WO2022012429A1 - Method, apparatus, system, device and storage medium for realizing terminal verification - Google Patents
- Publication number
- WO2022012429A1 (PCT/CN2021/105494)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- transmission
- terminal
- target
- data stream
- downlink
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L5/00—Arrangements affording multiple use of the transmission path
- H04L5/003—Arrangements for allocating sub-channels of the transmission path
- H04L5/0044—Arrangements for allocating sub-channels of the transmission path allocation of payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- The present application relates to the field of communication technologies, and in particular to a method, apparatus, system, device and storage medium for realizing terminal authentication.
- In industries such as smart parks, higher education, manufacturing, and finance, it is common for some abnormal terminals to illegally access servers. There are many types of abnormal terminals. Take counterfeit terminals as an example: more and more Internet of things (IOT) terminals support network access functions, but compared with smart terminals (such as computers, tablets and mobile phones), IOT terminals have weak security protection functions and are easily counterfeited. To avoid the potential security risks caused by counterfeit terminals, network devices generally verify the IOT terminals that access them to determine whether those terminals are counterfeit.
- The terminal verification process is generally as follows: after receiving a data stream output by an IOT terminal, the network device extracts the Internet Protocol (IP) address of the IOT terminal from the packets in the data stream and queries an IP address library. If the IP address of the IOT terminal is stored in the IP address library, the network device determines that the IOT terminal is not a counterfeit terminal, and the IOT terminal passes the verification. If the IP address of the IOT terminal is not stored in the IP address library, the network device determines that the IOT terminal is a counterfeit terminal, and the IOT terminal fails the verification.
- However, the IP address of an IOT terminal can be easily counterfeited. If a counterfeit terminal outputs a data stream to the network device using a counterfeited IP address that is in the IP address database, then the IP address extracted by the network device from that data stream is an IP address in the IP address database, and the network device passes the counterfeit terminal. It can be seen that the network device cannot accurately verify a counterfeit terminal through the above terminal verification process, that is, the accuracy of the terminal verification is low.
- The present application provides a method, apparatus, system, device and storage medium for realizing terminal verification, which can improve the accuracy of terminal verification.
- The technical solution is as follows:
- A method for realizing terminal verification, comprising:
- acquiring a first transmission characteristic of the first terminal; reconstructing the first transmission characteristic based on the first transmission characteristic to obtain a second transmission characteristic; and, if the degree of difference between the first transmission characteristic and the second transmission characteristic is greater than or equal to the target difference degree, determining that the first terminal fails the verification; wherein the first transmission characteristic is the overall transmission characteristic of at least one first data stream transmitted by the first terminal, and the second transmission characteristic is the reconstructed first transmission characteristic.
- Reconstruction means rebuilding. Reconstructing the first transmission characteristic based on the first transmission characteristic means that, on the basis of the first transmission characteristic, a second transmission feature is rebuilt through a preset algorithm, and the rebuilt second transmission feature is as consistent as possible with the first transmission feature.
- The preset algorithm is used to reconstruct the normal transmission characteristics as closely as possible. It includes dimension-reduction encoding and dimension-increase decoding, where dimension-reduction encoding is an encoding method that reduces the dimension of transmission features, and dimension-increase decoding is a decoding method that increases the dimension of transmission features.
- Reconstructing the first transmission feature based on the first transmission feature includes: performing dimension-reduction encoding on the first transmission feature, and performing dimension-increase decoding on the dimension-reduced first transmission feature.
- The preset algorithm is expressed by the following target model.
- This method verifies the terminal by reconstructing the transmission characteristics of the terminal. For example, if the difference between the reconstructed transmission characteristics and the transmission characteristics of the terminal is large, the transmission characteristics of the terminal are abnormal and the terminal is an abnormal terminal, so it is determined that the terminal has not passed the verification. Because a terminal has specific normal transmission characteristics, and the normal transmission characteristics are not easy to counterfeit, this method can accurately verify various abnormal terminals and improve the accuracy of terminal verification. A counterfeit terminal is one kind of abnormal terminal, so this method can also accurately verify a counterfeit terminal instead of simply verifying the IP address of the terminal, which prevents the counterfeit terminal from passing the verification.
- the transmission characteristic of a normal terminal is also the normal transmission characteristic of the terminal
- the transmission characteristic of the abnormal terminal is also the abnormal transmission characteristic of the terminal.
- the first transmission characteristic includes an uplink transmission characteristic
- the uplink transmission characteristic is an overall transmission characteristic of at least one uplink data stream in the at least one first data stream.
- the upstream transmission feature includes at least one of an upstream message feature and an upstream feature
- the upstream message feature is an overall feature of an upstream message in the at least one upstream data stream
- the upstream characteristics are statistical characteristics of the at least one upstream data stream.
- The uplink packet features include at least one of: the average transmission interval of uplink packets, the average uplink load, the total uplink load size, the number of uplink packets, the number of uplink target packets, the proportion of uplink target packets, and the uplink packet load fluctuation value.
- The average transmission interval of uplink packets is the average transmission interval of the uplink packets within a time window.
- The average uplink load is the average size of the load of the target packets in the at least one upstream data flow within the time window.
- The total uplink load size is the total size of the load of the target packets in the at least one upstream data flow within the time window.
- The number of uplink packets is the number of upstream packets in the at least one upstream data stream within the time window.
- The number of uplink target packets is the number of target packets in the at least one upstream data stream within the time window.
- The proportion of uplink target packets is the proportion of the target packets in the at least one upstream data flow within the time window.
- The uplink packet load fluctuation value indicates the fluctuation of the size of the target packets in the at least one upstream data stream within the time window.
- The upstream characteristics include at least one of: the upstream terminal port fluctuation value, the total number of upstream data streams, the number of upstream target data streams, the number of upstream data streams under each data stream type in at least one data stream type, and the number of upstream data streams under each transmission protocol type in at least one transmission protocol type.
- The upstream terminal port fluctuation value indicates the fluctuation of the output port of the at least one upstream data stream in the first terminal within the time window.
- An upstream target data flow is an upstream data flow whose corresponding server input port belongs to the target port range.
- The uplink packet feature further includes at least one of a first receiving window fluctuation value and an average value of a first receiving window size, where the first receiving window fluctuation value indicates the fluctuation of the size of the receiving window carried by the uplink packets within the time window.
- the fluctuation value of the first receiving window is a standard deviation of the receiving window size carried by the uplink packet within the time window.
- The first transmission characteristic further includes at least one of the total number of the at least one first data stream and a downlink transmission characteristic.
- The downlink transmission characteristic is the overall transmission characteristic of at least one downlink data stream in the at least one first data stream.
- the downlink transmission characteristic includes at least one of a downlink packet characteristic and a downlink characteristic
- the downlink packet characteristic is an overall characteristic of a downlink packet in the at least one downlink data stream
- the downstream characteristics are statistical characteristics of the at least one downstream data stream.
- The downlink packet features include at least one of: the average transmission interval of downlink packets, the average downlink load, the total downlink load size, the number of downlink packets, the number of downlink target packets, the proportion of downlink target packets, and the downlink packet load fluctuation value.
- The average transmission interval of downlink packets is the average transmission interval of the downlink packets within a time window.
- The average downlink load is the average size of the load of the target packets in the at least one downstream data stream within the time window.
- The total downlink load size is the total size of the load of the target packets in the at least one downstream data stream within the time window.
- The number of downlink packets is the number of downlink packets in the at least one downlink data stream within the time window.
- The number of downlink target packets is the number of target packets in the at least one downlink data stream within the time window.
- The proportion of downlink target packets is the proportion of the target packets in the at least one downstream data stream within the time window.
- The downlink packet load fluctuation value indicates the fluctuation of the size of the target packets in the at least one downstream data stream within the time window.
- The downstream characteristics include at least one of: the downlink terminal port fluctuation value, the total number of downstream data streams, the number of downstream target data streams, the number of downstream data streams under each data stream type in at least one data stream type, and the number of downlink data streams under each transmission protocol type in at least one transmission protocol type.
- The downlink terminal port fluctuation value indicates the fluctuation of the input port of the at least one downlink data stream in the first terminal within the time window.
- A downlink target data stream is a downlink data stream whose corresponding server output port belongs to the target port range.
- The downlink packet feature further includes at least one of a second receiving window fluctuation value and an average value of a second receiving window size, where the second receiving window fluctuation value indicates the fluctuation of the receive window size carried by the downlink packets.
- the fluctuation value of the second receiving window is a standard deviation of the receiving window size carried by the downlink packet within the time window.
- the acquiring the first transmission characteristic of the first terminal includes:
- the stream transmission characteristic of a first data stream includes at least one of transmission information, data stream type, destination port type, and packet characteristics of the first data stream, and the transmission information is used
- the target port type is the port type of the port in the server that transmits the first data stream
- the message feature is the feature of the message in the first data stream.
- the transmission information includes at least one element in a five-tuple of the first data stream
- The message characteristics include at least one of: the sum of message transmission intervals, the load size, the sum of squares of the loads, the number of target messages, the total number of messages, the fluctuation value of the receiving window, the total size of the window, and the sum of squares of the window.
- The sum of packet transmission intervals is the total duration of the transmission intervals between packets in the first data stream within a time window.
- The load size is the total size of the load of the target packets in the first data stream within the time window.
- The sum of squares of the loads is the sum of the squares of the load sizes of the target packets.
- The number of target packets is the total number of target packets among the packets within the time window.
- The total number of packets is the total number of packets within the time window.
- The receiving window fluctuation value indicates the fluctuation of the receiving window size carried by the packets within the time window.
- The total size of the window is the sum of the sizes of the receiving windows carried by the packets within the time window.
- The sum of squares of the windows is the sum of the squares of the sizes of the sliding windows.
- the transmission information further includes at least one of a direction identifier and an identifier of the time window, where the direction identifier is used to indicate a transmission direction of the first data stream.
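The per-stream sums listed above (load size, sum of squares of the loads, total window size, sum of squares of the window) are enough to derive the terminal-level uplink averages and fluctuation values without keeping individual packets. The following Python sketch is an added example, not code from the patent; it assumes that a "target packet" is a packet carrying payload, that every fluctuation value is a population standard deviation, and that the target port range is 0 to 1023, and all names and sample packets are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Assumption: the page does not define the target port range; well-known ports are used.
TARGET_PORT_RANGE = range(0, 1024)


@dataclass
class StreamFeature:
    """Per-stream record: transmission information plus running packet sums."""
    five_tuple: tuple            # (src_ip, src_port, dst_ip, dst_port, protocol)
    direction: str               # direction identifier: "up" or "down"
    window_id: int               # identifier of the time window
    interval_sum: float = 0.0    # sum of packet transmission intervals
    load_size: int = 0           # total load of the target packets
    load_sq_sum: int = 0         # sum of squares of the loads
    target_packets: int = 0
    total_packets: int = 0
    window_total: int = 0        # total size of the receiving window
    window_sq_sum: int = 0       # sum of squares of the window
    last_ts: Optional[float] = None

    def add_packet(self, ts: float, payload_len: int, recv_window: int) -> None:
        if self.last_ts is not None:
            self.interval_sum += ts - self.last_ts
        self.last_ts = ts
        self.total_packets += 1
        self.window_total += recv_window
        self.window_sq_sum += recv_window ** 2
        # Assumption: a "target packet" is a packet that carries payload.
        if payload_len > 0:
            self.target_packets += 1
            self.load_size += payload_len
            self.load_sq_sum += payload_len ** 2


def fluctuation(total: float, sq_total: float, n: int) -> float:
    """Population standard deviation recovered from a sum and a sum of squares."""
    if n == 0:
        return 0.0
    mean = total / n
    return math.sqrt(max(sq_total / n - mean * mean, 0.0))


def uplink_transmission_feature(streams, window_id):
    """Merge the per-stream sums of one terminal into its overall uplink feature."""
    up = [s for s in streams if s.direction == "up" and s.window_id == window_id]
    packets = sum(s.total_packets for s in up)
    targets = sum(s.target_packets for s in up)
    load = sum(s.load_size for s in up)
    gaps = sum(max(s.total_packets - 1, 0) for s in up)
    windows = sum(s.window_total for s in up)
    ports = [s.five_tuple[1] for s in up]      # terminal-side (output) ports
    return {
        "avg_interval": sum(s.interval_sum for s in up) / gaps if gaps else 0.0,
        "avg_load": load / targets if targets else 0.0,
        "total_load": load,
        "packets": packets,
        "target_packets": targets,
        "target_ratio": targets / packets if packets else 0.0,
        "load_fluctuation": fluctuation(load, sum(s.load_sq_sum for s in up), targets),
        "avg_recv_window": windows / packets if packets else 0.0,
        "recv_window_fluctuation": fluctuation(
            windows, sum(s.window_sq_sum for s in up), packets),
        "port_fluctuation": fluctuation(sum(ports), sum(p * p for p in ports), len(ports)),
        "streams": len(up),
        "target_streams": sum(1 for s in up if s.five_tuple[3] in TARGET_PORT_RANGE),
    }


def constructed_streams():
    """Constructed sample: two uplink streams and one downlink stream in window 7."""
    a = StreamFeature(("10.0.0.5", 40000, "192.0.2.10", 443, "tcp"), "up", 7)
    for pkt in [(0.0, 0, 1000), (0.5, 100, 1000), (1.0, 300, 2000)]:
        a.add_packet(*pkt)
    b = StreamFeature(("10.0.0.5", 40002, "192.0.2.10", 8883, "tcp"), "up", 7)
    for pkt in [(0.2, 200, 1000), (1.2, 200, 1000)]:
        b.add_packet(*pkt)
    c = StreamFeature(("192.0.2.10", 443, "10.0.0.5", 40000, "tcp"), "down", 7)
    c.add_packet(0.1, 1400, 4000)
    return [a, b, c]


if __name__ == "__main__":
    for name, value in uplink_transmission_feature(constructed_streams(), 7).items():
        print(f"{name}: {value}")
```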
- the reconstructing the first transmission characteristic based on the first transmission characteristic to obtain the second transmission characteristic includes:
- the first transmission feature is input into a target model, and the target model reconstructs the first transmission feature based on the inputted first transmission feature, and outputs the second transmission feature.
- Before the inputting of the first transmission feature into the target model, the method further includes:
- the third transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a second terminal.
- Before the inputting of the first transmission feature into the target model, the method further includes:
- the target model reconstructs each fourth transmission feature based on the multiple input fourth transmission features, and outputs multiple fifth transmission characteristics; and obtaining the target difference degree based on the plurality of fifth transmission characteristics and the plurality of fourth transmission characteristics;
- the target terminal type is the terminal type of the first terminal, the plurality of fourth transmission characteristics and the plurality of fifth transmission characteristics are in one-to-one correspondence, and one fourth transmission characteristic is at least one transmission characteristic of a target terminal.
- the obtaining the target difference degree based on the plurality of fifth transmission characteristics and the plurality of fourth transmission characteristics includes:
- the target difference degree is obtained based on a degree of difference between at least one fifth transmission characteristic among the plurality of fifth transmission characteristics and a corresponding fourth transmission characteristic.
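The verification step and the derivation of the target difference degree described above can be illustrated end to end. This Python sketch is an added example, not the patent's target model: it substitutes a linear autoencoder (PCA computed by power iteration) for the trained model, takes the target difference degree as the largest difference on held-out normal features times an assumed margin of 1.5, and uses constructed feature values throughout.

```python
import math
import random

# Constructed feature layout for one terminal type (one vector per time window).
FEATURES = ["avg_uplink_interval_s", "avg_uplink_load", "uplink_packets",
            "terminal_port_fluctuation", "uplink_streams"]


def normal_window(activity, payload, rng=None):
    """Constructed normal behaviour: five features driven by two hidden factors."""
    row = [0.6 - 0.3 * activity, 400 + 200 * payload, 100 + 100 * activity,
           5 + 10 * activity, 2 + 4 * payload]
    if rng is not None:  # measurement noise, 3 % of each feature's span
        spans = [0.3, 200, 100, 10, 4]
        row = [x + rng.gauss(0, 0.03 * s) for x, s in zip(row, spans)]
    return row


class TargetModel:
    """Linear autoencoder (PCA by power iteration), standing in for the target model."""

    def __init__(self, code_size):
        self.code_size = code_size

    def fit(self, rows):
        n, d = len(rows), len(rows[0])
        self.mean = [sum(r[j] for r in rows) / n for j in range(d)]
        self.std = [math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in rows) / n)
                    for j in range(d)]
        z = [self._scale(r) for r in rows]
        cov = [[sum(r[i] * r[j] for r in z) / n for j in range(d)] for i in range(d)]
        self.components = []
        for _ in range(self.code_size):
            v = [float(j + 1) for j in range(d)]
            for _ in range(300):  # power iteration towards the dominant eigenvector
                w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
                norm = math.sqrt(sum(x * x for x in w))
                v = [x / norm for x in w]
            lam = sum(v[i] * cov[i][j] * v[j] for i in range(d) for j in range(d))
            # Deflate so that the next pass finds the next component.
            cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
            self.components.append(v)
        return self

    def _scale(self, row):
        return [(x - m) / s for x, m, s in zip(row, self.mean, self.std)]

    def encode(self, row):
        """Dimension-reduction encoding: d features -> code_size values."""
        z = self._scale(row)
        return [sum(c * x for c, x in zip(comp, z)) for comp in self.components]

    def decode(self, code):
        """Dimension-increase decoding: code_size values -> d features."""
        z = [sum(k * comp[j] for k, comp in zip(code, self.components))
             for j in range(len(self.mean))]
        return [x * s + m for x, s, m in zip(z, self.std, self.mean)]

    def difference(self, first):
        """Degree of difference: mean squared error in units of training std."""
        second = self.decode(self.encode(first))
        return sum(((a - b) / s) ** 2
                   for a, b, s in zip(first, second, self.std)) / len(first)


def target_difference(model, held_out, margin=1.5):
    # Assumption: largest difference seen on held-out normal features, times a margin.
    return margin * max(model.difference(r) for r in held_out)


def verify(model, target, first):
    """The terminal fails when the difference is greater than or equal to the target."""
    return model.difference(first) < target


def build_demo():
    rng = random.Random(2022)
    grid = [i / 7 for i in range(8)]
    training = [normal_window(a, p, rng) for a in grid for p in grid]
    held_out = [normal_window(a, p, rng)
                for a in (0.1, 0.3, 0.5, 0.7, 0.9) for p in (0.2, 0.4, 0.6, 0.8)]
    model = TargetModel(code_size=2).fit(training)
    return model, target_difference(model, held_out)


# Each value below lies inside the normal range, but the combination does not occur:
# a long packet interval with a high packet count and almost no port variation.
COUNTERFEIT = [0.6, 500.0, 200.0, 5.0, 4.0]

if __name__ == "__main__":
    model, target = build_demo()
    for name, row in [("genuine", normal_window(0.8, 0.2)), ("counterfeit", COUNTERFEIT)]:
        result = "pass" if verify(model, target, row) else "fail"
        print(name, round(model.difference(row), 4), result)
```

The counterfeit vector would pass both an IP address lookup and a per-feature range check; it fails only because the reconstruction cannot reproduce a combination the normal terminals never exhibit.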
- Before the inputting of the first transmission feature into the target model, the method further includes:
- Inputting multiple sixth transmission features of multiple target terminals under the target terminal type into the target model, where the target model reconstructs each sixth transmission feature based on the multiple input sixth transmission features and outputs multiple seventh transmission characteristics; and, based on the degree of difference between the plurality of seventh transmission characteristics and the corresponding sixth transmission characteristics, determining that the target model has passed the verification;
- the target terminal type is the terminal type of the first terminal, the plurality of sixth transmission characteristics are in one-to-one correspondence with the plurality of seventh transmission characteristics, and one sixth transmission characteristic is at least one transmission characteristic of a target terminal.
- Before the inputting of the first transmission feature into the target model, the method further includes:
- Acquiring transmission information of at least one second data stream transmitted by the at least one second terminal; associating and storing the transmission information with the terminal type of the second terminal; and acquiring multiple transmission characteristics of the at least one second terminal based on the transmission information associated with the terminal type;
- the transmission information is used to indicate the transmission attribute of the data stream, and one transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by the terminal.
- Before the inputting of the first transmission feature into the target model, the method further includes:
- the target model is received from a control device.
- the execution body of the method is a control device or a network device.
- a method for realizing terminal verification comprising:
- a third transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by a second terminal
- The target model is used to reconstruct the transmission characteristic of a verified terminal of the target terminal type, so as to verify the verified terminal, where the transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by the verified terminal.
- the method further includes:
- the target model is sent to a network device.
- Before the training in which the multiple third transmission features are used as the input and output of the initial model, the method further includes:
- the plurality of fourth transmission characteristics are in one-to-one correspondence with the plurality of fifth transmission characteristics, and one fourth transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a target terminal.
- the obtaining the target difference degree based on the plurality of fifth transmission characteristics and the plurality of fourth transmission characteristics includes:
- the target difference degree is obtained based on a degree of difference between at least one fifth transmission characteristic among the plurality of fifth transmission characteristics and a corresponding fourth transmission characteristic.
- Before the training in which the multiple third transmission features are used as the input and output of the initial model, the method further includes:
- the plurality of sixth transmission characteristics are in one-to-one correspondence with the plurality of seventh transmission characteristics, and one sixth transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a target terminal.
- Before the acquiring of multiple third transmission characteristics of at least one second terminal of the target terminal type, the method further includes:
- Acquiring transmission information of at least one second data stream transmitted by the at least one second terminal; associating and storing the transmission information with the terminal type of the second terminal; and acquiring multiple transmission characteristics of the at least one second terminal based on the transmission information associated with the terminal type;
- the transmission information is used to indicate the transmission attribute of the data stream, and one transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by the terminal.
- a system for realizing terminal verification includes a control device and a network device;
- the control device is used for:
- one third transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by one second terminal
- the network equipment is used for:
- the first transmission characteristic is an overall transmission characteristic of at least one first data stream transmitted by the first terminal
- Inputting the first transmission feature into the target model, where the target model reconstructs the first transmission feature based on the inputted first transmission feature and outputs a second transmission feature, the second transmission feature being the reconstructed first transmission feature;
- If the degree of difference between the first transmission characteristic and the second transmission characteristic is greater than or equal to the target degree of difference, it is determined that the first terminal fails the verification.
- The control device is further used for:
- the plurality of fourth transmission characteristics are in one-to-one correspondence with the plurality of fifth transmission characteristics, and one fourth transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a target terminal.
- The control device is further used for:
- the target difference degree is obtained based on a degree of difference between at least one fifth transmission characteristic among the plurality of fifth transmission characteristics and a corresponding fourth transmission characteristic.
- The control device is further used for:
- the plurality of sixth transmission characteristics are in one-to-one correspondence with the plurality of seventh transmission characteristics, and one sixth transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a target terminal.
- The control device is further used for:
- Acquiring transmission information of at least one second data stream transmitted by the at least one second terminal; associating and storing the transmission information with the terminal type of the second terminal; and acquiring multiple transmission characteristics of the at least one second terminal based on the transmission information associated with the terminal type;
- the transmission information is used to indicate the transmission attribute of the data stream, and one transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by the terminal.
- the first transmission characteristic includes an uplink transmission characteristic
- the uplink transmission characteristic is an overall transmission characteristic of at least one uplink data stream in the at least one first data stream.
- the upstream transmission feature includes at least one of an upstream message feature and an upstream feature
- the upstream message feature is an overall feature of an upstream message in the at least one upstream data stream
- the upstream characteristics are statistical characteristics of the at least one upstream data stream.
- The uplink packet features include at least one of: the average transmission interval of uplink packets, the average uplink load, the total uplink load size, the number of uplink packets, the number of uplink target packets, the proportion of uplink target packets, and the uplink packet load fluctuation value.
- The average transmission interval of uplink packets is the average transmission interval of the uplink packets within a time window.
- The average uplink load is the average size of the load of the target packets in the at least one upstream data flow within the time window.
- The total uplink load size is the total size of the load of the target packets in the at least one upstream data flow within the time window.
- The number of uplink packets is the number of upstream packets in the at least one upstream data stream within the time window.
- The number of uplink target packets is the number of target packets in the at least one upstream data stream within the time window.
- The proportion of uplink target packets is the proportion of the target packets in the at least one upstream data flow within the time window.
- The uplink packet load fluctuation value indicates the fluctuation of the size of the target packets in the at least one upstream data stream within the time window.
- The upstream characteristics include at least one of: the upstream terminal port fluctuation value, the total number of upstream data streams, the number of upstream target data streams, the number of upstream data streams under each data stream type in at least one data stream type, and the number of upstream data streams under each transmission protocol type in at least one transmission protocol type.
- The upstream terminal port fluctuation value indicates the fluctuation of the output port of the at least one upstream data stream in the first terminal within the time window.
- An upstream target data flow is an upstream data flow whose corresponding server input port belongs to the target port range.
- The uplink packet feature further includes at least one of a first receiving window fluctuation value and an average value of a first receiving window size, where the first receiving window fluctuation value indicates the fluctuation of the size of the receiving window carried by the uplink packets within the time window.
- The first transmission characteristic further includes at least one of the total number of the at least one first data stream and a downlink transmission characteristic.
- The downlink transmission characteristic is the overall transmission characteristic of at least one downlink data stream in the at least one first data stream.
- the downlink transmission characteristic includes at least one of a downlink packet characteristic and a downlink characteristic
- the downlink packet characteristic is an overall characteristic of a downlink packet in the at least one downlink data stream
- the downstream characteristics are statistical characteristics of the at least one downstream data stream.
- the characteristics of the downlink packets include the average transmission interval of downlink packets, the average value of downlink loads, the size of the total downlink load, the number of downlink packets, the number of downlink target packets, and the downlink target packets.
- the average transmission interval of the downlink packets is the average transmission interval of the downlink packets in a time window
- the average downlink load is the average size of the load of the target packets in the at least one downstream data stream within the time window
- the total downstream load size is the total size of the load of the target packets in the at least one downstream data stream within the time window
- the number of downlink packets is the number of downlink packets in the at least one downlink data stream in the time window
- the number of downlink target packets is the number of target packets in the at least one downlink data stream in the time window, the proportion of the downlink target packets is the proportion of the target packets in the at least one downstream data stream within the time window, and the downlink packet load fluctuation value is used to indicate the fluctuation of the size of the target packets in the at least one downstream data stream within the time window;
- the downstream characteristics include at least one of a downlink terminal port fluctuation value, the total number of downstream data streams, the number of downstream target data streams, the number of downstream data streams under each data stream type in at least one data stream type, and the number of downlink data streams under each transmission protocol type in at least one transmission protocol type; the downlink terminal port fluctuation value is used to indicate the fluctuation of the input port in the first terminal of the at least one downlink data stream within the time window, and the downlink target data flow is the downlink data flow whose corresponding server output port belongs to the target port range.
- the downlink packet feature further includes at least one of a second receiving window fluctuation value and an average value of a second receiving window size, where the second receiving window fluctuation value is used to indicate the fluctuation of the receive window size carried by the downlink packets.
- the network device is further used for:
- the first transmission characteristics are obtained based on the streaming characteristics of the at least one first data stream.
- the stream transmission characteristic of a first data stream includes at least one of transmission information, data stream type, destination port type, and packet characteristics of the first data stream, and the transmission information is used
- the target port type is the port type of the port in the server that transmits the first data stream
- the message feature is the feature of the message in the first data stream.
- the transmission information includes at least one element in a five-tuple of the first data stream
- the message characteristics include at least one of the sum of message transmission intervals, the load size, the sum of squares of the loads, the number of target messages, the total number of messages, the fluctuation value of the receiving window, the total size of the window, and the sum of squares of the window.
- the sum of packet transmission intervals is the total duration of transmission intervals between packets in the first data stream within a time window
- the load size is the total size of the load of the target packets in the first data stream within the time window, and the square sum of the load is the sum of the squares of the load sizes of the target packets
- the number of target packets is the total number of target packets in the packets within the time window
- the total number of packets is the total number of packets in the time window
- the receiving window fluctuation value is used to indicate the fluctuation of the receiving window size carried by the packet in the time window
- the total size of the window is the sum of the sizes of the receiving windows carried by the message within the time window
- the sum of squares of the windows is the sum of the squares of the sizes of the sliding windows.
- the transmission information further includes at least one of a direction identifier and an identifier of the time window, where the direction identifier is used to indicate a transmission direction of the first data stream.
- an apparatus for realizing terminal authentication which is used for executing the above-mentioned method for realizing terminal authentication.
- the apparatus for implementing terminal verification includes a functional module for implementing the method for implementing terminal verification provided in the above-mentioned first aspect or any optional manner of the above-mentioned first aspect.
- an apparatus for realizing terminal authentication which is used for executing the above-mentioned method for realizing terminal authentication.
- the apparatus for implementing terminal verification includes a functional module for implementing the method for implementing terminal verification provided in the above second aspect or any optional manner of the above second aspect.
- an electronic device in a sixth aspect, includes a processor and a memory, and the memory stores at least one piece of program code, the program code is loaded and executed by the processor to realize the above-mentioned first aspect or the above-mentioned first aspect.
- the action performed by the method is performed by the method.
- a computer-readable storage medium is provided, and at least one piece of program code is stored in the storage medium, and the program code is loaded and executed by a processor to realize the above-mentioned first aspect or any one of the above-mentioned first aspects.
- a computer program product or computer program includes program code
- the program code is stored in a computer-readable storage medium
- the processor of the electronic device reads the program code from the computer-readable storage medium
- the processor executes the program code, so that the electronic device executes the method for realizing terminal verification provided in the first aspect or any optional manner of the first aspect, or executes the method for realizing terminal verification provided in the second aspect or any optional manner of the second aspect.
- FIG. 1 is a schematic diagram of a system for realizing terminal verification provided by an embodiment of the present application
- FIG. 2 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
- FIG. 3 is a flowchart of a terminal type identification provided by an embodiment of the present application.
- FIG. 4 is a schematic diagram of a storage terminal type provided by an embodiment of the present application.
- FIG. 5 is a flowchart of a method for obtaining a model provided by an embodiment of the present application.
- FIG. 6 is a schematic diagram of starting training provided by an embodiment of the present application.
- FIG. 7 is a schematic diagram of a transmission feature acquisition provided by an embodiment of the present application.
- FIG. 8 is a flowchart of a method for implementing terminal verification provided by an embodiment of the present application.
- FIG. 9 is a schematic diagram of a method for realizing terminal verification provided by an embodiment of the present application.
- FIG. 10 is a schematic structural diagram of an apparatus for realizing terminal verification provided by an embodiment of the present application.
- FIG. 11 is a schematic structural diagram of an apparatus for realizing terminal verification provided by an embodiment of the present application.
- FIG. 1 is a schematic diagram of a system for implementing terminal verification provided by an embodiment of the present application.
- the system 100 includes multiple terminals 101 , multiple network devices 102 , multiple servers 103 , and a control device 104 .
- a terminal 101 is used to send a data stream to the server 103 through the network device 102 .
- the terminal 101 outputs the data stream to the network device 102, and the network device 102 forwards the data stream output by the terminal 101 to the server 103.
- the terminal 101 is also the device that outputs the data stream.
- the server 103 is a device for inputting data streams.
- the terminal 101 is also used to receive data streams from the server 103 through the network device 102 .
- the server 103 outputs the data stream to the network device 102, and the network device 102 forwards the data stream output by the server 103 to the terminal 101.
- the terminal 101 is the device that inputs the data stream
- the server 103 is the device that outputs the data stream.
- the device that outputs the data stream is denoted as the "first device", and the device that inputs the data stream is denoted as the "second device".
- the data stream output by the terminal 101 is denoted as the "upstream data stream", in which case the terminal 101 is the first device and the server 103 is the second device; the data stream input by the terminal 101 is denoted as the "downstream data stream", in which case the terminal 101 is the second device and the server 103 is the first device.
- the upstream data stream and the downstream data stream of the terminal 101 are both data streams transmitted by the terminal 101 .
- the terminal 101 is an IoT terminal, such as a camera, a sound, a printer, an IP phone, an automatic teller machine (ATM) or an inquiry machine, and the like.
- in addition to forwarding the data stream, the network device 102 is also used to collect the transmission characteristics of the terminal 101 and report them to the control device 104, and the control device 104 verifies the terminal 101 based on the transmission characteristics of the terminal 101 to determine whether the terminal 101 is a normal terminal or an abnormal terminal.
- a normal terminal is a terminal with normal behavior, and a terminal that legally interacts with the server according to preset rules is deemed to have normal behavior. For example, if the terminal accesses the server to perform the preset service within the time period specified by the preset rule, or if the terminal legally interacts with the server within the scope of authority specified by the preset rule, the behavior of the terminal is normal and the terminal is a normal terminal.
- An abnormal terminal is a terminal with abnormal behavior. If the terminal does not interact with the server according to the preset rules, or the interaction between the terminal and the server is illegal, the behavior is regarded as abnormal.
- For example, if the terminal impersonates a terminal with the authority specified by the preset rules and illegally interacts with the server, or if the terminal illegally interacts with the server outside the authority specified by the preset rules, the behavior of the terminal is abnormal and the terminal is an abnormal terminal.
- the illegal interaction between the terminal and the server covers various situations, including the terminal illegally accessing specific content in the server, the terminal accessing the server outside the time period specified by the preset rules, the terminal being hacked and used as a springboard to maliciously attack the network, or the terminal conducting illegal business.
- the transmission characteristics collected by the network device 102 are actual transmission characteristics of the terminal 101 and can reflect the behavior of the terminal 101 .
- the control device 104 has the ability to reconstruct the actual transmission characteristics of the terminal 101: the control device 104 reconstructs the actual transmission characteristics of the terminal 101 to obtain the reconstructed transmission characteristics, that is, the actual transmission characteristics after reconstruction. If the difference degree between the actual transmission characteristic and the reconstructed transmission characteristic is less than the target difference degree, the difference between the two is small; the control device 104 determines that the terminal behavior embodied by the actual transmission characteristic is normal, that the actual transmission characteristic is a normal transmission characteristic, and that the terminal 101 is a normal terminal, and the control device 104 passes the verification of the terminal 101. If the difference degree between the actual transmission characteristic and the reconstructed transmission characteristic is greater than or equal to the target difference degree, the difference between the two is relatively large, and the control device 104 determines that the terminal behavior embodied by the
- the control device 104 reconstructs the actual transmission characteristics based on the target model. Before reconstructing the actual transmission feature based on the target model, the control device 104 obtains the target model through training.
- the network device 102 collects multiple transmission characteristics of at least one normal terminal 101 under the same terminal type and sends the multiple transmission characteristics to the control device 104, and the control device 104 uses the multiple transmission characteristics as both the input and the output of an initial model and trains it to obtain the target model, so that the control device 104 can subsequently reconstruct the actual transmission characteristics of a terminal 101 under that terminal type based on the target model.
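The reconstruction check and per-type training described above, as an added sketch that is not part of the patent text. The page does not name the model, the feature selection, or how the difference degree and target difference degree are computed, so the following are assumptions: a two-component PCA stands in for the target model, the difference degree is the mean squared difference on standardized features, the target difference degree is three times the largest difference seen in training, and all feature values are constructed.

```python
import math

# Constructed training rows: one row per time window of a normal terminal of
# one terminal type. Assumed columns: average uplink packet interval (ms),
# average uplink load (bytes), number of upstream data streams, upstream
# terminal port fluctuation value.
NORMAL_CAMERA_WINDOWS = [
    [40.0, 1000, 2, 1.0], [38.0, 1040, 2, 2.0], [36.5, 1080, 3, 1.0],
    [34.0, 1120, 2, 2.0], [32.0, 1160, 3, 1.0], [30.5, 1200, 3, 2.0],
    [28.0, 1240, 2, 1.0], [26.0, 1280, 3, 2.0],
]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def principal_directions(z, k, iters=300):
    """Top-k principal directions by power iteration with deflation."""
    d = len(z[0])
    cov = [[sum(r[a] * r[b] for r in z) / len(z) for b in range(d)]
           for a in range(d)]
    directions = []
    for _ in range(k):
        v = [float(j + 1) for j in range(d)]       # asymmetric start vector
        n0 = math.sqrt(dot(v, v))
        v = [x / n0 for x in v]
        for _step in range(iters):
            w = [dot(row, v) for row in cov]
            norm = math.sqrt(dot(w, w))
            if norm < 1e-12:                       # no variance left
                break
            v = [x / norm for x in w]
        lam = dot(v, [dot(row, v) for row in cov])
        # Deflate so the next pass finds the next direction.
        cov = [[cov[a][b] - lam * v[a] * v[b] for b in range(d)]
               for a in range(d)]
        directions.append(v)
    return directions


def reconstruct(model, x):
    """Project the actual features onto the learned subspace and back."""
    z = [(v - m) / s for v, m, s in zip(x, model["mean"], model["std"])]
    z_hat = [0.0] * len(z)
    for c in model["dirs"]:
        coef = dot(z, c)
        z_hat = [zh + coef * cj for zh, cj in zip(z_hat, c)]
    return [m + s * zh for m, s, zh in zip(model["mean"], model["std"], z_hat)]


def difference_degree(model, x):
    """Assumed metric: mean squared difference on standardized features."""
    x_hat = reconstruct(model, x)
    return sum(((a - b) / s) ** 2
               for a, b, s in zip(x, x_hat, model["std"])) / len(x)


def train(rows, k=2, margin=3.0):
    """Fit on normal windows only; the same rows are input and target."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / n) or 1.0
           for j in range(d)]
    z = [[(r[j] - mean[j]) / std[j] for j in range(d)] for r in rows]
    model = {"mean": mean, "std": std, "dirs": principal_directions(z, k)}
    # Assumed rule for the target difference degree.
    model["target_difference"] = margin * max(
        difference_degree(model, r) for r in rows)
    return model


def verify(model, x):
    """Pass only if the difference degree is below the target difference."""
    return difference_degree(model, x) < model["target_difference"]


# One target model per terminal type, as in the per-type training above.
TARGET_MODELS = {"camera": train(NORMAL_CAMERA_WINDOWS)}


def verify_terminal(terminal_type, features):
    return verify(TARGET_MODELS[terminal_type], features)


if __name__ == "__main__":
    print(verify_terminal("camera", [33.0, 1150, 3, 1.0]))   # typical window
    print(verify_terminal("camera", [2.0, 60, 40, 30.0]))    # many small flows
```

Because the model is fitted only on normal windows, a window whose features break the learned relationships reconstructs poorly and fails the check without any abnormal samples being needed for training.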
- the control device 104 can also display the training progress, so that the user can learn the training progress.
- the network device 102 described above is responsible for collecting transmission characteristics, and the control device 104 trains a target model based on the transmission characteristics collected by the network device 102, and verifies the terminal 101 based on the target model.
- the network device 102 is responsible for collecting transmission characteristics, and the control device 104 trains at least one target model based on the transmission characteristics collected by the network device 102, where each target model corresponds to a terminal type, and sends the at least one target model to the network device 102. After collecting the transmission characteristics of any terminal 101, the network device 102 determines, among the at least one target model, the target model for that terminal 101 based on the terminal type of that terminal 101, and reconstructs the transmission characteristics of that terminal 101 based on the determined target model, so as to verify that terminal 101.
- the network device 102 sends the data streams it forwards to the control device 104, and the control device 104 collects the transmission characteristics of the terminal 101 based on the data streams sent by the network device 102, performs training, and verifies the terminal 101 based on the trained target model.
- the network device 102 includes one of a firewall device, a router, and a switch.
- the network device 102 and the control device 104 described above are two separate electronic devices; in another possible implementation manner, the network device 102 and the control device 104 are the same electronic device, and that electronic device has the functions of both the network device 102 and the control device 104.
- FIG. 2 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
- the electronic device 200 is provided as the above-mentioned network device and/or control device.
- the electronic device 200 may vary greatly due to different configurations or performances. It includes one or more processors 201 and one or more memories 202, wherein the processor 201 is a central processing unit (CPU) or another type of processor, and the memory 202 stores at least one piece of program code, which is loaded and executed by the processor 201 to implement the steps performed by the network device and/or the control device provided by the various method embodiments described below.
- the electronic device 200 also has components such as a wired or wireless network interface, a keyboard, and an input and output interface for input and output.
- the electronic device 200 also includes other components for realizing device functions, which are not described again here.
- a computer-readable storage medium such as a memory including program codes, and the program codes can be executed by a processor in a terminal to complete the method for realizing terminal authentication in the following embodiments .
- the computer-readable storage medium is a non-transitory computer-readable storage medium, such as read-only memory (ROM), random access memory (RAM), compact disc read-only memory (CD-ROM), magnetic tapes, floppy disks, and optical data storage devices, etc.
- the control device can identify the type of the terminal in the terminal verification system to determine the terminal type of the terminal in the terminal verification system.
- for the type identification process, refer to the flowchart of terminal type identification provided by an embodiment of the present application, as shown in FIG. 3.
- the control device acquires a type identification instruction, where the type identification instruction is used to instruct identification of the terminal type of a terminal.
- the type identification instruction includes an identification mark, and the identification mark is used to instruct identification of the terminal type of a terminal.
- the type identification instruction is triggered by a user operation.
- when the control device detects that the user performs an operation on the control device for triggering the type identification instruction, the control device is triggered to acquire the type identification instruction.
- the control devices in the terminal verification system can also be divided into multi-level control devices, namely a central control device and a plurality of regional control devices, where the central control device is used to manage the regional control devices and each regional control device is used to manage the network devices in at least one network area.
- after the central control device acquires the type identification instruction based on the user operation, it can also send the acquired type identification instruction to each regional control device, so that each regional control device can receive the type identification instruction from the central control device.
- the control device in this step 301 is an area control device.
- each time the control device obtains the type identification instruction, the control device performs a process of terminal type identification (that is, the following steps 302-308).
- the control device receives the type identification instruction only once, and periodically performs the process of terminal type identification after receiving the type identification instruction. This embodiment of the present application does not specifically limit the timing of terminal type identification.
- the control device sends an information acquisition instruction to at least one network device, where the information acquisition instruction is used to instruct the network device to upload the transmission information of the data stream.
- the at least one network device is a network device managed by the control device.
- the transmission information of a data stream is used to indicate the transmission attributes of the data stream, such as transmission address, transmission port, transmission protocol, transmission direction, and transmission time, each of which is a transmission attribute of the data stream.
- the information acquisition instruction includes an attribute identifier of at least one transmission attribute, so as to instruct the network device to upload at least one transmission attribute of the data stream based on the attribute identifier of the at least one transmission attribute.
- the any network device receives the information acquisition instruction.
- the any network device acquires at least one transmission information of at least one data stream based on the information acquisition instruction.
- the at least one data stream is a data stream transmitted by the network device within a time window, the duration of the time window is the target duration, and the time window is the detection time for any network device to detect the at least one data stream.
- the at least one data flow includes at least one upstream data flow, and optionally, the at least one data flow further includes at least one downstream data flow.
- the transmission information of a data stream includes at least one element in the quintuple of the first data stream, and the quintuple of the first data stream includes the source address information, source port identification, destination address information, destination port identification, and transmission protocol type of the data stream.
- the source address information is used to indicate the network address of the first device that outputs the data stream, where the first device is a device that outputs the data stream to the network device, such as a server or a terminal, and the source address information includes the first device's IP address.
- the source port identifier is used to indicate an output port in the first device for outputting the data stream.
- the destination address information is used to indicate the IP address of the second device that inputs the data stream, where the second device is the device that inputs the data stream, that is, the device that receives the data stream forwarded by the network device, such as a server or terminal, the destination address information includes the network address of the second device.
- the destination port identifier is used to indicate an input port in the second device for inputting the data stream.
- the network address of a device includes at least one of an IP address of the device and a media access control (MAC) address, and the network address of the first device is also a source network address, such as a source IP address or a source MAC address.
- the network address of the second device is also the destination network address, for example, the destination IP address and the destination MAC address. It should be noted that, in the embodiments of the present application, the network address of the device is an IP address as an example for description.
- the transport protocol type is used to indicate the transport protocol that the data stream follows, such as transmission control protocol (TCP), user datagram protocol (UDP), or internet control message protocol (ICMP).
- the transmission information further includes at least one of a direction identifier and an identifier of the time window, and the direction identifier includes an uplink identifier or a downlink identifier: if the direction identifier is an uplink identifier, it indicates that the data stream is an upstream data flow; if the direction identifier is a downlink identifier, it indicates that the data flow is a downstream data flow.
- the any network device includes a plurality of ports, namely at least one first input port, at least one first output port, at least one second input port and at least one second output port, where the first input port is used for inputting the data stream output from the terminal, that is, for inputting the upstream data stream; the first output port is used to output the upstream data stream to the server; the second input port is used for inputting the data stream output from the server, that is, for inputting the downstream data stream; and the second output port is used for outputting the downstream data stream to the terminal.
- the any network device acquires the transmission information of the at least one data stream based on the data stream transmitted by the input port or the output port in the any network device.
- the process of acquiring the transmission information of the at least one data stream by the any network device based on the input port in the any network device and the information acquisition instruction is implemented by the following steps 3041-3043 .
- Step 3041 For any input port in the at least one first input port or at least one second input port, the any network device obtains the metadata of the multiple packets input by the any input port within a time window .
- a time window of target duration is set in any network device, and the network device detects the data streams it transmits within the time window to obtain the streaming characteristics of those data streams within the time window, wherein the transmission information of a data stream belongs to the streaming characteristics of the data stream.
- the time window is the time period of the target duration after the any network device receives the information acquisition instruction. For example, if the any network device performs this step 3041 within the target duration after receiving the information acquisition instruction, then, The target duration after the any network device receives the information acquisition instruction is also the time window.
- the multiple packets are packets in the data flow input in the any input port within the time window.
- the metadata of a packet includes flow identification information, source MAC address and destination MAC address of the data flow to which the packet belongs.
- the flow identification information of the data flow is a quintuple, including the source IP address, source port identifier, destination IP address, destination port identifier, and transmission protocol type.
- the any network device obtains multiple packets from the data stream input by the any input port, and parses the multiple packets to obtain metadata of the multiple packets.
- Step 3042 The any network device deduplicates the metadata of the multiple packets to obtain the metadata of at least one packet, where the metadata of the at least one packet differs from one another and each packet belongs to a different data flow.
- One or more data streams may be input to any input port within the time window, and some of the multiple packets may belong to the same data stream.
- the network device may therefore deduplicate the metadata of the multiple packets to obtain the metadata of at least one packet.
- for example, the multiple packets are packets 1-3, where the metadata of packet 1 is the same as the metadata of packet 2 and different from the metadata of packet 3, packet 1 and packet 2 both belong to data flow 1, and packet 3 belongs to data flow 2; by deduplicating the metadata of packets 1-3, the network device retains the metadata of packet 1 and the metadata of packet 3.
- Step 3043 For any packet in the at least one packet, the any network device generates transmission information of the data stream to which the any packet belongs based on the information acquisition instruction.
- the any network device generates transmission information of the data stream to which the any packet belongs based on at least one attribute identifier included in the information acquisition instruction.
- if the information acquisition instruction includes the attribute identifier of the transmission address, the network device determines at least one of the source IP address and the source MAC address in the metadata of the packet as the source address information of the data stream, determines at least one of the destination IP address and the destination MAC address in the metadata of the packet as the destination address information of the data stream, and adds the source address information and the destination address information to the transmission information of the data stream; if the information acquisition instruction includes the attribute identifier of the transmission port, the network device adds the source port identifier and the destination port identifier in the metadata of the packet to the transmission information of the data stream; if the information acquisition instruction includes the attribute identifier of the transmission protocol, the network device adds the transmission protocol type in the metadata of the packet to the transmission information of the data stream; if the information acquisition instruction includes the attribute identifier of the transmission direction, the network device determines the transmission direction of the data stream based on the port used for transmitting the packet in the network device or the source address information of the data stream, and adds the direction identifier used to indicate the transmission direction to the transmission information of the data stream; if the information acquisition instruction carries the attribute identifier of the transmission time, the identifier of the time window is added to the transmission information of the data stream.
- the process by which the network device determines the transmission direction of the data stream, based on the port used for transmitting the packet in the network device or the source address information of the data stream, is as follows: if the port used to input the packet in the network device is the first input port, or the port used to output the packet in the network device is the first output port, then the data stream is an upstream data stream, and the network device determines that the transmission direction of the data stream is upstream; if the port used to input the packet in the network device is the second input port, or the port used to output the packet in the network device is the second output port, then the data stream is a downlink data stream, and the network device determines that the transmission direction of the data stream is downlink; if the first device indicated by the source address information of the data stream is a terminal, the data stream is an upstream data stream, and the network device determines that the transmission direction of the data stream is upstream; if the second device indicated by the source address information of
- for example, any network device transmits a total of 3 data streams, namely data streams 1-3, where data stream 1 and data stream 2 are upstream data streams and data stream 3 is a downstream data stream; through this step 3043, the network device can obtain the transmission information of data streams 1-3 shown in Table 1.
- the process shown in this step 304 is that any network device obtains the at least one first data stream transmitted by the second terminal.
- the any network device sends the at least one transmission information to the control device.
- the control device receives the at least one transmission information.
- the process shown in this step 306 is also the process of the control device acquiring the transmission information of the at least one second data stream transmitted by the second terminal .
- the control device stores the at least one transmission information.
- the control device extracts at least one item of information from each transmission information, and stores the at least one item of information in a configuration table to realize asset identification.
- the control device stores each item of information in each transmission information in a configuration table, and the configuration table is shown in Table 1.
- the control device stores part of information in each transmission information into a configuration table, where the part of information includes a direction identifier and a network address of the terminal.
- the control device associates and stores the network address of the terminal in at least one transmission information including the same direction identifier and the direction identifier. If the network address of the terminal is an IP address, the control device associates and stores the direction identifier with the IP address of the terminal.
- the direction identifier in a transmission information is an uplink identifier
- the data stream corresponding to the transmission information is uplink data flow
- the source IP address in the transmission information is the IP address of the terminal
- the control device adds the source IP address to the configuration table, and corresponds to the uplink identifier
- the direction identifier in a transmission information is the downlink identifier
- the control device adds the destination IP address to the configuration table and corresponds to the downlink identifier.
- the control device extracts the source IP address corresponding to the uplink identifier and the destination IP address corresponding to the downlink identifier in Table 1, associates the extracted source IP address with the uplink identifier and stores it in the configuration table shown in Table 2, and associates the extracted destination IP address with the downlink identifier and stores it in the configuration table shown in Table 2.
- the control device associates and stores the any transmission information with the terminal type of the first target terminal, wherein the first target terminal is used to transmit the data stream corresponding to the any transmission information.
- Terminal types include camera, audio, printer, IP phone, ATM or inquiry machine.
- the control device stores at least one piece of information in any transmission information in association with the terminal type of the target terminal.
- the control device stores the at least one item of information in association with the terminal type of the first target terminal in an asset table, where the asset table is used to store a variety of terminal types, and the asset table is stored locally on the control device or in cloud space.
- the control device obtains at least one piece of information in any of the transmission information from the configuration table, and based on the at least one piece of information, inquires whether there is a terminal type corresponding to the at least one piece of information in the asset table.
- the terminal type corresponding to the at least one item of information is the terminal type of the first target terminal, and the control device has stored the at least one item of information in association with the terminal type of the first target terminal, so the control device does not need to perform this step 308 again; if not, the control device stores the at least one item of information in the asset table in association with the terminal type of the first target terminal.
- the control device displays the terminal type addition information in the terminal type addition interface to prompt the user to add, in the asset table, the terminal type corresponding to the at least one item of information, wherein the terminal type addition information is used to indicate that the terminal type corresponding to the at least one item of information is to be added in the asset table, the terminal type addition information includes the at least one item of information and an addition identifier, and the addition identifier is used to indicate that the terminal type corresponding to the at least one item of information is to be added in the asset table.
- the user determines the terminal type of the first target terminal based on at least one item of information in the terminal type addition information, and adds the terminal type of the first target terminal in the terminal type addition interface.
- after the control device detects that the user has performed the adding operation in the terminal type addition interface, the control device is triggered to store the at least one item of information in the asset table in association with the terminal type added by the user.
- the network device associates the terminal type of the terminal indicated by the any IP address with the any IP address and stores them in the asset table. Still taking the configuration table shown in Table 2 as an example, if the terminal indicated by the IP address 192.168.1.240 is the camera, the terminal indicated by the IP address 192.168.1.180 is the camera, and the terminal indicated by the IP address 192.168.1.150 is the speaker, then the control device associates the three IP addresses with the corresponding terminal types and stores them in the asset table to obtain Table 3.
- the process shown in this step 308 is that the control device associates the at least one transmission information of the at least one second data stream with the data of the second terminal.
- the network device acquires the transmission information of the transmitted data stream, and sends the acquired transmission information to the control device, and the control device stores the received transmission information, and queries whether the asset table exists. If the terminal type corresponding to the transmission information does not exist, the control device prompts the user to add the terminal type corresponding to the transmission information in the asset table, and the control device then adds the terminal type corresponding to the transmission information in the asset table based on the user's operation.
- the method shown in the embodiment of the present application uploads the transmission information of the data stream to the control device through the network device, so that the control device associates and stores the transmission information of each data stream transmitted by the terminals in the terminal verification system with the terminal type, so as to achieve the purpose of compiling statistics on the terminal types of the terminals in the terminal verification system.
- the network device uploads the transmission information of the data stream to the control device based on the information acquisition instruction, and the control device stores the transmission information uploaded by the network device.
- the control device does not send the information acquisition instruction to the network device, but sends the data stream acquisition instruction to the network device.
- after the network device receives the data stream acquisition instruction, the network device uploads to the control device a copy of multiple packets in at least one data stream transmitted in the window, and the control device obtains the transmission information of the at least one data stream based on the multiple packets in the at least one data stream uploaded by the network device, and performs steps 307-308.
- step 304, step 307 and step 308 are periodically executed by the network device.
- the control device acquires from at least one network device multiple transmission characteristics of the terminal under the any terminal type, and performs training based on the acquired multiple transmission characteristics to obtain the any The target model corresponding to the terminal type.
- for the process, refer to the flowchart of a model acquisition method provided by an embodiment of the present application shown in FIG. 5.
- the control device determines the target terminal type corresponding to the target model to be acquired.
- the control device determines the target terminal type based on a user operation.
- the user inputs the target terminal type in the training interface of the control device, and performs a confirmation operation to realize the process of starting the training.
- the interface obtains the target terminal type.
- the control device sends a transmission characteristic acquisition instruction to at least one network device, where the transmission characteristic acquisition instruction is used to instruct to acquire transmission characteristics of the terminal under the target terminal type.
- the transmission characteristic acquisition instruction includes the target terminal type and at least one network address corresponding to the target terminal type, each network address corresponds to a terminal, and the transmission characteristic of a terminal is the overall transmission characteristic of at least one data stream transmitted by the terminal.
- the control device queries the asset table for at least one network address corresponding to the target terminal type, forms a terminal address list with the at least one network address found, and adds the terminal address list to the transmission characteristic acquisition instruction.
- the terminal address list is used to record the target terminal type and at least one network address corresponding to the target terminal type. Taking at least one network address corresponding to the target terminal type as the IP address of the terminal as an example, refer to the terminal address list shown in Table 4.
- the user configures the target terminal type to be the terminal type corresponding to the target model to be acquired (that is, configures the target terminal type for training), the control device queries the asset table based on the target terminal type configured by the user, obtains at least one network address corresponding to the target terminal type, and sends the target terminal type and the at least one network address to the network device to start the training process.
- the any network device receives a transmission characteristic acquisition instruction.
- the any network device acquires multiple transmission characteristics of at least one second terminal under the target terminal type.
- the at least one second terminal is a terminal indicated by at least one network address in the transmission feature instruction.
- the terminal type of the at least one second terminal is the target terminal type.
- a transmission characteristic of a terminal is the overall transmission characteristic of at least one data stream transmitted by the terminal, and the transmission characteristic may include characteristics of multiple dimensions, and does not only refer to the characteristics of one dimension.
- the transmission characteristic is an overall transmission characteristic of the at least one data stream within a time window.
- the transmission characteristic includes an uplink transmission characteristic
- the uplink transmission characteristic is an overall transmission characteristic of at least one uplink data stream in the at least one data stream
- the uplink data stream is a data stream output by the terminal
- Upstream data flow consists of upstream packets.
- the upstream transmission feature includes one of an upstream message feature and an upstream feature
- the upstream message feature is the overall feature of the upstream message in the at least one upstream data stream
- the upstream feature is the at least one upstream feature.
- the uplink packet features include at least one of the average transmission interval of uplink packets, the average uplink load, the total uplink load size, the number of uplink packets, the number of uplink target packets, the proportion of uplink target packets, and the uplink packet load fluctuation value.
- the average transmission interval of the upstream packets is the average transmission interval of the upstream packets in the at least one upstream data stream in a time window; the average uplink load is the average size of the load of the target packets in the at least one upstream data stream within the time window; the total size of the upstream load is the total size of the load of the target packets in the at least one upstream data stream within the time window; the number of upstream packets is the number of upstream packets in the at least one upstream data stream within the time window; the number of upstream target packets is the number of target packets in the at least one upstream data stream within the time window; the proportion of the upstream target packets is the proportion of target packets in the at least one upstream data stream within the time window; and the upstream packet load fluctuation value is used to indicate the size fluctuation of the target packets in the at least one upstream data stream within the time window.
- the target message is a message with a payload, and optionally, the data in the payload is service data.
- the uplink packet feature further includes at least one of a first receiving window fluctuation value and an average value of the first receiving window size, where the first receiving window fluctuation value is used to indicate the at least one uplink data within the time window. Fluctuation of the size of the receiving window carried by the upstream packet in the flow, and the average size of the first receiving window is the average size of the receiving window carried by the upstream packet in the at least one upstream data stream within the time window.
- the receiving window is a TCP sliding window.
- the first receiving window fluctuation value is the standard deviation of the receiving window size carried by the upstream packets in the at least one upstream data stream within the time window.
- the upstream characteristics include at least one of the upstream terminal port fluctuation value, the total number of upstream data streams, the number of upstream target data streams, the number of upstream data streams under each data stream type in at least one data stream type, and the number of upstream data streams under each transport protocol type in at least one transport protocol type.
- the upstream terminal port fluctuation value is used to indicate the fluctuation of the output port of at least one upstream data stream in the terminal within the time window, that is, the fluctuation of the output port used for upstream data stream transmission in the terminal within the time window.
- the upstream target data flow is the upstream data flow whose corresponding server input port belongs to the target port range.
- the upstream terminal port fluctuation value is a variance value of the port identifier of the output port of the at least one upstream data stream.
- the total number of upstream data streams is the total number of the at least one upstream data stream, and the number of the upstream target data streams is the total number of upstream target data streams in the at least one upstream data stream.
- the at least one data stream type includes a multicast data stream, a broadcast data stream, and a unicast data stream.
- the at least one transport protocol type includes TCP, UDP, and ICMP.
- the target port range can be set according to actual requirements. For example, the target port range is the range of well-known ports, and the embodiment of the present application does not specifically limit the target port range.
- the transmission characteristic further includes at least one of the total number of the at least one data stream and a downlink transmission characteristic, and the downlink transmission characteristic is the overall transmission characteristic of the at least one downlink data stream in the at least one data stream; the downlink data stream is the data stream input by the terminal, and consists of downlink packets.
- the downlink transmission characteristic includes at least one of a downlink packet characteristic and a downlink characteristic, the downlink packet characteristic is an overall characteristic of downlink packets in the at least one downlink data stream, and the downlink characteristic is the statistical characteristics of the at least one downlink data stream.
- the characteristics of the downlink packets include at least one of the average transmission interval of downlink packets, the average value of downlink loads, the size of the total downlink load, the number of downlink packets, the number of downlink target packets, the proportion of downlink target packets, and the downlink packet load fluctuation value.
- the average transmission interval of the downlink packets is the average transmission interval of downlink packets in the at least one downlink data stream within a time window; the average downlink load is the average size of the load of the target packets in the at least one downlink data stream within the time window; the total downlink load size is the total size of the load of the target packets in the at least one downlink data stream within the time window; the number of downlink packets is the number of downlink packets in the at least one downlink data stream within the time window; the number of downlink target packets is the number of target packets in the at least one downlink data stream within the time window; the proportion of the downlink target packets is the proportion of target packets in the at least one downlink data stream within the time window; and the downlink packet load fluctuation value is used to indicate the size fluctuation of the target packets in the at least one downlink data stream within the time window.
- the downlink packet feature further includes at least one of a second receiving window fluctuation value and an average value of the second receiving window size, where the second receiving window fluctuation value is used to indicate the fluctuation of the size of the receiving window carried by the downlink packets in the at least one downlink data stream within the time window, and the average size of the second receiving window is the average size of the receiving window carried by the downlink packets in the at least one downlink data stream within the time window.
- the fluctuation value of the second receiving window is the standard deviation of the receiving window size carried by the downlink packet in the at least one downlink data stream within the time window.
- the downstream characteristics include at least one of a downlink terminal port fluctuation value, the total number of downstream data streams, the number of downstream target data streams, the number of downstream data streams under each data stream type in at least one data stream type, and the number of downstream data streams under each transmission protocol type in at least one transmission protocol type.
- the downstream terminal port fluctuation value is used to indicate the fluctuation of the input port of the at least one downstream data stream in the terminal within the time window, that is, the fluctuation of the input port used for downstream data stream transmission in the terminal within the time window.
- the downlink target data stream is a downlink data stream whose corresponding output port of the server belongs to the target port range.
- the downlink terminal port fluctuation value is the variance value of the port identifier of the input port of at least one downlink data stream in the terminal within the time window.
- the total number of downlink data streams is the total number of the at least one downlink data stream, and the number of the downlink target data streams is the total number of downlink target data streams in the at least one downlink data stream.
- after receiving the transmission feature acquisition instruction, any network device acquires at least one network address (for example, the IP address of at least one second terminal) corresponding to the target terminal type from the transmission feature instruction. Within any time window of multiple time windows, the any network device determines a transmission feature of the second terminal based on any network address in the at least one network address and the data stream transmitted by the second terminal indicated by the any network address, so that the any network device can obtain a transmission feature of the at least one second terminal within the any time window; over the multiple time windows, the any network device can obtain multiple transmission characteristics of the at least one second terminal.
- the way in which the any network device determines a transmission feature of the second terminal, based on any network address in the at least one network address and the data stream transmitted by the second terminal indicated by the any network address, includes Manner 1 or Manner 2.
- Manner 1: within the any time window, the any network device determines a transmission characteristic of the second terminal based on each data stream transmitted by the second terminal.
- Manner 1 can be implemented by the following steps A-C.
- Step A: within the any time window, the any network device determines, based on the any network address, at least one third data stream transmitted by the second terminal indicated by the network address.
- the packets in the at least one third data stream are all WAN packets.
- the network device determines that the data stream to which the any packet belongs is a data stream transmitted by the second terminal; the any network device determines whether the any packet is a WAN packet by comparing the destination IP address and the source IP address of the any packet. If the any packet is a WAN packet, the any network device determines that the data stream to which the any packet belongs is a third data stream transmitted by the second terminal.
- Step B: the any network device acquires the streaming characteristics of each third data stream in the at least one third data stream, where the streaming characteristics of a third data stream are the transmission characteristics of that third data stream.
- the stream transmission characteristics of a data stream include at least one of transmission information, data stream type, target port type, and packet characteristics of the data stream.
- the transmission information is used to indicate the transmission attribute of the data stream, and the transmission information includes at least one of the source address information (source IP address and/or source MAC address), source port identifier, destination address information (destination IP address and/or destination MAC address), destination port identifier, and transmission protocol type of the data stream.
- the transmission information further includes at least one of a direction identifier and an identifier of the time window, where the direction identifier is used to indicate the transmission direction of the data stream.
- the target port type is the port type of the port that transmits the data stream in the server, wherein the port type of the port is divided into a first port type, a second port type and a third port type.
- the port range corresponding to the first port type is the well-known port range [0, 1024)
- the port range corresponding to the second port type is the registered port range [1024, 49152)
- the port range corresponding to the third port type is the private port range [49152, +∞). It should be noted that the port ranges corresponding to the first port type, the second port type, and the third port type can all be set according to specific implementation scenarios.
- for example, the port range corresponding to the first port type is [0, 10001)
- the port range corresponding to the second port type is [10001, 20000)
- the port range corresponding to the third port type is [20000, +∞).
- the embodiment of the present application does not specifically limit the port intervals corresponding to the first port type, the second port type, and the third port type.
- the packet characteristic is the characteristic of the packet in the data flow.
- the packet characteristics include at least one of the sum of packet transmission intervals, the load size, the sum of squares of loads, the number of target packets, the total number of packets, the fluctuation value of the receiving window, the total size of the window, and the sum of squares of the window.
- the sum of the packet transmission intervals is the total duration of the transmission intervals between the packets in the data stream in a time window
- the load size is the total size of the load of the target packets in the data stream in the time window
- the sum of squares of the load is the sum of the squares of the payload of the target packet
- the number of target packets is the total number of target packets in the data stream within the time window
- the total number of packets is the total number of packets in the time window
- the receive window fluctuation value is used to indicate the fluctuation of the receive window size carried by the packets in the data stream within the time window
- the total size of the window is the sum of the sizes of the receiving windows carried by the packets in the data stream within the time window, and the sum of squares of the window is the sum of the squares of the sizes of the sliding windows.
- any network device acquires at least one of the transmission information, data stream type, destination port type, and packet characteristics of the any third data stream, and determines the acquired information as the streaming characteristics of the any third data stream.
- the process of acquiring the transmission information of any third data stream by any network device is the same as the process of acquiring the transmission information of at least one data stream by any network device in step 304, so the process of acquiring the transmission information of any third data stream by a network device will not be repeated.
- the process of acquiring the data stream type of any third data stream by any network device is as follows: the any network device determines, according to the source IP address and destination IP address carried in any packet in the any third data stream, whether the any third data stream is a broadcast data stream or a multicast data stream; if the any third data stream is neither a broadcast data stream nor a multicast data stream, then the any network device determines that the any third data stream is a unicast data stream.
- the process of acquiring the target port type of the any third data stream by the any network device is as follows: the any network device acquires the port identifier of the server in the any packet, and determines the port type to which the port identifier of the server belongs as the target port type.
- the port identifier of the server is the source port identifier or the destination port identifier of any packet.
- the process for the any network device to obtain the packet characteristics of the any third data stream is: within the any time window, the any network device records a first time at which the first packet of the any third data stream is transmitted and a second time at which the last packet is transmitted, and determines the time difference between the second time and the first time as the sum of the packet transmission intervals; within the any time window, the any network device counts the total size of the payload of the target packets in the any third data stream, and determines the total size as the load size; within the any time window, each time the any third data stream transmits one target packet, the any network device calculates the square of the load size of the target packet, so that the any network device obtains at least one load size square within the any time window, and sums the at least one load size square to obtain the sum of squares of the loads; the any network device counts the total number of target packets in the any third data stream in the any time window to obtain the number of target packets; the any network device counts the total number of packets in the any third data stream in the any time window to obtain the total number of packets; within the any time window, the any network device sums the receiving window sizes carried by the packets in the any third data stream to obtain the total window size; within the any time window, the any network device squares the receiving window size carried by each packet in the any third data stream, and sums the squares of the receiving window sizes carried by each packet to obtain the sum of squares of the windows; the any network device obtains, based on the total size of the window and the sum of squares of the windows, the standard deviation of the receiving window size carried by the packets, and determines the standard deviation as the fluctuation value of the receiving window; the sum of the packet
- the IP addresses of the terminals transmitting the data streams a-e are 192.168.1.2, 192.168.1.2, 192.168.1.5, 192.168.1.5, and 192.168.1.6, respectively.
- the streaming characteristics are shown in Table 5 below.
- Step C: the any network device acquires a transmission characteristic of the second terminal based on the streaming transmission characteristic of the at least one third data stream.
- This step C is realized by the processes shown in the following steps C1-C3.
- Step C1: the any network device acquires the upstream transmission characteristics based on the streaming characteristics of at least one upstream data stream in the at least one third data stream.
- the any network device acquires at least one of the upstream packet characteristics and the upstream characteristics of the at least one upstream data stream based on the streaming characteristics of the at least one upstream data stream (referred to as “at least one streaming characteristics”), and will obtain At least one of the received upstream packet feature and upstream feature is determined as the upstream transmission feature.
- the process of acquiring the upstream message feature by the any network device based on the at least one stream transmission feature is: the any network device sums the sums of the message transmission intervals in the at least one stream transmission feature to obtain a first sum value, where the first sum value is the sum of the packet transmission intervals of the upstream packets in the at least one upstream data stream; the any network device sums the total number of packets in the at least one stream transmission characteristic to obtain the number of uplink packets; the any network device divides the first sum value by the number of uplink packets to obtain the average transmission interval of uplink packets; the any network device sums the load sizes in the at least one stream transmission characteristic to obtain the total uplink load size; the any network device sums the number of target packets in the at least one stream transmission feature to obtain the number of uplink target packets; the any network device divides the number of uplink target packets by the number of uplink packets to obtain the proportion of uplink target packets; the any network device divides the total uplink load size by the number of uplink target packet
- the process of acquiring the upstream feature by the any network device based on the at least one streaming feature is: the any network device acquires at least one source port identifier from the transmission information of the at least one streaming feature, calculates the variance of the at least one source port identifier, and determines the variance as the upstream terminal port fluctuation value; the any network device sets the total number of the at least one stream transmission feature as the total number of upstream data streams; the any network device counts the total number of upstream target data streams in the at least one upstream data stream to obtain the number of the upstream target data streams; the any network device acquires the data stream type in the at least one stream transmission feature and, based on the acquired data stream type, counts the number of upstream data streams under each data stream type in the at least one data stream type; the any network device acquires the transmission protocol type in the at least one stream transmission feature and, based on the acquired transmission protocol type, counts the number of upstream data streams under each transmission protocol type in at least one transmission protocol type; any network device determines the upstream terminal port fluctuation value, the total number of upstream data streams, and the number of upstream target data streams, at least one of the number of upstream data streams under each data stream type in at least one data stream
- For example, the at least one upstream data stream includes data stream 1 and data stream 2, data stream 1 is a multicast data stream, data stream 2 is a broadcast data stream, and the at least one data stream type includes multicast, broadcast and unicast data streams; the numbers of upstream data streams under the at least one data stream type are then 1, 1 and 0, respectively.
- Likewise, if the at least one upstream data stream includes data stream 1 and data stream 2, the transmission protocol type of data stream 1 is TCP, the transmission protocol type of data stream 2 is UDP, and the at least one transmission protocol type includes TCP, UDP and ICMP, the numbers of upstream data streams under the at least one transmission protocol type are 1, 1 and 0, respectively.
- Step C2: The network device acquires the downlink transmission characteristic based on the stream transmission characteristic of at least one downlink data stream in the at least one third data stream.
- Step C2 follows the same process as step C1 and is not described again in this embodiment of the present application.
- Step C3: The network device determines the uplink transmission characteristic and the downlink transmission characteristic as one transmission characteristic of the second terminal.
- the network device determines the uplink transmission characteristic as a transmission characteristic of the second terminal. In another possible implementation manner, the network device determines the uplink transmission characteristic, the downlink transmission characteristic and the total number of the at least one third data stream as a transmission characteristic of the second terminal.
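The aggregation described in step C1, as an added example that is not code from the patent: it groups per-stream records by time window and source address, then computes the uplink packet and flow features whose definitions survive in full on this page. The record field names, the use of population variance for the port fluctuation value, and the sample streams are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pvariance

STREAM_TYPES = ("multicast", "broadcast", "unicast")
PROTOCOLS = ("TCP", "UDP", "ICMP")
WINDOW_SECONDS = 3600  # the page's example uses one-hour time windows


@dataclass(frozen=True)
class StreamFeature:
    """Stream transmission feature of one upstream data stream (field names assumed)."""
    start_ts: int             # epoch seconds at which the stream was first seen
    src_ip: str               # network address that identifies the terminal
    src_port: int             # source port identifier
    protocol: str             # one of PROTOCOLS
    stream_type: str          # one of STREAM_TYPES
    interval_sum: float       # sum of packet transmission intervals, in seconds
    packet_count: int         # total number of packets in the stream
    load_size: int            # payload bytes carried by the stream
    target_packet_count: int  # packets the device classified as target packets
    is_target_stream: bool    # whether the device classified the stream as a target stream


def upstream_feature(streams):
    """Aggregate the stream features of one terminal within one time window."""
    if not streams:
        raise ValueError("at least one upstream data stream is required")
    packets = sum(s.packet_count for s in streams)
    if packets <= 0:
        raise ValueError("streams carry no packets")
    target_packets = sum(s.target_packet_count for s in streams)
    return {
        # packet-level features
        "avg_packet_interval": sum(s.interval_sum for s in streams) / packets,
        "packet_count": packets,
        "total_load": sum(s.load_size for s in streams),
        "target_packet_count": target_packets,
        "target_packet_ratio": target_packets / packets,
        # flow-level features
        "port_fluctuation": float(pvariance([s.src_port for s in streams])),
        "stream_count": len(streams),
        "target_stream_count": sum(s.is_target_stream for s in streams),
        "streams_by_type": [sum(s.stream_type == t for s in streams)
                            for t in STREAM_TYPES],
        "streams_by_protocol": [sum(s.protocol == p for s in streams)
                                for p in PROTOCOLS],
    }


def features_by_window_and_terminal(streams, window_seconds=WINDOW_SECONDS):
    """Return {(window index, source address): upstream feature}."""
    groups = defaultdict(list)
    for s in streams:
        groups[(s.start_ts // window_seconds, s.src_ip)].append(s)
    return {key: upstream_feature(group) for key, group in groups.items()}


# Constructed sample input: T0 is aligned to the start of a one-hour window.
T0 = 1474693200
SAMPLE_STREAMS = [
    StreamFeature(T0 + 10, "10.0.0.5", 50000, "TCP", "multicast", 4.0, 10, 1000, 2, True),
    StreamFeature(T0 + 1800, "10.0.0.5", 50004, "UDP", "broadcast", 2.0, 5, 500, 1, False),
    # Same terminal, next window: produces a separate transmission feature.
    StreamFeature(T0 + 3605, "10.0.0.5", 50010, "TCP", "unicast", 1.0, 4, 200, 0, False),
    # Different terminal in the first window.
    StreamFeature(T0 + 20, "10.0.0.9", 40000, "ICMP", "unicast", 0.5, 2, 64, 0, False),
]

if __name__ == "__main__":
    for key, feature in sorted(features_by_window_and_terminal(SAMPLE_STREAMS).items()):
        print(key, feature)
```

The first two sample streams reproduce the page's counting example: one multicast and one broadcast stream give `[1, 1, 0]` by type, and one TCP and one UDP stream give `[1, 1, 0]` by protocol.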
- The data streams a and b in Table 5 are data streams output by the same second terminal, and the network device obtains a transmission feature of that second terminal based on the stream transmission features of data streams a and b in Table 5.
- The source IP addresses of data streams c and d are the same, so data streams c and d are output by the same second terminal, and the network device obtains a transmission characteristic of that second terminal based on the stream transmission characteristics of data streams c and d in Table 5. Based on the stream transmission characteristics of data stream e in Table 5, the network device obtains a transmission characteristic of the second terminal indicated by the destination IP address of data stream e, and finally obtains the transmission characteristics of the three second terminals shown in Table 6.
- FIG. 7 is a schematic diagram of transmission feature acquisition provided by an embodiment of the present application.
- the target duration of a time window in Figure 7 is 1 hour, and each day from 2016-09-22 to 2016-10-12 is divided into 24 time windows.
- The network device obtains a transmission feature of the second terminal in each time window: when any third data stream transmitted by the second terminal is input to the network device, the network device obtains the stream transmission feature of that third data stream; the network device then acquires a transmission feature of the second terminal based on the stream transmission features of the at least one third data stream transmitted in each time window, and can also acquire the terminal type of the second terminal. For example, in the time window of 5:00-5:59 on 2016-09-24, a total of 344 third data streams transmitted by the second terminal are input to the network device; based on the stream transmission features of these 344 third data streams, the network device collects a transmission feature of the second terminal within the time window, which includes, for example, uplink/downlink packet features and uplink/downlink flow features.
- The above example uses 1 hour as the time window for counting transmission characteristics, while some other embodiments use 1 minute as the time window so that the transmission characteristics are counted every minute in real time. The window duration (that is, the target duration) of the time window can be set according to the specific implementation scenario.
- The embodiments of the present application do not specifically limit the window duration of the time window.
- Manner 2: Within any time window, the network device determines a transmission characteristic of the second terminal according to the at least one network address.
- the network device acquires at least one of the upstream packet characteristics of multiple upstream packets carrying the at least one network address and the upstream characteristics of the upstream data streams in which the multiple upstream packets are located, and determines at least one of the acquired upstream packet feature and upstream feature as the upstream transmission feature.
- the process by which the network device obtains the uplink packet characteristics of the multiple uplink packets carrying the at least one network address is as follows: within the time window, the network device counts the total number of the multiple uplink packets carrying the at least one network address to obtain the number of uplink packets; the network device records the arrival times of the first packet and the last packet of the multiple uplink packets in the time window, and divides the time difference between the two arrival times by the target difference to obtain the average transmission interval of uplink packets, where the first packet is the one that carries any of the at least one network address within the time window.
- the average value of the first receiving window size is obtained; at least one of the average transmission interval of uplink packets, the average uplink load, the total uplink load size, the number of uplink packets, the number of uplink target packets, the uplink target packet ratio, the load fluctuation value of the uplink packets, the fluctuation value of the first receiving window, and the average value of the first receiving window size is determined as the uplink packet feature.
- the process by which the network device acquires the upstream characteristics of the upstream data streams in which the multiple upstream packets carrying the at least one network address are located is: within the time window, the network device obtains multiple source port identifiers from the multiple uplink packets carrying the at least one network address, calculates the variance of the multiple source port identifiers, and determines the variance as the uplink terminal port fluctuation value; within the time window, the network device counts the total number of upstream data streams carrying the at least one network address to obtain the total number of upstream data streams; within the time window, the network device counts the upstream target data streams among the upstream data streams carrying the at least one network address to obtain the number of upstream target data streams; within the time window, the network device counts the number of upstream data streams carrying the at least one network address under each data stream type in the at least one data stream type to obtain the number of upstream data streams under each data stream type; within the time window, the network
- The network device can also acquire the downlink transmission characteristic by referring to the process of acquiring the uplink transmission characteristic in Manner 2, and acquire a transmission feature of the second terminal by referring to the process shown in step C3.
- the network device determines a transmission characteristic of the second terminal indicated by each network address based on the foregoing Manner 1 or Manner 2, so that within the multiple time windows the network device can acquire multiple transmission characteristics of the at least one second terminal.
- the network device sends the multiple transmission characteristics of the at least one second terminal to the control device.
- the control device receives multiple transmission characteristics of the at least one second terminal.
- the control device can receive multiple transmission characteristics of the at least one second terminal from each of the at least one network device.
- the control device uses the multiple third transmission features of the at least one second terminal as the input and output of the initial model, and performs training to obtain the target model.
- the plurality of third transmission characteristics are part of the plurality of transmission characteristics of the at least one second terminal.
- One transmission characteristic of each second terminal is one piece of sample data, and each second terminal is a normal terminal. When the number of transmission characteristics of the at least one second terminal received by the control device is greater than or equal to the target number, the sample data of normal terminals is sufficient; the control device divides the received transmission characteristics of the at least one second terminal into three parts and puts them into the training set, the verification set and the test set respectively. That is, the training set, the verification set and the test set each include part of the multiple transmission characteristics of the at least one second terminal, where each transmission characteristic in the training set is a third transmission characteristic, each transmission characteristic in the verification set is a fourth transmission characteristic, and each transmission characteristic in the test set is a sixth transmission characteristic.
- the target model is used to reconstruct normal transmission characteristics.
- the target model is an unsupervised deep neural network model, such as a deep autoencoder model.
- the transmission feature X restored by the decoder where x_n is the n-th feature included in the transmission feature X, such as the total number of upstream data streams, n is the total dimension of the transmission feature X (that is, the total number of features in the transmission feature), n > 1, and x'_n is the reconstructed x_n.
- the control device inputs a plurality of third transmission features into the i-th model, and the i-th model reconstructs each input third transmission feature, and outputs the reconstructed transmission feature of each third transmission feature.
- the control device inputs the plurality of third transmission features and the corresponding reconstructed transmission features into the target loss function and calculates the value of the target loss function; if the value of the target loss function is greater than or equal to the preset threshold and i < q, the control device continues to iterate, based on the optimization algorithm, updating the model parameters of the i-th model to obtain the (i+1)-th model, and enters the (i+1)-th training process; if the value of the target loss function is less than the preset threshold, the control device ends the training and determines the i-th model as the target model; if the value of the target loss function is greater than or equal to the preset difference and i ≥ q, the control device ends the training, so as to avoid continuing the iterative training when the target model cannot be trained; or, if the change in the model parameters between two adjacent iterations is less than a preset model parameter change value, the control device ends the training.
- the optimization algorithm includes a gradient descent algorithm, and the target loss function is shown in the following formula (1), where m is the total number of multiple third transmission features, is the value of the i-th dimension in the j-th third transmission feature, is reconstructed from the target model. n ≥ i > 0, m ≥ j > 0.
- the control device can also display training progress information, which includes the current number of training iterations and the value of the target loss function, so that the user can learn the training progress from the training progress information.
- the control device inputs multiple fourth transmission features of multiple target terminals under the target terminal type into the target model, and the target model reconstructs each fourth transmission feature based on the inputted multiple fourth transmission features, A plurality of fifth transmission characteristics are output, the plurality of fourth transmission characteristics are in one-to-one correspondence with the plurality of fifth transmission characteristics, and one fourth transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a target terminal.
- the multiple target terminals include at least one second terminal and at least one third terminal, wherein the at least one second terminal is a normal terminal, and the at least one third terminal is an abnormal terminal.
- a fifth transmission characteristic is a reconstructed fourth transmission characteristic.
- the verification set also includes multiple transmission characteristics of at least one third terminal.
- the transmission characteristics of the second terminal and the transmission characteristics of the third terminal are both regarded as the first terminal.
- the control device obtains a plurality of fourth transmission features from the verification set and inputs them into the target model, and the target model outputs a plurality of reconstructed fourth transmission features based on the input, wherein the plurality of fourth transmission characteristics belong to at least one second terminal and at least one third terminal, the plurality of reconstructed fourth transmission characteristics are the plurality of fifth transmission characteristics, and each fifth transmission characteristic corresponds to one fourth transmission characteristic.
- the control device acquires the target difference degree based on the plurality of fifth transmission characteristics and the corresponding fourth transmission characteristics.
- the control device obtains the target difference degree based on the degree of difference between at least one fifth transmission characteristic among the plurality of fifth transmission characteristics and the corresponding fourth transmission characteristic; the degree of difference between one fifth transmission characteristic and the corresponding fourth transmission characteristic indicates the difference between that fifth transmission characteristic and the corresponding fourth transmission characteristic, wherein the fourth transmission characteristic corresponding to the at least one fifth transmission characteristic is a transmission characteristic of the second terminal.
- this step 509 is implemented by the processes shown in the following steps 5091-5093.
- Step 5091: For any fourth transmission characteristic of any second terminal in the at least one second terminal, the control device acquires the degree of difference between that fourth transmission characteristic and the corresponding fifth transmission characteristic.
- the degree of difference between the fourth transmission feature and the corresponding fifth transmission feature is the mean square error (MSE) between the corresponding features in the fourth transmission feature and the corresponding fifth transmission feature, as shown in formula (2), where MSE(X, X') is the mean square error between the features in the fourth transmission feature and the corresponding features in the corresponding fifth transmission feature.
- the control device performs step 5091 on each fourth transmission feature of each second terminal in the at least one second terminal, so as to obtain the degrees of difference between the plurality of fourth transmission features of the at least one second terminal and the corresponding fifth transmission features.
- the control device determines a fifth transmission characteristic corresponding to each fourth transmission characteristic of the at least one second terminal as one of the at least one fifth transmission characteristic.
- the control device further screens the multiple fifth transmission characteristics corresponding to the multiple fourth transmission characteristics of the at least one second terminal to obtain the at least one fifth transmission characteristic; for details, refer to the following step 5092.
- Step 5092: Based on the degrees of difference between the plurality of fourth transmission characteristics of the at least one second terminal and the corresponding fifth transmission characteristics, the control device determines the at least one fifth transmission characteristic from among the fifth transmission characteristics corresponding to the plurality of fourth transmission characteristics of the at least one second terminal.
- If the degree of difference is a normal value, it can participate in the calculation of the target difference degree, and the control device determines the fifth transmission characteristic corresponding to that fourth transmission characteristic as one of the at least one fifth transmission characteristic.
- the target difference interval includes a plurality of differences, and the plurality of differences are normal values, all of which can participate in the calculation of the target difference.
- the degree of difference in the target difference interval can be set according to specific conditions.
- the control device adopts a boxplot or sets a quantile to determine the target difference interval.
- the determined target difference interval is [0, 0.1]. Therefore, the scope of the target difference interval is not specifically limited in the embodiments of the present application.
- Step 5093: The control device determines the target difference degree based on the difference degree between the at least one fifth transmission characteristic and the corresponding fourth transmission characteristic.
- the control device obtains the target degree of difference based on the average value or a quantile of at least one degree of difference, wherein the at least one degree of difference includes the degree of difference between the at least one fifth transmission characteristic and the corresponding fourth transmission characteristic, and the quantile includes the median value of the at least one degree of difference.
- the control device obtains the target degree of difference θ based on the average value of the at least one degree of difference, as shown in formula (3).
- MSE[·] is the array formed by the at least one difference degree
- AVE(MSE[·]) is the average value of the at least one difference degree
- STD(MSE[·]) is the standard deviation of the at least one difference degree, used to indicate the fluctuation of the at least one degree of difference
- K is the sensitivity coefficient.
- the target model is not only used to completely reconstruct the normal transmission characteristics, but also used to completely reconstruct the abnormal transmission characteristics. It should be noted that a certain error range is allowed when completely reconstructing the normal transmission characteristics. For example, when the target model reconstructs an actual transmission characteristic, if the difference between the reconstructed transmission characteristic output by the target model and the actual transmission characteristic is smaller than the target difference degree, the target model has completely reconstructed the actual transmission characteristic: if the actual transmission characteristic is a normal transmission characteristic, the reconstruction is accurate; if the actual transmission characteristic is an abnormal transmission characteristic, the reconstruction fails. If the difference between the reconstructed transmission characteristic output by the target model and the actual transmission characteristic is greater than or equal to the target difference degree, the target model has not completely reconstructed the actual transmission characteristic.
- the at least one fourth transmission feature is an actual transmission feature
- the at least one fifth transmission feature is a reconstructed transmission feature
- the normal transmission feature is a transmission feature of a normal terminal, that is, a transmission feature of at least one second terminal
- the abnormal transmission characteristic is the transmission characteristic of the abnormal terminal, that is, the transmission characteristic of at least one third terminal.
- the control device can also dynamically adjust the value of K according to how accurately the target model reconstructs the fourth transmission characteristics of the target terminals, and determine the target difference degree through the adjusted K. In a possible implementation manner, the control device determines the target difference degree by executing the K value update process r times.
- In the j-th K value update process, the control device takes K as K_j and calculates a difference degree θ_j based on formula (3); if, under the difference degree θ_j, the target model meets the first condition, the control device determines the difference degree θ_j as the target difference degree and the K value update ends; otherwise, the control device updates K_j to K_{j+1}, takes K_{j+1} as K, and executes the (j+1)-th K value update process.
- r ≥ j ≥ 1, K_j is the K used in the j-th K value update process, and θ_j is the difference degree calculated based on K_j and formula (3).
- the first condition includes at least one of the following: under the difference degree θ_j, the first precision of the target model is greater than or equal to a first precision threshold, and the first recall of the target model is greater than or equal to the first recall threshold; under the difference degree θ_j, the second precision of the target model is greater than or equal to the second precision threshold, and the second recall of the target model is greater than or equal to the second recall threshold.
- the first precision is the accuracy rate that the target model completely reconstructs the normal transmission features
- the first recall is the probability that the target model completely reconstructs the normal transmission characteristics
- the second precision is the accuracy rate with which the target model does not completely reconstruct abnormal transmission features
- the second recall is the probability that the target model does not completely reconstruct abnormal transmission features.
- This embodiment of the present application does not specifically limit the first precision rate threshold, the first recall rate threshold, the second precision rate threshold, and the second recall rate threshold.
- the control device obtains the number of normal transmission characteristics, the first normal number, the second normal number, the number of abnormal transmission characteristics, the first abnormal number and the second abnormal number; the control device determines the first precision and the first recall based on the number of normal transmission characteristics, the first normal number and the second normal number; the control device determines the second precision and the second recall based on the number of abnormal transmission characteristics, the first abnormal number and the second abnormal number.
- An actual transmission characteristic has a first label, and the first label is used to indicate whether the actual transmission characteristic is a normal transmission characteristic. If the first label is the first normal identification, it means that the actual transmission characteristic is a normal transmission characteristic. If the label is the first abnormality identifier, it means that the actual transmission characteristic is an abnormal transmission characteristic.
- the plurality of fourth transmission characteristics are all actual transmission characteristics; the first labels of the normal transmission characteristics in the plurality of fourth transmission characteristics are all the first normal identifier, and the first labels of the abnormal transmission characteristics in the plurality of fourth transmission characteristics are all the first abnormal identifier.
- the embodiments of the present application do not specifically limit the representations of the first normal identifier and the first abnormal identifier.
- a reconstructed transmission characteristic has a second label, and the second label is used to indicate whether the actual transmission characteristic corresponding to the reconstructed transmission characteristic is a normal transmission characteristic. If the second label is the second normal identifier, the actual transmission characteristic corresponding to the reconstructed transmission characteristic is a normal transmission characteristic, that is, the terminal to which the actual transmission characteristic belongs is a normal terminal; if the second label is the second abnormal identifier, the actual transmission characteristic corresponding to the reconstructed transmission characteristic is an abnormal transmission characteristic, and the terminal to which the actual transmission characteristic belongs is an abnormal terminal.
- the plurality of fifth transmission characteristics are reconstructed transmission characteristics.
- If the degree of difference between a fifth transmission characteristic and the corresponding fourth transmission characteristic is less than the difference degree θ_j, then under the difference degree θ_j the fourth transmission characteristic corresponding to the fifth transmission characteristic is a normal transmission characteristic, and the second label of the fifth transmission characteristic is the second normal identifier; otherwise, under the difference degree θ_j the fourth transmission characteristic corresponding to the fifth transmission characteristic is an abnormal transmission characteristic, and the second label of the fifth transmission characteristic is the second abnormal identifier.
- the embodiments of the present application do not specifically limit the representations of the second normal identifier and the second abnormal identifier.
- the number of normal transmission characteristics is the total number of transmission characteristics of the second terminal in the plurality of fourth transmission characteristics, that is, the total number of normal transmission characteristics in the plurality of fourth transmission characteristics.
- the first normal number is the total number of target normal transmission features in the plurality of fourth transmission features under the difference degree θ_j; a target normal transmission feature is a normal transmission feature, among the plurality of fourth transmission features, that the target model reconstructs accurately.
- the second normal number is the number of fifth transmission characteristics whose second label is the second normal identifier under the difference degree θ_j.
- the number of abnormal transmission characteristics is the total number of transmission characteristics of the third terminal in the plurality of fourth transmission characteristics, that is, the total number of abnormal transmission characteristics in the plurality of fourth transmission characteristics.
- the first abnormal number is the total number of target abnormal transmission features in the plurality of fourth transmission features under the difference degree θ_j; a target abnormal transmission feature is an abnormal transmission feature, among the plurality of fourth transmission features, for which the target model's reconstruction fails; the second abnormal number is the number of fifth transmission characteristics whose second label is the second abnormal identifier under the difference degree θ_j.
- the process by which the control device obtains the number of normal transmission characteristics, the first normal number, the second normal number, the number of abnormal transmission characteristics, the first abnormal number and the second abnormal number includes: if the first label of a fourth transmission characteristic is the first normal identifier, the fourth transmission characteristic is a normal transmission characteristic, and the control device determines the number of first labels of the plurality of fourth transmission characteristics that are the first normal identifier as the number of normal transmission characteristics; if the first label of a fourth transmission characteristic is the first normal identifier and the second label of the fifth transmission characteristic corresponding to the fourth transmission characteristic is the second normal identifier, the target model has reconstructed the fourth transmission characteristic (a normal transmission characteristic) accurately, and the control device determines the fourth transmission characteristic as a target normal transmission characteristic and determines the total number of target normal transmission characteristics in the plurality of fourth transmission characteristics as the first normal number; the control device counts the fifth transmission characteristics whose second label is the second normal identifier and determines the counted number as the second normal number; if
- the characteristic is determined as the target abnormal transmission characteristic, and the control device determines the total number of target abnormal transmission characteristics in the plurality of fourth transmission characteristics as the first abnormal number; the control device counts the fifth transmission characteristics whose second label is the second abnormal identifier and determines the counted number as the second abnormal number.
- the control device determining the first precision rate and the first recall rate based on the number of normal transmission characteristics, the first normal number and the second normal number includes: the control device determines the ratio of the first normal number to the second normal number as the first precision rate, and determines the ratio of the first normal number to the number of normal transmission characteristics as the first recall rate.
- the control device determining the second precision rate and the second recall rate based on the number of abnormal transmission characteristics, the first abnormal number and the second abnormal number includes: the control device determines the ratio of the first abnormal number to the second abnormal number as the second precision rate, and determines the ratio of the first abnormal number to the number of abnormal transmission characteristics as the second recall rate.
- the verification set includes 100 fourth transmission characteristics, of which 90 fourth transmission characteristics are normal transmission characteristics, and 10 fourth transmission characteristics are abnormal transmission characteristics, that is, the number of normal data streams is 90, and the number of abnormal data streams is 10.
- the control device inputs the 100 fourth transmission features into the target model, and the target model outputs 100 fifth transmission features.
- the control device marks the second label of any fifth transmission feature as the second normal identifier to indicate that the fourth transmission feature corresponding to the fifth transmission feature is a normal transmission feature (that is, the fourth transmission feature corresponding to the fifth transmission feature is predicted to be a normal transmission feature); otherwise, the control device marks the second label of the fifth transmission feature as the second abnormal identifier to indicate that the fourth transmission feature corresponding to the fifth transmission feature is an abnormal transmission feature (that is, the fourth transmission feature corresponding to the fifth transmission feature is predicted to be an abnormal transmission feature).
- take as an example the case where, among the 100 fifth transmission features, the number of fifth transmission features whose second label is the second normal identifier is 88 and the number of fifth transmission features whose second label is the second abnormal identifier is 12; that is, the second normal number is 88 and the second abnormal number is 12.
- the first labels of 86 of the fourth transmission characteristics are the first normal identification, indicating that these 86 fourth transmission characteristics are target normal transmission characteristics, so the first normal number is 86
- the first labels of two of the 88 fourth transmission characteristics are the first abnormal identification, indicating that these two fourth transmission characteristics are actually abnormal transmission characteristics; under the difference degree θ_j, the result of the target model reconstructing these two fourth transmission characteristics is inaccurate
- among the 12 fourth transmission characteristics corresponding to the 12 fifth transmission characteristics, the first labels of 8 fourth transmission characteristics are the first abnormal identification, indicating that these 8 fourth transmission characteristics are target abnormal transmission characteristics, so the first abnormal number is 8; the first labels of 4 of the 12 fourth transmission characteristics are the first normal identification, indicating that these 4 fourth transmission characteristics are actually normal transmission characteristics.
- the first precision rate = the first normal number 86 / the second normal number 88
- the first recall rate = the first normal number 86 / the number of normal data streams 90
- the second precision rate = the first abnormal number 8 / the second abnormal number 12
- the second recall rate = the first abnormal number 8 / the number of abnormal data streams 10.
- the predicted fifth transmission feature is also the reconstructed fifth transmission feature.
- if the first precision rate of the target model is greater than or equal to the first precision rate threshold, it means that, under the difference degree θ_j, the output of the target model when reconstructing normal transmission features is basically accurate.
- if the first recall rate of the target model is greater than or equal to the first recall rate threshold, it means that, under the difference degree θ_j, the target model can completely reconstruct normal transmission characteristics with a high probability. Therefore, if the first precision rate of the target model is greater than or equal to the first precision rate threshold and the first recall rate of the target model is greater than or equal to the first recall rate threshold, it indicates that, under the difference degree θ_j, the target model has the function of completely reconstructing normal transmission characteristics.
- if the second precision rate of the target model is greater than or equal to the second precision rate threshold, it means that, under the difference degree θ_j, the output of the target model when reconstructing abnormal transmission features is basically accurate.
- if the second recall rate of the target model is greater than or equal to the second recall rate threshold, it indicates that, under the difference degree θ_j, the target model with a high probability cannot fully reconstruct abnormal transmission characteristics.
- the control device determines the difference degree θ_j as the target difference degree.
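The counting and the four rates described above can be reproduced in a few lines. The following is an added example, not code from the patent: the label strings, the rule that a feature is predicted normal when its difference degree is below θ_j, the difference values, the candidate thresholds and the rate thresholds are all assumptions chosen so that the verification set matches the 100-feature worked example.

```python
from dataclasses import dataclass

NORMAL, ABNORMAL = "normal", "abnormal"  # stand-ins for the normal/abnormal identifications


@dataclass
class Counts:
    normal_features: int = 0    # first label is normal
    abnormal_features: int = 0  # first label is abnormal
    first_normal: int = 0       # first label normal and second label normal
    second_normal: int = 0      # second label normal
    first_abnormal: int = 0     # first label abnormal and second label abnormal
    second_abnormal: int = 0    # second label abnormal


def count_labels(samples, theta_j):
    """samples: one (first_label, difference_degree) pair per fourth transmission feature."""
    c = Counts()
    for first_label, difference in samples:
        # Assumption: predicted normal when the reconstruction difference is below theta_j.
        second_label = NORMAL if difference < theta_j else ABNORMAL
        if first_label == NORMAL:
            c.normal_features += 1
        else:
            c.abnormal_features += 1
        if second_label == NORMAL:
            c.second_normal += 1
            if first_label == NORMAL:
                c.first_normal += 1
        else:
            c.second_abnormal += 1
            if first_label == ABNORMAL:
                c.first_abnormal += 1
    return c


def rates(c):
    """Precision and recall for the normal class (first) and the abnormal class (second)."""
    def ratio(numerator, denominator):
        return numerator / denominator if denominator else 0.0
    return {
        "first_precision": ratio(c.first_normal, c.second_normal),
        "first_recall": ratio(c.first_normal, c.normal_features),
        "second_precision": ratio(c.first_abnormal, c.second_abnormal),
        "second_recall": ratio(c.first_abnormal, c.abnormal_features),
    }


def passing_candidates(samples, candidates, thresholds):
    """Return the candidate difference degrees whose four rates all reach their thresholds."""
    passing = []
    for theta_j in candidates:
        r = rates(count_labels(samples, theta_j))
        if all(r[name] >= minimum for name, minimum in thresholds.items()):
            passing.append(theta_j)
    return passing


# Constructed verification set: 90 normal and 10 abnormal fourth transmission features.
VERIFICATION_SET = (
    [(NORMAL, 0.01)] * 86      # normal, reconstructed well
    + [(NORMAL, 0.09)] * 4     # normal, reconstructed poorly
    + [(ABNORMAL, 0.20)] * 8   # abnormal, reconstructed poorly
    + [(ABNORMAL, 0.03)] * 2   # abnormal, reconstructed well
)

# Constructed thresholds; the page does not fix their values.
THRESHOLDS = {"first_precision": 0.95, "first_recall": 0.95,
              "second_precision": 0.90, "second_recall": 0.80}

if __name__ == "__main__":
    for theta in (0.02, 0.05, 0.1):
        print(theta, rates(count_labels(VERIFICATION_SET, theta)))
    print("passing:", passing_candidates(VERIFICATION_SET, [0.02, 0.05, 0.1], THRESHOLDS))
```

With θ_j = 0.05 the counts match the worked example (88 and 12 predicted, 86 and 8 correct). On this constructed set a smaller θ_j costs second precision, and only the largest candidate meets all four thresholds.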
- the target difference degree is set by the user according to experience, and the target difference degree does not need to be determined by the above formula (3) and the updating method.
- the control device inputs multiple sixth transmission features of multiple target terminals under the target terminal type into the target model, and the target model reconstructs each sixth transmission feature based on the inputted multiple sixth transmission features, A plurality of seventh transmission characteristics are output, the plurality of sixth transmission characteristics are in one-to-one correspondence with the plurality of seventh transmission characteristics, and one sixth transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a target terminal.
- the multiple target terminals include at least one second terminal and at least one third terminal, wherein the at least one second terminal is a normal terminal, and the at least one third terminal is an abnormal terminal.
- a seventh transmission characteristic is a reconstructed sixth transmission characteristic.
- the test set also includes multiple transmission characteristics of at least one third terminal.
- the transmission characteristics of the second terminal and the transmission characteristics of the third terminal are both regarded as the first terminal.
- the control device acquires multiple sixth transmission features from the test set and inputs them into the target model, and the target model outputs multiple reconstructed sixth transmission features based on the input multiple sixth transmission features, wherein the multiple sixth transmission features belong to at least one second terminal and at least one third terminal, the multiple reconstructed sixth transmission features are the multiple seventh transmission features, and each seventh transmission feature corresponds to one sixth transmission feature.
- the control device determines that the target model has passed the verification.
- the control device determines whether the target model meets the second condition based on the degree of difference between the plurality of seventh transmission characteristics and the corresponding sixth transmission characteristics, and if the target model meets the second condition, the control device determines the target The model passes the verification, otherwise, the control device determines that the target model fails the verification, and if the target model fails the verification, the control device jumps to execute steps 507-511 until the finally acquired target model can pass the verification.
- the second condition includes at least one of the following: under the target difference degree, the first precision of the target model is greater than or equal to the third precision threshold, and the first recall of the target model is greater than or equal to the third recall threshold; under the target difference degree, the second precision of the target model is greater than or equal to the fourth precision threshold, and the second recall of the target model is greater than or equal to the fourth recall threshold.
- the embodiments of the present application do not specifically limit the third precision threshold, the third recall threshold, the fourth precision threshold, and the fourth recall threshold.
- the calculation methods of the first precision rate, the first recall rate, the second precision rate, and the second recall rate are described in step 5093 and are not repeated here.
- the control device adds the target model to a model library and assigns a model identifier to the target model, and the model library is used to indicate the target model corresponding to at least one terminal type.
- Each terminal type corresponds to a target model.
- the control device can also store the target model in association with the target terminal type.
- the control device associates the model identifier of the target model with the target terminal type and stores it in a target model list for querying, wherein the target model list is used for recording the target model corresponding to at least one terminal type. For example, if the target terminal type is a camera, and the target model corresponding to the target terminal type is target model 3, the control device stores the camera and target model 3 in association in the target model list shown in Table 8.
- the training is performed by the control device to obtain the target model
- the network device can also perform the training to obtain the target model
- the process by which the network device performs the training is the same as the process by which the control device performs it, and is not described again in this embodiment of the present application.
- the network address corresponding to the target terminal type is delivered to at least one network device through the control device, and each network device collects, based on each delivered network address, the transmission characteristics of the second terminal indicated by that network address; the control device then trains, based on the multiple transmission characteristics of at least one second terminal uploaded by each network device, to obtain the target model corresponding to the target terminal type, so that whether a terminal under the target terminal type is an abnormal terminal can subsequently be verified based on the target model.
- the control device sends the target model to at least one network device, and each network device verifies the terminal under the target terminal type based on the target model.
- the control device sends a model storage instruction to at least one network device, where the model storage instruction is used to instruct to store the target model.
- the model storage instruction includes the target model, the target terminal type, and at least one network address corresponding to the target terminal type, the target difference degree, and the storage identifier.
- the target terminal type is also the terminal type of the second terminal.
- the at least one network address is the network address corresponding to the target terminal type in the configuration table, that is, the network address of at least one second terminal, and the storage identifier is used to indicate storage of the target model.
- the user inputs the target terminal type in the model update interface of the control device, and when the control device detects that the user performs a confirmation operation on the model update interface, the control device is triggered to execute the following operations: based on the target terminal type input in the model update interface, the control device queries the asset table for the model identifier of the target model corresponding to the target terminal type, queries the configuration table for at least one network address corresponding to the target terminal type, and obtains the target model corresponding to the model identifier from the model library; the control device adds the target terminal type, the at least one network address, the target model and the storage identifier to the model storage instruction, and sends the model storage instruction to the at least one network device.
- any network device receives the model storage instruction.
- any network device stores the target model carried in the model storage instruction.
- any network device stores, in association, the target model, the target terminal type, the at least one network address, and the target difference degree carried in the model storage instruction.
- any network device acquires a first transmission characteristic of the first terminal, where the first transmission characteristic is an overall transmission characteristic of at least one first data stream transmitted by the first terminal.
- the terminal type of the first terminal is the target terminal type, and the first terminal is also the verified terminal of the target terminal type.
- the network address of the first terminal is any one of the at least one network address, that is, the network address of any second terminal in the at least one second terminal is the same as the network address of the first terminal.
- Each of the at least one first data stream carries the network address of the first terminal.
- the first transmission characteristic is also a transmission characteristic of the first terminal, that is, the overall transmission characteristic of at least one first data stream transmitted by the first terminal within the one time window.
- the network address of the first terminal carried in the message transmitted by the first terminal is the network address of a second terminal; if the first terminal is a terminal used by the preset service, the first terminal is any one of the at least one second terminal.
- in order to verify whether the first terminal is an abnormal terminal, any network device needs to perform the verification based on the first transmission characteristic of the first terminal; therefore, the network device also needs to obtain the first transmission characteristic of the first terminal.
- any network device determines the at least one data stream as at least one first data stream.
- any network device determines the terminal outputting the at least one first data stream as the first terminal, and determines the first transmission feature of the first terminal based on the at least one first data stream.
- the process by which any network device determines the first transmission feature of the first terminal based on the at least one first data stream is the same as the process by which any network device determines a transmission feature of the second terminal in the above step 504, and is not described again here.
- any network device inputs the first transmission characteristic into a target model, and the target model reconstructs the first transmission characteristic based on the input first transmission characteristic and outputs the second transmission characteristic.
- the target model corresponds to the target terminal type, and the second transmission feature is the first transmission feature reconstructed by the target model.
- the process shown in this step 805 is also a process in which any network device reconstructs the first transmission characteristic based on the first transmission characteristic to obtain the second transmission characteristic.
- any network device determines that the first terminal has not passed the verification, and the target degree of difference is used to indicate the difference between the first transmission characteristic and the second transmission characteristic.
- the degree of difference between the first transmission characteristic and the second transmission characteristic is the mean square error between the second transmission characteristic and the corresponding characteristic in the corresponding first transmission characteristic.
- any network device calculates, based on the above formula (2), the mean square error between the second transmission characteristic and the corresponding characteristic in the corresponding first transmission characteristic, and determines the mean square error as the degree of difference between the first transmission characteristic and the second transmission characteristic; the network device then compares the degree of difference between the first transmission characteristic and the second transmission characteristic with the target degree of difference to determine whether it is greater than or equal to the target degree of difference; if the degree of difference between the first transmission characteristic and the second transmission characteristic is greater than or equal to the target degree of difference, it means that the target model has not completely reconstructed
- if the degree of difference between the first transmission characteristic and the second transmission characteristic is less than the target degree of difference, it means that the target model completely reconstructs the first transmission characteristic, the first transmission characteristic is a normal transmission characteristic, the behavior of the first terminal is normal, and the first terminal is a normal terminal, so any network device determines that the first terminal has passed the verification.
- any network device sends a verification result of the first terminal to the control device, where the verification result is used to indicate whether the first terminal passes the verification.
- the verification result includes the verification identifier and the network address of the first terminal.
- the verification identifier is used to indicate whether the first terminal has passed the verification, and the verification identifier includes a first verification identifier or a second verification identifier, wherein the first verification identifier is used to indicate that the first terminal has passed the verification, and the second verification identifier is used to indicate that the first terminal has not passed the verification. If the first terminal passes the verification, the verification identifier is the first verification identifier, and if the first terminal fails the verification, the verification identifier is the second verification identifier.
- the control device receives the verification result.
- the control device displays the first prompt information, and sends a disconnection instruction to any network device
- the first prompt information is used to prompt the user that the first terminal has failed the verification, and the first prompt information includes the second verification identifier, the network address of the first terminal, and a warning identifier; the warning identifier is used to prompt the user that the first terminal has not passed the verification, that is, to prompt the user that the first terminal is an abnormal terminal.
- the disconnection instruction is used to instruct any network device to disconnect from the first terminal, the disconnection instruction includes the network address of the first terminal and a disconnection identifier, and the disconnection identifier is used to instruct any network device to disconnect from the first terminal.
- the control device is triggered to display the first prompt information, and the disconnection instruction is sent to any network device.
- the control device is triggered to display the first prompt information, and the user can refer to the first prompt information on the control device.
- the user can also perform, on the control device, an operation that triggers the disconnection instruction, and the control device is then triggered to send the disconnection instruction to any network device.
- the control device displays second prompt information, and the second prompt information is used to prompt the user that the first terminal has passed the verification, that is, to prompt that the first terminal is a normal terminal.
- the second prompt information includes the IP address of the first terminal and the first verification identifier.
- any network device receives the disconnection instruction, and disconnects the connection with the first terminal based on the disconnection instruction.
- after any network device receives the disconnection instruction, the network device obtains the network address from the disconnection instruction and disconnects the connection with the first terminal indicated by the network address.
- any network device can also display the first prompt information to prompt the user that the first terminal has not passed the verification.
- if the user performs, on any network device, an operation for triggering the disconnection of the connection with the first terminal, the network device is triggered to directly disconnect the connection with the first terminal, without waiting for the control device to issue a disconnection instruction.
- the terminal is verified by reconstructing the transmission characteristics of the terminal. For example, if the difference between the reconstructed transmission characteristics and the transmission characteristics of the terminal is large, it means that the transmission characteristics of the terminal are abnormal and the terminal is abnormal, so it is determined that the terminal has not passed the verification. Because a terminal has specific normal transmission characteristics that are not easy to counterfeit, this method can accurately verify various abnormal terminals and improve the verification of the terminal. This method can therefore also accurately verify a fake terminal, instead of simply verifying the IP address of the terminal, so as to prevent the fake terminal from passing the verification.
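The verification decision and the messages exchanged afterwards can be traced end to end as follows. This is an added example, not code from the patent: the clamping "model" is only a stand-in for the trained target model, and the message field names, identifier strings, feature values, address and target difference degree are constructed assumptions.

```python
FIRST_VERIFICATION_ID = "verified"       # hypothetical encoding: terminal passed
SECOND_VERIFICATION_ID = "not-verified"  # hypothetical encoding: terminal failed


def difference_degree(first, second):
    """Mean square error between a transmission feature and its reconstruction."""
    if not first or len(first) != len(second):
        raise ValueError("feature vectors must be non-empty and of equal length")
    return sum((a - b) ** 2 for a, b in zip(first, second)) / len(first)


def make_stand_in_model(training_features):
    """Stand-in for the target model (assumption): values inside the per-feature
    range seen in training are reproduced, everything else is clamped to it."""
    lows = [min(column) for column in zip(*training_features)]
    highs = [max(column) for column in zip(*training_features)]

    def reconstruct(feature):
        return [min(max(v, lo), hi) for v, lo, hi in zip(feature, lows, highs)]
    return reconstruct


def verify_terminal(network_address, first_feature, reconstruct, target_difference):
    """Network device side: build the verification result sent to the control device."""
    second_feature = reconstruct(first_feature)
    failed = difference_degree(first_feature, second_feature) >= target_difference
    return {"verification_identifier": SECOND_VERIFICATION_ID if failed else FIRST_VERIFICATION_ID,
            "network_address": network_address}


def handle_result(result):
    """Control device side: return (prompt information, disconnection instruction or None)."""
    address = result["network_address"]
    if result["verification_identifier"] == SECOND_VERIFICATION_ID:
        prompt = {"verification_identifier": SECOND_VERIFICATION_ID,
                  "network_address": address, "warning": True}
        return prompt, {"network_address": address, "disconnect": True}
    return {"verification_identifier": FIRST_VERIFICATION_ID, "network_address": address}, None


class NetworkDevice:
    def __init__(self, connected):
        self.connected = set(connected)

    def apply(self, instruction):
        # Disconnect the terminal named in a disconnection instruction, if any.
        if instruction and instruction.get("disconnect"):
            self.connected.discard(instruction["network_address"])


# Constructed, normalised transmission features of normal camera terminals.
CAMERA_TRAINING = [[0.50, 0.20, 0.10], [0.55, 0.25, 0.12], [0.52, 0.22, 0.11]]
TARGET_DIFFERENCE = 0.01               # constructed target difference degree
ADDRESS = "192.0.2.10"                 # documentation address, same for both terminals
GENUINE_FEATURE = [0.53, 0.21, 0.11]   # real camera behind ADDRESS
FAKE_FEATURE = [0.90, 0.80, 0.11]      # fake terminal reusing ADDRESS

if __name__ == "__main__":
    model = make_stand_in_model(CAMERA_TRAINING)
    device = NetworkDevice([ADDRESS])
    for feature in (GENUINE_FEATURE, FAKE_FEATURE):
        prompt, instruction = handle_result(
            verify_terminal(ADDRESS, feature, model, TARGET_DIFFERENCE))
        device.apply(instruction)
        print(prompt, sorted(device.connected))
```

Both terminals present the same network address, so an address check alone would accept both; only the difference degree separates them.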
- when receiving the data stream transmitted by the terminal, the network device obtains the transmission information of the data stream from the messages in the data stream and uploads the transmission information to the control device; the control device extracts the network address of the terminal (that is, the asset identification) from the transmission information to realize the configuration of the terminal, and the user marks the terminal type of the terminal in the asset table based on the network address of the terminal (for example, the network address of the terminal is stored in association with the terminal type of the terminal).
- the control device sends the network address information (that is, device information) of the terminal corresponding to the target terminal type to the network device, and the network device matches at least one data stream transmitted by the terminal of the corresponding device type based on the delivered network address.
- the network device obtains the transmission characteristics of the corresponding terminal based on the stream transmission characteristics of the at least one data stream, and sends the transmission characteristics of the corresponding terminal to the sample library in the control device; based on the transmission characteristics of at least one terminal under the target terminal type in the sample library, the control device trains to obtain a target model corresponding to the target terminal type and sends the target model to the network device, and the network device verifies the terminal under the target terminal type based on the target model. If the terminal fails the verification, a warning message, which is the first prompt message, is displayed.
- the user issues an isolation policy to the network device, such as disconnecting the terminal that fails the verification; after receiving the isolation policy, the network device disconnects the connection with the terminal that has not passed the verification.
- FIG. 10 is a schematic structural diagram of an apparatus for realizing terminal verification provided by an embodiment of the present application.
- the apparatus 1000 includes:
- a first acquisition module 1001 configured to acquire a first transmission characteristic of a first terminal, where the first transmission characteristic is an overall transmission characteristic of at least one first data stream transmitted by the first terminal;
- a first reconstruction module 1002 configured to reconstruct the first transmission characteristic based on the first transmission characteristic to obtain a second transmission characteristic, where the second transmission characteristic is the reconstructed first transmission feature;
- a determination module 1003 configured to determine that the first terminal fails the verification if the degree of difference between the first transmission characteristic and the second transmission characteristic is greater than or equal to a target degree of difference.
- the first transmission characteristic includes an uplink transmission characteristic, where the uplink transmission characteristic is an overall transmission characteristic of at least one upstream data stream in the at least one first data stream.
- the upstream transmission feature includes at least one of an upstream message feature and an upstream feature, where the upstream message feature is an overall feature of the upstream messages in the at least one upstream data stream, and the upstream feature is a statistical feature of the at least one upstream data stream.
- the uplink packet characteristics include at least one of the average transmission interval of uplink packets, the average uplink load, the total uplink load size, the number of uplink packets, the number of uplink target packets, the proportion of uplink target packets, and the uplink packet load fluctuation value
- the average transmission interval of the uplink packets is the average transmission interval of the uplink packets in a time window
- the average uplink load is the average size of the load of the target packets in the at least one upstream data stream within the time window
- the total size of the upstream load is the total size of the load of the target packets in the at least one upstream data stream within the time window
- the number of the upstream packets is the number of upstream packets in the at least one upstream data stream within the time window
- the number of upstream target packets is the number of target packets in the at least one upstream data stream within the time window
- the proportion of the uplink target packets is the proportion of target packets in the at least one upstream data stream within the time window
- the uplink packet load fluctuation value is used to indicate the size fluctuation of the target packets in the at least one upstream data stream
- the upstream characteristics include at least one of the upstream terminal port fluctuation value, the total number of upstream data streams, the number of upstream target data streams, the number of upstream data streams under each data stream type in at least one data stream type, and the number of upstream data streams under each transmission protocol type in at least one transmission protocol type; the upstream terminal port fluctuation value is used to indicate the fluctuation of the output port of the at least one upstream data stream in the first terminal within the time window, and the upstream target data stream is an upstream data stream whose corresponding server input port belongs to the target port range.
- the uplink packet feature further includes at least one of a first receiving window fluctuation value and an average value of the first receiving window size, where the first receiving window fluctuation value is used to indicate the fluctuation of the receive window size carried by the upstream packets.
- the first receiving window fluctuation value is the standard deviation of the receiving window size carried by the uplink packet within the time window.
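The uplink features listed above can be computed from the packets seen in one time window. This is an added example, not code from the patent. It assumes a target packet is a packet with a non-empty load, that every fluctuation value is a population standard deviation (the page states a standard deviation only for the receive window), and that one upstream data stream corresponds to one (terminal port, server port) pair; the record fields, packets and target port range are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class UplinkPacket:
    timestamp: float    # seconds
    terminal_port: int  # output port on the first terminal
    server_port: int    # input port on the server
    payload_len: int    # load size in bytes
    recv_window: int    # receive window size carried by the packet


def uplink_features(packets, window_start, window_len, target_ports):
    """Overall uplink transmission features of one terminal within one time window."""
    in_window = sorted(
        (p for p in packets if window_start <= p.timestamp < window_start + window_len),
        key=lambda p: p.timestamp)
    if not in_window:
        return None
    # Assumption: a "target packet" is a packet that carries a non-empty load.
    loads = [p.payload_len for p in in_window if p.payload_len > 0]
    gaps = [b.timestamp - a.timestamp for a, b in zip(in_window, in_window[1:])]
    windows = [p.recv_window for p in in_window]
    # Assumption: one upstream data stream per (terminal port, server port) pair.
    streams = sorted({(p.terminal_port, p.server_port) for p in in_window})
    return {
        "avg_interval": mean(gaps) if gaps else 0.0,
        "avg_load": mean(loads) if loads else 0.0,
        "total_load": sum(loads),
        "packet_count": len(in_window),
        "target_packet_count": len(loads),
        "target_packet_ratio": len(loads) / len(in_window),
        "load_fluctuation": pstdev(loads) if loads else 0.0,
        "recv_window_fluctuation": pstdev(windows),
        "recv_window_avg": mean(windows),
        "terminal_port_fluctuation": pstdev([port for port, _ in streams]),
        "stream_count": len(streams),
        "target_stream_count": sum(1 for _, server in streams if server in target_ports),
    }


TARGET_PORT_RANGE = range(1, 1024)  # constructed target port range

# Constructed uplink packets of one terminal; the last one falls outside the window.
SAMPLE_PACKETS = [
    UplinkPacket(0.0, 50000, 554, 0, 1000),
    UplinkPacket(1.0, 50000, 554, 100, 1000),
    UplinkPacket(2.0, 50000, 554, 300, 3000),
    UplinkPacket(4.0, 50002, 8080, 200, 3000),
    UplinkPacket(70.0, 50004, 554, 500, 3000),
]

if __name__ == "__main__":
    for name, value in uplink_features(SAMPLE_PACKETS, 0.0, 60.0, TARGET_PORT_RANGE).items():
        print(f"{name}: {value}")
```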
- the first transmission characteristic further includes at least one of the total number of the at least one first data stream and a downlink transmission characteristic
- the downlink transmission characteristic is at least one of the at least one first data stream The overall transmission characteristics of the downstream data stream.
- the downlink transmission characteristic includes at least one of a downlink packet characteristic and a downlink characteristic
- the downlink packet characteristic is an overall characteristic of a downlink packet in the at least one downlink data stream
- the downlink characteristic is is a statistical feature of the at least one downstream data stream.
- the characteristics of the downlink packets include the average transmission interval of downlink packets, the average value of downlink loads, the size of the total downlink load, the number of downlink packets, the number of downlink target packets, the proportion of downlink target packets, and the downlink packet size.
- the average transmission interval of the downlink packets is the average transmission interval of the downlink packets in a time window
- the average downlink load is the at least one transmission interval of the downlink packets in the time window the average size of the load of the target packets in the downlink data stream
- the total size of the downlink load is the total size of the load of the target packets in the at least one downlink data stream within the time window
- the number of the downlink packets is the number of downlink packets in the at least one downlink data stream in the time window
- the number of downlink target packets is the number of target packets in the at least one downlink data stream in the time window
- the proportion of downlink target packets is the proportion of target packets in the at least one downlink data stream within the time window
- the downlink packet load fluctuation value is used to indicate the size fluctuation of the target packets in the at least one downlink data stream within the time window
- the downlink flow characteristic includes at least one of a downlink terminal port fluctuation value, the total number of downlink data streams, the number of downlink target data streams, the number of downlink data streams under each data stream type in at least one data stream type, and the number of downlink data streams under each transmission protocol type in at least one transmission protocol type
- the downlink terminal port fluctuation value is used to indicate the fluctuation of the input port of the at least one downlink data stream in the first terminal within the time window, and the downlink target data stream is a downlink data stream whose corresponding server output port belongs to the target port range.
- the downlink packet characteristic further includes at least one of a second receive window fluctuation value and an average value of the second receive window size, where the second receive window fluctuation value is used to indicate the fluctuation of the receive window size carried by the downlink packets.
- the second receiving window fluctuation value is the standard deviation of the receiving window size carried by the downlink packet within the time window.
- the first obtaining module 1001 is used for:
- the first transmission characteristic is obtained based on the stream transmission characteristics of the at least one first data stream.
- the stream transmission characteristic of a first data stream includes at least one of the transmission information, data stream type, target port type, and message characteristics of the first data stream, where the transmission information is used to indicate the transmission attribute of the data stream, the target port type is the port type of the port in the server that transmits the first data stream, and the message characteristic is the characteristic of the messages in the first data stream.
- the transmission information includes at least one element in a five-tuple of the first data stream
- the message characteristics include at least one of the sum of message transmission intervals, the load size, the sum of squares of the loads, the number of target messages, the total number of messages, the fluctuation value of the receiving window, the total size of the window, and the sum of squares of the window.
- the sum of packet transmission intervals is the total duration of transmission intervals between packets in the first data stream within a time window
- the load size is the total size of the load of the target packets in the first data stream within the time window
- the sum of squares of the load is the sum of the squares of the load sizes of the target packets
- the number of target packets is the total number of target packets in the packets within the time window
- the total number of packets is the total number of packets in the time window
- the receiving window fluctuation value is used to indicate the fluctuation of the receiving window size carried by the packet in the time window
- the total size of the window is the sum of the sizes of the receiving windows carried by the message within the time window
- the sum of squares of the windows is the sum of the squares of the sizes of the sliding windows.
- the transmission information further includes at least one of a direction identifier and an identifier of the time window, where the direction identifier is used to indicate the transmission direction of the first data stream.
- the first reconstruction module 1002 is used for:
- the first transmission feature is input into a target model, and the target model reconstructs the first transmission feature based on the inputted first transmission feature, and outputs the second transmission feature.
- the apparatus 1000 further includes:
- a training module configured to use multiple third transmission features of at least one second terminal under the target terminal type as the input and output of the initial model, and perform training to obtain the target model, where the target terminal type is the terminal type of the first terminal, and a third transmission feature is an overall transmission characteristic of at least one data stream transmitted by a second terminal.
- the apparatus 1000 further includes:
- the second reconstruction module is configured to input multiple fourth transmission characteristics of multiple target terminals under the target terminal type into the target model, and the target model reconstructs each fourth transmission characteristic based on the inputted fourth transmission characteristics and outputs multiple fifth transmission characteristics, where the target terminal type is the terminal type of the first terminal, the multiple fourth transmission characteristics are in one-to-one correspondence with the multiple fifth transmission characteristics, and a fourth transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by a target terminal;
- the second obtaining module is configured to obtain the target difference degree based on the plurality of fifth transmission characteristics and the plurality of fourth transmission characteristics.
- the second obtaining module is used for:
- the target difference degree is obtained based on a degree of difference between at least one fifth transmission characteristic among the plurality of fifth transmission characteristics and a corresponding fourth transmission characteristic.
- the apparatus 1000 further includes:
- the third reconstruction module is configured to input multiple sixth transmission features of multiple target terminals under the target terminal type into the target model, and the target model reconstructs each sixth transmission feature based on the inputted sixth transmission features and outputs a plurality of seventh transmission features, where the target terminal type is the terminal type of the first terminal, the plurality of sixth transmission features are in one-to-one correspondence with the plurality of seventh transmission features, and a sixth transmission feature is an overall transmission characteristic of at least one data stream transmitted by a target terminal;
- the determining module 1003 is further configured to determine that the target model has passed the verification based on the degree of difference between the plurality of seventh transmission characteristics and the corresponding sixth transmission characteristics.
- the apparatus 1000 further includes:
- a third acquiring module configured to acquire transmission information of at least one second data stream transmitted by the at least one second terminal, where the transmission information is used to indicate a transmission attribute of the data stream;
- a storage module configured to store the transmission information in association with the terminal type of the second terminal
- the third acquiring module is further configured to acquire multiple transmission characteristics of the at least one second terminal based on the transmission information associated with the terminal type, where one transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by the terminal.
- the apparatus 1000 further includes:
- the receiving module is used for receiving the target model from the control device.
- the apparatus 1000 is a control device or a network device.
- the apparatus 1000 verifies the terminal by reconstructing the transmission characteristics of the terminal. For example, if the difference between the reconstructed transmission characteristics and the transmission characteristics of the terminal is large, the transmission characteristics of the terminal are abnormal and the terminal is an abnormal terminal, so it is determined that the terminal has not passed the verification. Because a terminal has specific normal transmission characteristics that are not easy to counterfeit, the apparatus 1000 can accurately verify various abnormal terminals, which improves the accuracy of terminal verification. A counterfeit terminal is one kind of abnormal terminal, so the apparatus 1000 can also accurately verify counterfeit terminals, rather than verifying only the IP address of the terminal, which prevents a counterfeit terminal from passing the verification.
- FIG. 11 shows an apparatus for realizing terminal verification provided by an embodiment of the present application; the apparatus 1100 includes:
- an acquisition module 1101 configured to acquire a plurality of third transmission characteristics of at least one second terminal of the target terminal type, where a third transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by a second terminal;
- the training module 1102 is configured to use the plurality of third transmission features as the input and output of the initial model, and perform training to obtain a target model, where the target model is used to reconstruct the transmission characteristics of a terminal to be verified of the target terminal type in order to verify the terminal to be verified, and the transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by the terminal to be verified.
- the apparatus 1100 further includes:
- the sending module 1103 is configured to send the target model to the network device.
- the apparatus 1100 further includes:
- the first reconstruction module is configured to input a plurality of fourth transmission characteristics of a plurality of target terminals under the target terminal type into the target model, and the target model reconstructs each fourth transmission characteristic based on the inputted fourth transmission characteristics and outputs a plurality of fifth transmission characteristics, where the plurality of fourth transmission characteristics are in one-to-one correspondence with the plurality of fifth transmission characteristics, and a fourth transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by a target terminal;
- the first target obtaining module is further configured to obtain the target difference degree based on the plurality of fifth transmission characteristics and the plurality of fourth transmission characteristics.
- the first target acquisition module is used for:
- the target difference degree is obtained based on a degree of difference between at least one fifth transmission characteristic among the plurality of fifth transmission characteristics and a corresponding fourth transmission characteristic.
- the apparatus 1100 further includes:
- the second reconstruction module is configured to input a plurality of sixth transmission characteristics of multiple target terminals under the target terminal type into the target model, and the target model reconstructs each sixth transmission characteristic based on the inputted sixth transmission characteristics and outputs a plurality of seventh transmission features, where the plurality of sixth transmission features are in one-to-one correspondence with the plurality of seventh transmission features, and a sixth transmission feature is the overall transmission characteristic of at least one data stream transmitted by a target terminal;
- a determination module configured to determine that the target model has passed the verification based on the degree of difference between the plurality of seventh transmission characteristics and the corresponding sixth transmission characteristics.
- the apparatus 1100 further includes:
- a second target acquisition module configured to acquire transmission information of at least one second data stream transmitted by the at least one second terminal, where the transmission information is used to indicate a transmission attribute of the data stream;
- a storage module configured to store the transmission information in association with the terminal type of the second terminal
- the second target acquisition module is further configured to acquire multiple transmission characteristics of the at least one second terminal based on the transmission information associated with the terminal type, where one transmission characteristic is an overall transmission characteristic of at least one data stream transmitted by the terminal.
- Embodiments of the present application also provide a computer program product or computer program, where the computer program product or computer program includes computer instructions stored in a computer-readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium and executes them, so that the electronic device executes the above-mentioned method for realizing terminal verification.
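An added example, not part of the patent text: the per-flow sums and sums of squares listed in the description are enough to compute the terminal-level averages and the standard-deviation fluctuation values without keeping any packets. The field names, the reading of "target packet" as a packet with a non-empty payload, the use of a standard deviation for the load fluctuation, the averaging of intervals over all gaps, and the sample flows are assumptions made here.

```python
import math


def flow_stats(direction, packets):
    """Fold one flow's packets [(timestamp_s, payload_len, recv_window), ...]
    into per-flow accumulators for one time window; packets are not kept.
    direction is "up" (terminal to server) or "down" (server to terminal)."""
    s = {"direction": direction,
         "interval_sum": 0.0,   # sum of packet transmission intervals, seconds
         "load_sum": 0,         # load size: payload bytes of target packets
         "load_sq_sum": 0,      # sum of squares of the load
         "target_pkts": 0,      # number of target packets
         "total_pkts": 0,       # total number of packets
         "window_sum": 0,       # total size of the window
         "window_sq_sum": 0}    # sum of squares of the window
    prev_ts = None
    for ts, payload_len, recv_window in packets:
        if prev_ts is not None:
            s["interval_sum"] += ts - prev_ts
        prev_ts = ts
        s["total_pkts"] += 1
        s["window_sum"] += recv_window
        s["window_sq_sum"] += recv_window * recv_window
        if payload_len > 0:  # assumption: a "target packet" carries payload
            s["target_pkts"] += 1
            s["load_sum"] += payload_len
            s["load_sq_sum"] += payload_len * payload_len
    return s


def _mean_std(total, sq_total, n):
    """Mean and population standard deviation from sum, sum of squares, count."""
    if n == 0:
        return 0.0, 0.0
    mean = total / n
    return mean, math.sqrt(max(0.0, sq_total / n - mean * mean))


def terminal_features(flows, direction):
    """Merge all flows of one direction into the terminal's overall features."""
    sel = [f for f in flows if f["direction"] == direction]
    total = lambda key: sum(f[key] for f in sel)
    pkts, targets = total("total_pkts"), total("target_pkts")
    gaps = sum(max(f["total_pkts"] - 1, 0) for f in sel)  # n packets, n-1 gaps
    load_mean, load_std = _mean_std(total("load_sum"), total("load_sq_sum"), targets)
    win_mean, win_std = _mean_std(total("window_sum"), total("window_sq_sum"), pkts)
    return {
        "flow_count": len(sel),
        "avg_interval": total("interval_sum") / gaps if gaps else 0.0,
        "load_mean": load_mean,
        "load_total": total("load_sum"),
        "pkt_count": pkts,
        "target_pkt_count": targets,
        "target_pkt_ratio": targets / pkts if pkts else 0.0,
        "load_fluctuation": load_std,    # assumption: standard deviation
        "window_mean": win_mean,
        "window_fluctuation": win_std,   # standard deviation, as the text states
    }


# Constructed sample: one time window of a camera-like terminal (not capture data).
SAMPLE_FLOWS = [
    flow_stats("up", [(0.00, 0, 64240), (0.04, 1400, 64240),
                      (0.08, 1400, 64000), (0.12, 1200, 64240)]),
    flow_stats("up", [(0.01, 0, 65535), (0.51, 200, 65535), (1.01, 200, 65535)]),
    flow_stats("down", [(0.02, 0, 29200), (0.06, 0, 29200)]),
]

if __name__ == "__main__":
    for d in ("up", "down"):
        print(d, terminal_features(SAMPLE_FLOWS, d))
```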
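Description
Uplink identifier | Downlink identifier |
Source IP address | Destination IP address |
192.168.1.240 | 192.168.1.150 |
192.168.1.180 |

Terminal type | Terminal IP address |
Camera | 192.168.1.240 |
 | 192.168.1.180 |
Speaker | 192.168.1.150 |

Model identifier | Terminal type |
Target model 1 | Speaker |
Target model 2 | ATM |
Target model 3 | Camera |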
Claims (37)
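- A method for implementing terminal verification, characterized in that the method includes: obtaining a first transmission characteristic of a first terminal, the first transmission characteristic being the overall transmission characteristic of at least one first data stream transmitted by the first terminal; reconstructing the first transmission characteristic based on the first transmission characteristic to obtain a second transmission characteristic, the second transmission characteristic being the reconstructed first transmission characteristic; and if the degree of difference between the first transmission characteristic and the second transmission characteristic is greater than or equal to a target degree of difference, determining that the first terminal has not passed verification.
- The method according to claim 1, characterized in that the first transmission characteristic includes an uplink transmission characteristic, the uplink transmission characteristic being the overall transmission characteristic of at least one uplink data stream in the at least one first data stream.
- The method according to claim 2, characterized in that the uplink transmission characteristic includes at least one of an uplink packet characteristic and an uplink flow characteristic, the uplink packet characteristic being the overall characteristic of the uplink packets in the at least one uplink data stream, and the uplink flow characteristic being a statistical characteristic of the at least one uplink data stream.
- The method according to claim 3, characterized in that the uplink packet characteristic includes at least one of an average uplink packet transmission interval, an average uplink load, a total uplink load size, a number of uplink packets, a number of uplink target packets, a proportion of uplink target packets, and an uplink packet load fluctuation value, where the average uplink packet transmission interval is the average transmission interval of the uplink packets within a time window, the average uplink load is the average size of the load of target packets in the at least one uplink data stream within the time window, the total uplink load size is the total size of the load of target packets in the at least one uplink data stream within the time window, the number of uplink packets is the number of uplink packets in the at least one uplink data stream within the time window, the number of uplink target packets is the number of target packets in the at least one uplink data stream within the time window, the proportion of uplink target packets is the proportion of target packets in the at least one uplink data stream within the time window, and the uplink packet load fluctuation value is used to indicate the size fluctuation of target packets in the at least one uplink data stream within the time window; the uplink flow characteristic includes at least one of an uplink terminal port fluctuation value, a total number of uplink data streams, a number of uplink target data streams, a number of uplink data streams under each data stream type in at least one data stream type, and a number of uplink data streams under each transmission protocol type in at least one transmission protocol type, where the uplink terminal port fluctuation value is used to indicate the fluctuation of the output port of the at least one uplink data stream in the first terminal within the time window, and an uplink target data stream is an uplink data stream whose corresponding server input port belongs to a target port range.
- The method according to claim 4, characterized in that the uplink packet characteristic further includes at least one of a first receive window fluctuation value and an average first receive window size, the first receive window fluctuation value being used to indicate the fluctuation of the receive window size carried by the uplink packets within the time window.
- The method according to any one of claims 2 to 5, characterized in that the first transmission characteristic further includes at least one of the total number of the at least one first data stream and a downlink transmission characteristic, the downlink transmission characteristic being the overall transmission characteristic of at least one downlink data stream in the at least one first data stream.
- The method according to claim 6, characterized in that the downlink transmission characteristic includes at least one of a downlink packet characteristic and a downlink flow characteristic, the downlink packet characteristic being the overall characteristic of the downlink packets in the at least one downlink data stream, and the downlink flow characteristic being a statistical characteristic of the at least one downlink data stream.
- The method according to claim 7, characterized in that the downlink packet characteristic includes at least one of an average downlink packet transmission interval, an average downlink load, a total downlink load size, a number of downlink packets, a number of downlink target packets, a proportion of downlink target packets, and a downlink packet load fluctuation value, where the average downlink packet transmission interval is the average transmission interval of the downlink packets within a time window, the average downlink load is the average size of the load of target packets in the at least one downlink data stream within the time window, the total downlink load size is the total size of the load of target packets in the at least one downlink data stream within the time window, the number of downlink packets is the number of downlink packets in the at least one downlink data stream within the time window, the number of downlink target packets is the number of target packets in the at least one downlink data stream within the time window, the proportion of downlink target packets is the proportion of target packets in the at least one downlink data stream within the time window, and the downlink packet load fluctuation value is used to indicate the size fluctuation of target packets in the at least one downlink data stream within the time window; the downlink flow characteristic includes at least one of a downlink terminal port fluctuation value, a total number of downlink data streams, a number of downlink target data streams, a number of downlink data streams under each data stream type in at least one data stream type, and a number of downlink data streams under each transmission protocol type in at least one transmission protocol type, where the downlink terminal port fluctuation value is used to indicate the fluctuation of the input port of the at least one downlink data stream in the first terminal within the time window, and a downlink target data stream is a downlink data stream whose corresponding server output port belongs to a target port range.
- The method according to claim 8, characterized in that the downlink packet characteristic further includes at least one of a second receive window fluctuation value and an average second receive window size, the second receive window fluctuation value being used to indicate the fluctuation of the receive window size carried by the downlink packets.
- The method according to any one of claims 1 to 9, characterized in that obtaining the first transmission characteristic of the first terminal includes: obtaining the stream transmission characteristic of each first data stream in the at least one first data stream; and obtaining the first transmission characteristic based on the stream transmission characteristics of the at least one first data stream.
- The method according to claim 10, characterized in that the stream transmission characteristic of one first data stream includes at least one of the transmission information, data stream type, target port type, and packet characteristic of the first data stream, where the transmission information is used to indicate a transmission attribute of the data stream, the target port type is the port type of the port in the server that transmits the first data stream, and the packet characteristic is the characteristic of the packets in the first data stream.
- The method according to claim 11, characterized in that the transmission information includes at least one element of the five-tuple of the first data stream; the packet characteristic includes at least one of a sum of packet transmission intervals, a load size, a sum of squares of the load, a number of target packets, a total number of packets, a receive window fluctuation value, a total window size, and a sum of squares of the window, where the sum of packet transmission intervals is the total duration of the transmission intervals between packets in the first data stream within a time window, the load size is the total size of the load of target packets in the first data stream within the time window, the sum of squares of the load is the sum of the squares of the load sizes of the target packets, the number of target packets is the total number of target packets among the packets within the time window, the total number of packets is the total number of the packets within the time window, the receive window fluctuation value is used to indicate the fluctuation of the receive window size carried by the packets within the time window, the total window size is the sum of the receive window sizes carried by the packets within the time window, and the sum of squares of the window is the sum of the squares of the sizes of the sliding window.
- The method according to claim 12, characterized in that the transmission information further includes at least one of a direction identifier and an identifier of the time window, the direction identifier being used to indicate the transmission direction of the first data stream.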
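- The method according to any one of claims 1 to 13, characterized in that reconstructing the first transmission characteristic based on the first transmission characteristic to obtain the second transmission characteristic includes: inputting the first transmission characteristic into a target model, the target model reconstructing the first transmission characteristic based on the inputted first transmission characteristic and outputting the second transmission characteristic.
- The method according to claim 14, characterized in that, before inputting the first transmission characteristic into the target model, the method further includes: using multiple third transmission characteristics of at least one second terminal under a target terminal type as the input and output of an initial model, and performing training to obtain the target model, where the target terminal type is the terminal type of the first terminal, and one third transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by one second terminal.
- The method according to claim 14 or 15, characterized in that, before inputting the first transmission characteristic into the target model, the method further includes: inputting multiple fourth transmission characteristics of multiple target terminals under a target terminal type into the target model, the target model reconstructing each fourth transmission characteristic based on the inputted multiple fourth transmission characteristics and outputting multiple fifth transmission characteristics, where the target terminal type is the terminal type of the first terminal, the multiple fourth transmission characteristics are in one-to-one correspondence with the multiple fifth transmission characteristics, and one fourth transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by one target terminal; and obtaining the target degree of difference based on the multiple fifth transmission characteristics and the multiple fourth transmission characteristics.
- The method according to claim 16, characterized in that obtaining the target degree of difference based on the multiple fifth transmission characteristics and the multiple fourth transmission characteristics includes: obtaining the target degree of difference based on the degree of difference between at least one fifth transmission characteristic among the multiple fifth transmission characteristics and the corresponding fourth transmission characteristic.
- The method according to any one of claims 14 to 17, characterized in that, before inputting the first transmission characteristic into the target model, the method further includes: inputting multiple sixth transmission characteristics of multiple target terminals under a target terminal type into the target model, the target model reconstructing each sixth transmission characteristic based on the inputted multiple sixth transmission characteristics and outputting multiple seventh transmission characteristics, where the target terminal type is the terminal type of the first terminal, the multiple sixth transmission characteristics are in one-to-one correspondence with the multiple seventh transmission characteristics, and one sixth transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by one target terminal; and determining, based on the degree of difference between the multiple seventh transmission characteristics and the corresponding sixth transmission characteristics, that the target model has passed verification.
- The method according to any one of claims 14 to 18, characterized in that, before inputting the first transmission characteristic into the target model, the method further includes: obtaining transmission information of at least one second data stream transmitted by the at least one second terminal, the transmission information being used to indicate a transmission attribute of a data stream; storing the transmission information in association with the terminal type of the second terminal; and obtaining, based on the transmission information associated with the terminal type, multiple transmission characteristics of the at least one second terminal, one transmission characteristic being the overall transmission characteristic of at least one data stream transmitted by a terminal.
- The method according to claim 14, characterized in that, before inputting the first transmission characteristic into the target model, the method further includes: receiving the target model from a control device.
- The method according to any one of claims 1 to 19, characterized in that the method is executed by a control device or a network device.
- A method for implementing terminal verification, characterized in that the method includes: obtaining multiple third transmission characteristics of at least one second terminal of a target terminal type, one third transmission characteristic being the overall transmission characteristic of at least one data stream transmitted by one second terminal; and using the multiple third transmission characteristics as the input and output of an initial model, and performing training to obtain a target model, where the target model is used to reconstruct the transmission characteristic of a terminal to be verified of the target terminal type in order to verify the terminal to be verified, and the transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by the terminal to be verified.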
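- An apparatus for implementing terminal verification, characterized in that the apparatus includes: a first obtaining module, configured to obtain a first transmission characteristic of a first terminal, the first transmission characteristic being the overall transmission characteristic of at least one first data stream transmitted by the first terminal; a first reconstruction module, configured to reconstruct the first transmission characteristic based on the first transmission characteristic to obtain a second transmission characteristic, the second transmission characteristic being the reconstructed first transmission characteristic; and a determining module, configured to determine that the first terminal has not passed verification if the degree of difference between the first transmission characteristic and the second transmission characteristic is greater than or equal to a target degree of difference.
- The apparatus according to claim 23, characterized in that the first transmission characteristic includes an uplink transmission characteristic, the uplink transmission characteristic being the overall transmission characteristic of at least one uplink data stream in the at least one first data stream.
- The apparatus according to claim 24, characterized in that the uplink transmission characteristic includes at least one of an uplink packet characteristic and an uplink flow characteristic, the uplink packet characteristic being the overall characteristic of the uplink packets in the at least one uplink data stream, and the uplink flow characteristic being a statistical characteristic of the at least one uplink data stream.
- The apparatus according to claim 24 or 25, characterized in that the first transmission characteristic further includes at least one of the total number of the at least one first data stream and a downlink transmission characteristic, the downlink transmission characteristic being the overall transmission characteristic of at least one downlink data stream in the at least one first data stream.
- The apparatus according to claim 26, characterized in that the downlink transmission characteristic includes at least one of a downlink packet characteristic and a downlink flow characteristic, the downlink packet characteristic being the overall characteristic of the downlink packets in the at least one downlink data stream, and the downlink flow characteristic being a statistical characteristic of the at least one downlink data stream.
- The apparatus according to any one of claims 23 to 27, characterized in that the first obtaining module is configured to: obtain the stream transmission characteristic of each first data stream in the at least one first data stream; and obtain the first transmission characteristic based on the stream transmission characteristics of the at least one first data stream.
- The apparatus according to claim 28, characterized in that the stream transmission characteristic of one first data stream includes at least one of the transmission information, data stream type, target port type, and packet characteristic of the first data stream, where the transmission information is used to indicate a transmission attribute of the data stream, the target port type is the port type of the port in the server that transmits the first data stream, and the packet characteristic is the characteristic of the packets in the first data stream.
- The apparatus according to any one of claims 23 to 29, characterized in that the first reconstruction module is configured to: input the first transmission characteristic into a target model, the target model reconstructing the first transmission characteristic based on the inputted first transmission characteristic and outputting the second transmission characteristic.
- The apparatus according to claim 30, characterized in that the apparatus further includes: a training module, configured to use multiple third transmission characteristics of at least one second terminal under a target terminal type as the input and output of an initial model, and perform training to obtain the target model, where the target terminal type is the terminal type of the first terminal, and one third transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by one second terminal.
- The apparatus according to claim 30 or 31, characterized in that the apparatus further includes: a second reconstruction module, configured to input multiple fourth transmission characteristics of multiple target terminals under a target terminal type into the target model, the target model reconstructing each fourth transmission characteristic based on the inputted multiple fourth transmission characteristics and outputting multiple fifth transmission characteristics, where the target terminal type is the terminal type of the first terminal, the multiple fourth transmission characteristics are in one-to-one correspondence with the multiple fifth transmission characteristics, and one fourth transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by one target terminal; and a second obtaining module, configured to obtain the target degree of difference based on the multiple fifth transmission characteristics and the multiple fourth transmission characteristics.
- The apparatus according to any one of claims 30 to 32, characterized in that the apparatus further includes: a third reconstruction module, configured to input multiple sixth transmission characteristics of multiple target terminals under a target terminal type into the target model, the target model reconstructing each sixth transmission characteristic based on the inputted multiple sixth transmission characteristics and outputting multiple seventh transmission characteristics, where the target terminal type is the terminal type of the first terminal, the multiple sixth transmission characteristics are in one-to-one correspondence with the multiple seventh transmission characteristics, and one sixth transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by one target terminal; the determining module is further configured to determine, based on the degree of difference between the multiple seventh transmission characteristics and the corresponding sixth transmission characteristics, that the target model has passed verification.
- An apparatus for implementing terminal verification, characterized in that the apparatus includes: an obtaining module, configured to obtain multiple third transmission characteristics of at least one second terminal of a target terminal type, one third transmission characteristic being the overall transmission characteristic of at least one data stream transmitted by one second terminal; and a training module, configured to use the multiple third transmission characteristics as the input and output of an initial model, and perform training to obtain a target model, where the target model is used to reconstruct the transmission characteristic of a terminal to be verified of the target terminal type in order to verify the terminal to be verified, and the transmission characteristic is the overall transmission characteristic of at least one data stream transmitted by the terminal to be verified.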
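- A system for implementing terminal verification, characterized in that the system includes a control device and a network device; the control device is configured to: obtain multiple third transmission characteristics of at least one second terminal of a target terminal type, one third transmission characteristic being the overall transmission characteristic of at least one data stream transmitted by one second terminal; use the multiple third transmission characteristics as the input and output of an initial model, and perform training to obtain a target model; and send the target model to the network device; the network device is configured to: obtain a first transmission characteristic of a first terminal of the target terminal type, the first transmission characteristic being the overall transmission characteristic of at least one first data stream transmitted by the first terminal; input the first transmission characteristic into the target model, the target model reconstructing the first transmission characteristic based on the inputted first transmission characteristic and outputting a second transmission characteristic, the second transmission characteristic being the reconstructed first transmission characteristic; and if the degree of difference between the first transmission characteristic and the second transmission characteristic is greater than or equal to a target degree of difference, determine that the first terminal has not passed verification.
- An electronic device, characterized in that the electronic device includes a processor and a memory, the memory stores at least one piece of program code, and the program code is loaded and executed by the processor to implement the operations performed by the method according to any one of claims 1 to 22.
- A computer-readable storage medium, characterized in that the storage medium stores at least one piece of program code, and the program code is loaded and executed by a processor to implement the operations performed by the method according to any one of claims 1 to 22.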
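Claims 1 and 14 to 17 as runnable code, added here and not taken from the patent: a model is fitted to reproduce the features of known-good terminals of one type, the target degree of difference is calibrated on held-out terminals, and a terminal fails when its reconstruction differs by at least that much. The rank-1 linear model (a principal-component projection) stands in for the target model, whose architecture the claims do not fix; the Euclidean difference in standardised units, the 1.2 calibration margin, the three chosen features and all sample vectors are assumptions.

```python
import math

# Terminal type registered for the address (camera row of the page's table).
TERMINAL_TYPE = {"192.168.1.240": "camera"}

# Constructed vectors, one per known-good camera and time window:
# (avg uplink interval ms, avg uplink load bytes, uplink packet count)
CAMERA_TRAIN = [
    (40.0, 1000.0, 1500.0), (38.2, 1049.0, 1603.0), (35.9, 1102.0, 1698.0),
    (34.1, 1148.0, 1805.0), (32.0, 1201.0, 1897.0), (29.8, 1252.0, 2004.0),
    (28.1, 1297.0, 2096.0), (26.0, 1350.0, 2200.0),
]
CAMERA_HELD_OUT = [
    (39.1, 1026.0, 1548.0), (33.0, 1230.0, 1850.0), (27.1, 1324.0, 2147.0),
]
GENUINE = (36.9, 1075.0, 1652.0)     # constructed: another real camera
COUNTERFEIT = (5.0, 300.0, 9000.0)   # constructed: other device on the camera's IP


def fit(train):
    """Train with the features as both input and output: standardise, then keep
    the first principal direction (a linear model with a 1-D bottleneck)."""
    n, d = len(train), len(train[0])
    mean = [sum(r[j] for r in train) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in train) / n) or 1.0
           for j in range(d)]
    z = [[(r[j] - mean[j]) / std[j] for j in range(d)] for r in train]
    cov = [[sum(row[a] * row[b] for row in z) / n for b in range(d)]
           for a in range(d)]
    axis = [1.0] + [0.0] * (d - 1)
    for _ in range(100):                      # power iteration
        w = [sum(cov[a][b] * axis[b] for b in range(d)) for a in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0:
            break
        axis = [x / norm for x in w]
    return {"mean": mean, "std": std, "axis": axis}


def reconstruct(model, x):
    """First transmission feature in, reconstructed (second) feature out."""
    z = [(xi - m) / s for xi, m, s in zip(x, model["mean"], model["std"])]
    code = sum(a * b for a, b in zip(z, model["axis"]))
    return [m + s * code * a
            for m, s, a in zip(model["mean"], model["std"], model["axis"])]


def difference(model, x):
    """Degree of difference between a feature and its reconstruction."""
    x_hat = reconstruct(model, x)
    return math.sqrt(sum(((a - b) / s) ** 2
                         for a, b, s in zip(x, x_hat, model["std"])))


def calibrate(model, held_out, margin=1.2):
    """Target degree of difference from held-out terminals of the same type."""
    return margin * max(difference(model, x) for x in held_out)


MODEL = {"camera": fit(CAMERA_TRAIN)}
TARGET = {"camera": calibrate(MODEL["camera"], CAMERA_HELD_OUT)}


def verify_terminal(ip, features):
    """Return (passed, difference); fails when difference >= target."""
    kind = TERMINAL_TYPE[ip]
    diff = difference(MODEL[kind], features)
    return diff < TARGET[kind], diff


if __name__ == "__main__":
    print("target difference:", round(TARGET["camera"], 3))
    print("genuine:", verify_terminal("192.168.1.240", GENUINE))
    print("counterfeit:", verify_terminal("192.168.1.240", COUNTERFEIT))
```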
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2023502830A JP2023533354A (ja) | 2020-07-13 | 2021-07-09 | Method, apparatus, system, device, and storage medium for implementing terminal verification |
EP21842651.8A EP4171095A4 (en) | 2020-07-13 | 2021-07-09 | METHOD FOR IMPLEMENTING TERMINAL DEVICE VERIFICATION, APPARATUS, SYSTEM, APPARATUS AND STORAGE MEDIUM |
CA3186107A CA3186107A1 (en) | 2020-07-13 | 2021-07-09 | Method, apparatus, system, device, and storage medium for implementing terminal verification |
US18/154,263 US20230171264A1 (en) | 2020-07-13 | 2023-01-13 | Method, Apparatus, System, Device, and Storage Medium for Implementing Terminal Verification |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010669766.4 | 2020-07-13 | ||
CN202010669766 | 2020-07-13 | ||
CN202011198953.5 | 2020-10-31 | ||
CN202011198953.5A CN114006714A (zh) | 2020-07-13 | 2020-10-31 | Method, apparatus, system, device, and storage medium for implementing terminal verification |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/154,263 Continuation US20230171264A1 (en) | 2020-07-13 | 2023-01-13 | Method, Apparatus, System, Device, and Storage Medium for Implementing Terminal Verification |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022012429A1 (zh) | 2022-01-20 |
Family
ID=79555046
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/105494 WO2022012429A1 (zh) | 2020-07-13 | 2021-07-09 | Method, apparatus, system, device, and storage medium for implementing terminal verification |
Country Status (5)
Country | Link |
---|---|
US (1) | US20230171264A1 (zh) |
EP (1) | EP4171095A4 (zh) |
JP (1) | JP2023533354A (zh) |
CA (1) | CA3186107A1 (zh) |
WO (1) | WO2022012429A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114915502A (zh) * | 2022-07-15 | 2022-08-16 | 北京六方云信息技术有限公司 | Asset abnormal behavior detection method, apparatus, terminal device, and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060116968A1 (en) * | 2004-11-26 | 2006-06-01 | Shigeru Arisawa | Method and system for transmitting electronic value information |
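CN104410982A (zh) * | 2014-11-19 | 2015-03-11 | 南京邮电大学 | Terminal aggregation and reconstruction method in a wireless heterogeneous network |
CN108683901A (zh) * | 2018-05-10 | 2018-10-19 | Oppo广东移动通信有限公司 | Data processing method, MEC server, and computer-readable storage medium |
CN110769008A (zh) * | 2019-11-05 | 2020-02-07 | 长沙豆芽文化科技有限公司 | Data security protection method, apparatus, and service device |
CN111325451A (zh) * | 2020-02-02 | 2020-06-23 | 贾海芳 | Intelligent building multi-level scheduling method, intelligent building scheduling center, and system |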
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003088532A1 (en) * | 2002-04-11 | 2003-10-23 | The Johns Hopkins University | Intrusion detection system for wireless networks |
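JP4763819B2 (ja) * | 2009-05-22 | 2011-08-31 | 株式会社バッファロー | Wireless LAN access point device and method for detecting unauthorized management frames |
KR102000159B1 (ko) * | 2013-12-18 | 2019-07-16 | 한국전자통신연구원 | Apparatus and method for identifying illegally disguised terminals |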
EP3442191B1 (en) * | 2017-08-07 | 2020-09-23 | Nokia Solutions and Networks Oy | Prevention of identity spoofing in a communications network |
-
2021
- 2021-07-09 WO PCT/CN2021/105494 patent/WO2022012429A1/zh unknown
- 2021-07-09 JP JP2023502830A patent/JP2023533354A/ja active Pending
- 2021-07-09 CA CA3186107A patent/CA3186107A1/en active Pending
- 2021-07-09 EP EP21842651.8A patent/EP4171095A4/en active Pending
-
2023
- 2023-01-13 US US18/154,263 patent/US20230171264A1/en active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP4171095A4 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
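CN114915502A (zh) * | 2022-07-15 | 2022-08-16 | 北京六方云信息技术有限公司 | Asset abnormal behavior detection method, apparatus, terminal device, and storage medium |
CN114915502B (zh) * | 2022-07-15 | 2022-10-04 | 北京六方云信息技术有限公司 | Asset abnormal behavior detection method, apparatus, terminal device, and storage medium |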
Also Published As
Publication number | Publication date |
---|---|
US20230171264A1 (en) | 2023-06-01 |
EP4171095A1 (en) | 2023-04-26 |
JP2023533354A (ja) | 2023-08-02 |
CA3186107A1 (en) | 2022-01-20 |
EP4171095A4 (en) | 2023-12-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21842651; Country of ref document: EP; Kind code of ref document: A1 |
 | ENP | Entry into the national phase | Ref document number: 2023502830; Country of ref document: JP; Kind code of ref document: A. Ref document number: 3186107; Country of ref document: CA |
 | ENP | Entry into the national phase | Ref document number: 2021842651; Country of ref document: EP; Effective date: 20230118 |
 | NENP | Non-entry into the national phase | Ref country code: DE |