, and the ReLU activation function is used to generate the second hidden layer.
  • Layer for the second hidden layer, use global average pooling (GAP) operation to generate the third hidden layer, and use the fully connected operation for the third hidden layer, and activate it through the normalized exponential function softmax Function to generate output layer data.
  • GAP global average pooling
  • the first data may be normalized to obtain normalized data for training of the first model.
  • the normalization can be achieved by the following method: One:
  • the corresponding prediction category is obtained through the forward operation of the first model, the cross entropy loss value of the prediction category and the first application category is calculated, the gradient descent method is executed, and the model parameters are updated.
  • the training of the first model is completed. It should be understood that when the training of the first model is completed, the data corresponding to the first application category is input to the first model, and the output of the first model is the first application category.
  • step 203 the second network device obtains h first feature values based on the first application category and the first model.
  • the second network device obtains h first feature values based on the first application category and the first model.
  • the first feature value represents the correlation between the first feature point in the first data and the first application category.
  • the first feature The point refers to one byte of data, and the larger the feature value corresponding to the first feature point, the higher the correlation with the first application category.
  • the first feature point may also refer to multiple bytes of data, such as 2 bytes, etc., and this application does not constitute a limitation.
  • the second network device can obtain the h first feature values in a variety of ways. For example, the second network device obtains the connection weight value based on the first application category and the data of the last hidden layer in the architecture of the first model. The obtained connection weight value is multiplied with the corresponding penultimate hidden layer value to obtain the weighted feature information. The weighted feature information is added, and the first data is up-sampling to obtain the h The first characteristic value.
  • the h first eigenvalues can also be obtained in different ways.
  • This embodiment is a schematic example, and the method for obtaining the h first eigenvalues is not specifically described. The limit.
  • step 204 the second network device obtains z target feature points according to the h first feature values.
  • the second network device After obtaining the h first feature values, the second network device obtains the first z feature values of the h first feature values, where z is a positive integer less than or equal to h, thereby obtaining the z features Z feature points corresponding to the value. Take the z feature points as z target feature points.
  • the data size in the first eigenvalue is ranked first.
  • the eigenvalues of different feature points may be the same, for example:
  • step 205 the second network device obtains n second feature regions according to z target feature points.
  • the second network device After the second network device obtains z target feature points, the second network device intercepts one or more consecutive feature points including at least one target feature point in the first data to obtain the second feature area, and so on, There will be n second feature regions, where n is a positive integer greater than or equal to z.
  • n is a positive integer greater than or equal to z.
  • the following will take the second feature region including q consecutive feature points as an example for description, and q is an integer greater than or equal to 1. It should be understood that for different second feature regions, the value of q may be different.
  • the center point of the second feature region is the target feature point.
  • step 203 to step 205 are steps performed on one data stream. When there are multiple data streams, step 203 to step 205 are repeated. For data streams of multiple application categories, the processing of step 203 to step 205 is performed on the data streams corresponding to the multiple application categories, respectively.
  • step 206 the second network device determines the regional correlation between the second characteristic area and the first application category.
  • the second network device After processing the multiple data streams, the second network device further determines the regional correlation between the second characteristic area and the application category corresponding to the second characteristic area.
  • the second network device counts the number of the same second characteristic area in n second characteristic areas, and further obtains the n corresponding to the second characteristic area in the first application category. The probability of occurrence in the second characteristic area, thereby obtaining the regional correlation degree between the second characteristic area and the first application category. As shown in Table 1a:
  • the second feature area "82, 0a, 2a, 2e, 67, 76, 74, 32" in Table 1a as an example for illustration.
  • the number of the second feature area (also called the number of occurrences) is 80, the The second feature area corresponds to the first application category app1.
  • the total number of second feature areas of the first application category is 100, and the area correlation between the second feature area and its corresponding first application category is 80/100 , Which is 0.8.
  • the second network device separately counts the number of the same second feature area in the second feature area corresponding to each application category in the multiple application categories, and further obtains the second feature The probability of the region appearing in the total amount of the second feature region of the corresponding application category, thereby obtaining the regional correlation between the second feature region and the corresponding application category.
  • Table 1b shows the second network device separately counts the number of the same second feature area in the second feature area corresponding to each application category in the multiple application categories, and further obtains the second feature The probability of the region appearing in the total amount of the second feature region of the corresponding application category, thereby obtaining the regional correlation between the second feature region and the corresponding application category.
  • the second network device may perform statistics and calculations on the second characteristic regions of each application category.
  • the method for calculating the area relevance can also be (a certain The number of times that a characteristic area appears in all characteristic areas in its corresponding application category*category preference weight value)/the number of all characteristic areas in the application category is not specifically limited here.
  • the second network device when the second network device counts the number of occurrences of each characteristic area in the first data in the n second characteristic areas and the application category to which it belongs, if the n second characteristic areas include the sixth characteristic area and the first characteristic area Four characteristic regions, if the proportion of the feature points in the sixth characteristic region and the characteristic points in the fourth characteristic region being repeated is greater than the first preset threshold, and the sixth characteristic region is the characteristic region of the application category corresponding to the first application category If the number of times that the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category is greater than the number of times that the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category, the second network device deletes the information of the fourth characteristic area. It should be noted that if the number of occurrences of the two characteristic regions is equal, one of the characteristic regions will be arbitrarily deleted, and the details are not limited here.
  • the second network device when the second network device counts the number of occurrences of each characteristic area in the first data in the n second characteristic areas and the application category to which it belongs, if the n second characteristic areas further include the fifth characteristic area, And the fifth characteristic area corresponds to two or more application categories, the fifth characteristic area is deleted.
  • deleting the feature area can improve the efficiency of determining the data stream online.
  • step 207 the second network device generates application relevance information based on the relevance of the second characteristic area to the area of the first application category.
  • the application correlation information does not include the information of the characteristic area.
  • the second network device After the second network device obtains the area relevance of the characteristic areas in the n second characteristic areas, the second network device generates application relevance information according to the area relevance of the characteristic areas in the n second characteristic areas.
  • the application relevance information includes the area relevance information of the second feature area, the area relevance information of the second feature area includes the second feature area, and the second feature area corresponds to The first application category, and the regional correlation between the second feature area and the first application category.
  • the application relevance information can be as shown in Table 2a,
  • the second network device respectively generates application relevance information according to the regional relevance of each of the n second feature areas of different application categories.
  • the application relevance information includes the area relevance information of the second feature area, and the area relevance information of the second feature area includes the second feature area, the application category corresponding to the second feature area, and the second feature area and the second feature area.
  • the application relevance information can be as shown in Table 2b,
  • the application relevance information can also exist in other forms, as long as the application relevance information can indicate the association relationship between the feature area and the application category and the regional relevance of the feature area under the application category, for example,
  • the application relevance information is expressed in the form of a heat map. It is understandable that the application relevance information can also be expressed in other ways, such as a one-dimensional vector or a table, which is not specifically limited here.
  • Steps 201 to 207 describe the method on the offline side in this embodiment, and the following steps describe the method on the online side in this embodiment.
  • Figure 3 is a schematic diagram of the process on the online side of this application.
  • step 301 the first network device obtains the data to be detected.
  • the first network device receives the application relevance information sent by the second network device.
  • the first network device needs to identify and classify the data packets in the pipeline data
  • the first network device acquires the data to be detected in the pipeline data.
  • the first network device may obtain the data to be detected by dialing and testing by itself, and may also receive the data to be detected sent by other gateway devices, which is not specifically limited here.
  • the data to be detected obtained by the first network device may be a binary data packet or a hexadecimal data packet, and the specifics are not limited here.
  • step 302 the first network device obtains w first characteristic regions according to the data to be detected.
  • the first network device After the first network device obtains the data to be detected, it intercepts the first K bytes of information of the message, that is, intercepts the same byte information as when training the model on the offline side, and then uses the sliding window method according to the K bytes
  • the information generates w first feature regions, where w is a positive integer greater than or equal to 1.
  • the w first feature regions can also be obtained in other ways, for example, the w first feature regions can be obtained by AC (Aho–Corasick, AC) automata algorithm or prefix tree algorithm, which is not specifically done here. limited.
  • the AC automata algorithm needs to be constructed according to the application correlation information, and then the w first feature regions are obtained through the AC automata algorithm, that is, according to Apply the existing feature regions in the correlation information to automatically obtain w first feature regions that match it.
  • the characteristic area can also be obtained in other ways, as long as a collection of bytes of different sizes is obtained, which is not specifically limited here.
  • the first characteristic area can be obtained by processing the byte information of the data stream.
  • the first network device determines the regional correlation between the first characteristic region and the corresponding application category according to the application correlation information and the first characteristic region.
  • the correlation information of the third characteristic region includes the third characteristic region and the application category corresponding to the third characteristic region.
  • the regional correlation between the third characteristic area and the corresponding application category, and when the p third characteristic areas include at least one characteristic area in the w first characteristic areas the first network device is related to the application Find the area correlation information corresponding to each feature area in the w first feature areas in the degree information, such as the corresponding application category, and the area correlation with the application category.
  • the value of the regional relevance corresponding to the characteristic region is 0.
  • the first network device determines the application category corresponding to the first characteristic area and the area between the first characteristic area and the corresponding application category according to the w first characteristic areas and the application correlation information relativity;
  • the first network device counts the sum of the regional correlation degrees of the first characteristic area corresponding to each application category based on the application category;
  • the first network device determines that the data to be detected corresponds to the first application category based on that the sum of the regional correlations of the first characteristic areas corresponding to the first application category is the maximum value.
  • the first network device determines the application category corresponding to the first feature area and the area correlation between the first feature area and the corresponding application category according to the w first feature areas and application correlation information; and makes statistics based on the application category The sum of the regional relevance of the first feature area corresponding to each application category, so as to obtain the total regional relevance corresponding to each application category, for example, as shown in Table 3a below,
  • the feature area corresponding to this app1 is "65, 6a, 77, 8e, 67, 6b, 45, 33", and “33, 11, 96, 5e, 6b, 3e, 45, 33", and the regional correlations corresponding to these two feature regions are 0.4 and 0.15, respectively, then the sum of the regional correlations corresponding to the "app1" is calculated to be 0.55.
  • the network device can perform statistics and calculations on the regional correlation degrees corresponding to each application category to obtain the total regional correlation degrees corresponding to each application category.
  • step 304 the first network device determines that the data to be detected corresponds to the first application category based on that the sum of the regional correlations of the first characteristic regions corresponding to the first application category is the maximum value.
  • the first network device After the first network device obtains statistics of the total area relevance of the first feature area corresponding to different application categories, the first network device determines the data to be detected corresponding to the first feature area according to the maximum value of the sum of the area relevance of the first feature area Corresponds to the first application category.
  • the first network device may also determine whether the sum of the area correlations of the first characteristic area is higher than a preset threshold. The sum of the area correlations of the first characteristic area is higher than the preset threshold, and the first network device determines that the application category corresponding to the first characteristic area is the application category corresponding to the data to be detected. If the sum of the regional relevance of the first characteristic area is lower than the preset threshold, the first network device determines that the application category corresponding to the data to be detected is not the application category in the application relevance information.
  • the first network device may display the result of the application category corresponding to the data to be detected in the display area of the first network device, or send the result to other devices, such as Terminal equipment for operation and maintenance personnel.
  • the first network device determines that the application category corresponding to the data to be detected is not the application category in the application relevance information, it can generate application relevance information corresponding to the application category through steps 201 to 207. Furthermore, the application relevance information corresponding to the application category can be integrated with the original application relevance information to form updated application relevance information.
  • steps 201 to 207 can also be executed by the first network device.
  • steps 201 to 207 can also be executed by the first network device.
  • the first network device When executed by the first network device, then in step 301, when the first network device needs to use the application relevance information, it directly obtains the application Relevance information is sufficient.
  • the first 1024 bytes of information of the data stream include IP information, DNS information, and port information. And so on binary data ciphertext information, because this information can reflect certain characteristics of the application category, so the application correlation information is generated from the binary data of this information, and then the message data in the pipeline data is identified according to the application correlation information.
  • the application category of the first network device has improved the accuracy of identifying application categories.
  • FIG. 4 is a schematic structural diagram of an embodiment of the network device provided by this application.
  • the obtaining unit 401 is configured to obtain the data to be detected
  • the processing unit 402 is configured to obtain w first characteristic regions according to the data to be detected, the first characteristic regions include at least one byte of data in the data to be detected, and w is a positive integer;
  • the determining unit 403 is configured to determine the application category corresponding to the data to be detected according to the w first feature regions and the application correlation information, and the application correlation information indicates the correlation between the first feature region and the application category.
  • each unit of the network device is similar to those described in the foregoing embodiment shown in FIG. 2 and will not be repeated here.
  • FIG. 5 is a schematic structural diagram of another embodiment of the network device provided by this application.
  • the obtaining unit 501 is configured to obtain the data to be detected
  • the processing unit 503 is configured to obtain w first characteristic regions according to the data to be detected, the first characteristic regions include at least one byte of data in the data to be detected, and w is a positive integer;
  • the determining unit 505 is configured to determine the application category corresponding to the data to be detected according to the w first feature regions and application correlation information, and the application correlation information indicates the correlation between the first feature region and the application category.
  • the determining unit 505 is specifically configured to determine the application category corresponding to the first feature area and the regional correlation between the first feature area and the corresponding application category according to the w first feature areas and application correlation information;
  • the statistics unit 504 is configured to count the sum of the regional correlation degrees of the first feature region corresponding to each application category based on the application category;
  • the determining unit 505 is further configured to determine that the to-be-detected data corresponds to the first application category based on that the sum of the regional correlations of the first feature area corresponding to the first application category is the maximum value.
  • the application correlation information includes the correlation information of p third characteristic regions, where the correlation information of the third characteristic region includes the third characteristic region, the application category corresponding to the third characteristic region, and the relationship between the third characteristic region and the third characteristic region.
  • the regional correlation between the corresponding application categories; the p third characteristic regions include at least one characteristic region among the w first characteristic regions.
  • the data to be detected includes the first K bytes of at least one message
  • the processing unit 503 is specifically configured to perform sliding window processing on the first K bytes of at least one message to obtain w first feature regions.
  • the first characteristic area includes s consecutive bytes, and s is an integer greater than 1.
  • the acquiring unit 501 is further configured to acquire first data, where the first data includes byte data corresponding to the first application category;
  • Network equipment also includes:
  • the input unit 502 is configured to input first data into a first model, where the output of the first model is the first application category;
  • the processing unit 503 is further configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;
  • the determining unit 505 is further configured to determine the regional correlation between the second characteristic region and the first application category;
  • Network equipment also includes:
  • the generating unit 506 is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.
  • the application relevance information includes second feature area relevance information
  • the second feature area relevance information includes a second feature area, the first application category corresponding to the second feature area, and the second feature area and the first application category Regional relevance;
  • the n second characteristic regions include at least one first characteristic region among the w first characteristic regions, and the application category corresponding to the data to be detected is the first application category.
  • each unit of the network device is similar to those described in the foregoing embodiments shown in FIG. 2 and FIG. 3, and will not be repeated here.
  • FIG. 6 is a schematic structural diagram of another embodiment of a network device provided by this application.
  • the acquiring unit 601 is configured to acquire first data, where the first data includes byte data corresponding to the first application category;
  • the input unit 602 is configured to input first data into a first model, where the output of the first model is the first application category;
  • the processing unit 603 is configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;
  • the determining unit 604 is configured to determine the regional correlation between the second characteristic area and the first application category
  • the generating unit 605 is configured to generate application relevance information based on the relevance of the second characteristic area and the area of the first application category.
  • each unit of the network device is similar to those described in the foregoing embodiment shown in FIG. 3, and will not be repeated here.
  • FIG. 7 is a schematic structural diagram of another embodiment of the network device provided by this application.
  • the obtaining unit 701 is configured to obtain first data, where the first data includes byte data corresponding to the first application category;
  • the input unit 702 is configured to input first data into a first model, where the output of the first model is the first application category;
  • the processing unit 703 is configured to obtain n second characteristic regions based on the first application category and the first model, where the second characteristic regions include q adjacent bytes in the first data, where n is a positive integer, and q is a positive integer;
  • the determining unit 704 is configured to determine the regional correlation between the second characteristic area and the first application category
  • the generating unit 705 is configured to generate application relevance information based on the relevance of the second characteristic area to the area of the first application category.
  • the application correlation information includes second characteristic area correlation information
  • the second characteristic area correlation information includes a second characteristic area, the first application category corresponding to the second characteristic area, and the second characteristic area and the first application category Regional relevance.
  • the processing unit 703 is specifically configured to obtain h first feature values based on the first application category and the first model, where the first feature values indicate the correlation between the first application category and the first feature point in the first data, and A characteristic point includes one byte of data in the first data, and h is a positive integer;
  • the processing unit 703 is specifically configured to obtain n second feature regions according to the h first feature values.
  • the acquiring unit 701 is further configured to acquire z target feature points according to the h first feature values, and the feature value of the target feature point is the first z of the h first feature values arranged in descending order of value.
  • One of the eigenvalues, z is a positive integer, and z is an integer less than or equal to h;
  • the processing unit 703 is specifically configured to obtain n second feature regions according to z target feature points, and each second feature region includes at least one target feature point.
  • the midpoint of the second feature region is the target feature point.
  • the n second feature regions include a sixth feature region and a fourth feature region, if the ratio of feature points in the sixth feature region and feature points in the fourth feature region is greater than the first preset threshold, and The number of times that the sixth characteristic area appears in the characteristic area of the corresponding application category in the first application category is greater than the number of times the fourth characteristic area appears in the characteristic area of the corresponding application category in the first application category, then the network device further includes:
  • the processing unit 703 is configured to delete the information of the fourth characteristic region.
  • the n second characteristic regions include a fifth characteristic region, and if the fifth characteristic region corresponds to at least two application categories in the application relevance information, the processing unit 703 is further configured to delete the information of the fifth characteristic region.
  • each unit of the network device is similar to those described in the foregoing embodiments shown in FIG. 2 and FIG. 3, and will not be repeated here.
  • another embodiment of the network device in the embodiment of the present application includes:
  • FIG. 8 is a schematic diagram of a computer device provided by an embodiment of this application.
  • the computer device includes at least one processor 801, a communication bus 802 and a memory 803, and may also include at least one communication interface 804 and an I/O interface 805.
  • the processor may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of this application.
  • CPU central processing unit
  • ASIC application-specific integrated circuit
  • the communication bus may include a path to transfer information between the above-mentioned components.
  • the communication interface uses any device such as a transceiver to communicate with other devices or communication networks, such as Ethernet, wireless access network (RAN), wireless local area network (Wireless Local Area NetworKs, WLAN), etc.
  • the memory can be read-only memory (ROM) or other types of static storage devices that can store static information and instructions, random access memory (RAM), or other types that can store information and instructions
  • Dynamic storage devices can also be Electrically Erasable Programmable Read-Only Memory (EEPROM), CD-ROM (Compact Disc Read-Only Memory, CD-ROM) or other optical disc storage, optical disc storage ( Including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or can be used to carry or store desired program codes in the form of instructions or data structures and can be stored by a computer Any other media taken, but not limited to this.
  • the memory can exist independently and is connected to the processor through a bus.
  • the memory can also be integrated with the processor.
  • the memory is used to store application program code for executing the solution of the present application, and the processor controls the execution.
  • the processor is configured to execute the application program code stored in the memory.
  • the processor may include one or more CPUs, and each CPU may be a single-core processor or a multi-core processor.
  • the processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
  • the computer device may further include an input/output (I/O) interface.
  • the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector, etc.
  • the input device can be a mouse, a keyboard, a touch screen device, or a sensor device.
  • the above-mentioned computer equipment may be a general-purpose computer equipment or a special-purpose computer equipment.
  • the computer equipment can be a desktop computer, a portable computer, a network server, a PDA (Personal Digital Assistant, PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, an embedded device, or the like in Figure 7 Structure of the equipment.
  • PDA Personal Digital Assistant
  • the embodiments of this application do not limit the type of computer equipment.
  • the first network device, the second network device or the terminal device in FIG. 1, FIG. 2 or FIG. 3 may be the device shown in FIG. 8, and one or more software modules are stored in the memory.
  • the network device and the terminal device can implement the software module through the processor and the program code in the memory to complete the method executed by the network device or the terminal device in the foregoing embodiment.
  • the processor 801 can execute the operations performed by the first network device or the second network device in the embodiments shown in FIG. 2 and FIG. 3, and details are not described herein again.
  • the embodiments of the present application also provide a system for identifying applications.
  • the system includes a first network device and a second network device.
  • the first network device is used to execute the method for executing the first network device in the embodiment shown in FIG. 3, and details are not described herein again.
  • the second network device is used to execute the method executed by the second network device in the embodiment shown in FIG. 2, and details are not described herein again.
  • the second network device is further configured to send application relevance information to the first network device.
  • the first network device is further configured to send the application category corresponding to the data to be detected to the terminal device.
  • the embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored.
  • a computer program is stored on which a computer program is stored.
  • the processor mentioned in the network device in the above embodiment of this application may be a central processing unit (CPU) or other general-purpose processors. , Digital signal processor (digital signal processor, DSP), application specific integrated circuit (ASIC), ready-made programmable gate array (field programmable gate array, FPGA) or other programmable logic devices, discrete gates or transistor logic Devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the number of processors in the network device in the above embodiments of the present application may be one or multiple, and may be adjusted according to actual application scenarios. This is only an exemplary description and is not limited.
  • the number of memories in the embodiments of the present application may be one or multiple, and may be adjusted according to actual application scenarios. This is only an exemplary description and is not limited.
  • the memory or readable storage medium mentioned in the network device in the above embodiments in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), and electrically available Erase programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • RAM random access memory
  • static random access memory static random access memory
  • dynamic RAM dynamic RAM
  • DRAM dynamic random access memory
  • synchronous dynamic random access memory synchronous DRAM, SDRAM
  • double data rate synchronous dynamic random access memory double data rate SDRAM, DDR SDRAM
  • enhanced synchronous dynamic random access memory enhanced SDRAM, ESDRAM
  • synchronous connection dynamic random access memory serial DRAM, SLDRAM
  • direct rambus RAM direct rambus RAM, DR RAM
  • the network device includes a processor (or processing unit) and a memory
  • the processor in this application may be integrated with the memory, or the processor and the memory may be connected through an interface, which can be based on actual conditions.
  • the application scenario adjustment is not limited.
  • the embodiments of the present application also provide a computer program or a computer program product including a computer program.
  • the computer program When the computer program is executed on a computer, the computer will enable the computer to realize the connection with the network device in any of the above-mentioned method embodiments. Method flow.
  • FIG. 2 to FIG. 3 it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • software it can be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center. Transmission to another website, computer, server or data center via wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.).
  • wired such as coaxial cable, optical fiber, digital subscriber line (DSL)
  • wireless such as infrared, wireless, microwave, etc.
  • the computer-readable storage medium may be any available medium that can be stored by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or It can be integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of this application essentially or the part that contributes to the existing technology or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium.
  • the storage medium includes: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes.
  • the words “if” or “if” as used herein can be interpreted as “when” or “when” or “in response to determination” or “in response to detection”.
  • the phrase “if determined” or “if detected (statement or event)” can be interpreted as “when determined” or “in response to determination” or “when detected (statement or event) )” or “in response to detection (statement or event)”.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Des modes de réalisation de l'invention concernent un procédé de traitement de données. Dans les modes de réalisation de l'invention, le procédé peut être utilisé dans la transmission de données réseau, et comprend les étapes suivantes : un premier dispositif réseau obtient des données à inspecter ; le premier dispositif réseau obtient w premières zones de caractéristiques en fonction des données à inspecter, les premières zones de caractéristiques comprenant des données d'au moins un octet dans les données à inspecter, et w étant un nombre entier positif ; le premier dispositif réseau obtient des informations de degré de corrélation d'application, les informations de degré de corrélation d'application indiquant des degrés de corrélation entre les w premières zones de caractéristiques et les catégories d'application ; le premier dispositif réseau détermine, en fonction des w premières zones de caractéristiques et des informations de degré de corrélation d'application, une catégorie d'application correspondant aux données à inspecter. Selon les modes de réalisation de l'invention, une catégorie d'application correspondant à des données à inspecter peut être déterminée sans analyse de texte clair, ce qui améliore la sécurité des données utilisateur.
PCT/CN2020/129007 2020-02-17 2020-11-16 Procédé de traitement de données et dispositif associé WO2021164340A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010097474.8 2020-02-17
CN202010097474.8A CN113271263B (zh) 2020-02-17 2020-02-17 一种数据处理方法及其设备

Publications (1)

Publication Number Publication Date
WO2021164340A1 true WO2021164340A1 (fr) 2021-08-26

Family

ID=77227551

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/129007 WO2021164340A1 (fr) 2020-02-17 2020-11-16 Procédé de traitement de données et dispositif associé

Country Status (2)

Country Link
CN (1) CN113271263B (fr)
WO (1) WO2021164340A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115374130A (zh) * 2022-10-26 2022-11-22 中科三清科技有限公司 一种大气污染历史数据存储方法及介质

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101202652A (zh) * 2006-12-15 2008-06-18 北京大学 网络应用流量分类识别装置及其方法
CN105323117A (zh) * 2014-08-04 2016-02-10 中国电信股份有限公司 应用识别方法、装置、系统与应用服务器
CN107181736A (zh) * 2017-04-21 2017-09-19 湖北微源卓越科技有限公司 基于7层应用的网络数据包分类方法及系统
US10333664B1 (en) * 2016-09-19 2019-06-25 Sprint Spectrum L.P. Systems and methods for dynamically selecting wireless devices for uplink (UL) multiple-input-multiple-output (MIMO) pairing
CN110708215A (zh) * 2019-10-10 2020-01-17 深圳市网心科技有限公司 深度包检测规则库生成方法、装置、网络设备及存储介质

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8738906B1 (en) * 2011-11-30 2014-05-27 Juniper Networks, Inc. Traffic classification and control on a network node
CN103763320B (zh) * 2014-01-21 2017-01-25 中国联合网络通信集团有限公司 一种流量记录的合并方法和合并系统
CN104144089B (zh) * 2014-08-06 2017-06-16 山东大学 一种基于bp神经网络进行流量识别的方法
CN109951357A (zh) * 2019-03-18 2019-06-28 西安电子科技大学 基于多层神经网络的网络应用识别方法

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101202652A (zh) * 2006-12-15 2008-06-18 北京大学 网络应用流量分类识别装置及其方法
CN105323117A (zh) * 2014-08-04 2016-02-10 中国电信股份有限公司 应用识别方法、装置、系统与应用服务器
US10333664B1 (en) * 2016-09-19 2019-06-25 Sprint Spectrum L.P. Systems and methods for dynamically selecting wireless devices for uplink (UL) multiple-input-multiple-output (MIMO) pairing
CN107181736A (zh) * 2017-04-21 2017-09-19 湖北微源卓越科技有限公司 基于7层应用的网络数据包分类方法及系统
CN110708215A (zh) * 2019-10-10 2020-01-17 深圳市网心科技有限公司 深度包检测规则库生成方法、装置、网络设备及存储介质

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115374130A (zh) * 2022-10-26 2022-11-22 中科三清科技有限公司 一种大气污染历史数据存储方法及介质
CN115374130B (zh) * 2022-10-26 2022-12-20 中科三清科技有限公司 一种大气污染历史数据存储方法及介质

Also Published As

Publication number Publication date
CN113271263B (zh) 2023-01-06
CN113271263A (zh) 2021-08-17

Similar Documents

Publication Publication Date Title
US12021697B2 (en) IoT device grouping and labeling
US10645026B2 (en) Resource prioritization and communication-channel establishment
US20180007121A1 (en) Performance-based content delivery
US10027739B1 (en) Performance-based content delivery
WO2019169928A1 (fr) Procédé de détection de trafic et dispositif de détection de trafic
CN112640381B (zh) 检测物联网设备的不合期望的行为的方法和系统
WO2021052162A1 (fr) Procédé et appareil de configuration de paramètres de réseau, dispositif informatique, et support de stockage
WO2018133573A1 (fr) Procédé et dispositif d'analyse de capacité de survie de service
US10425849B1 (en) Visualization of personalized quality of experience regarding mobile network
CN103188119A (zh) 通信网络中关键性能指标的置信区间
WO2020228527A1 (fr) Procédé de classification de flux de données et dispositif d'acheminement de messages
US11483177B2 (en) Dynamic intelligent analytics VPN instantiation and/or aggregation employing secured access to the cloud network device
US11758419B2 (en) Service type identification systems and methods for optimizing local area networks
US11539620B2 (en) Anomaly flow detection device and anomaly flow detection method
WO2022057321A1 (fr) Procédé et appareil de détection de liaison anormale, et support de stockage
WO2021164340A1 (fr) Procédé de traitement de données et dispositif associé
WO2020258982A1 (fr) Procédé et système d'analyse de journal de sécurité de station de base, et support d'enregistrement lisible par ordinateur
WO2019209503A1 (fr) Détection d'anomalies non supervisées pour identifier des anomalies dans des données
US11605009B2 (en) Network device identification
CN106789437B (zh) 报文的处理方法、转发方法、相关装置及丢包率测量方法
CN110730191A (zh) 基于数据、信息和知识对象的意图导向的osi七层网络协议模型
Budiyanto et al. Classification of network status in academic information systems using naive Bayes algorithm method
CN102546548B (zh) 一种分层协议的识别方法和装置
US12094458B2 (en) Multi-channel conversation processing
CN115086180B (zh) 网络组网方法、网络组网装置及电子设备

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20919483

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20919483

Country of ref document: EP

Kind code of ref document: A1