WO2023284809A1 - Device identification method, apparatus and system - Google Patents

Device identification method, apparatus and system

Info

Publication number
WO2023284809A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
data flow
terminal
type
analyzer
Prior art date
Application number
PCT/CN2022/105623
Other languages
English (en)
Chinese (zh)
Inventor
徐威旺
薛莉
刘文倩
吴俊�
张亮
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN202111024391.7A (CN115701028A)
Application filed by 华为技术有限公司
Publication of WO2023284809A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks

Definitions

  • the present application relates to the field of communication technologies, and in particular to a method, device and system for device identification.
  • IoT: Internet of Things
  • DDoS: distributed denial-of-service attacks
  • the present application provides a method, device and system for device identification, which help to identify the device type of a terminal device and reduce the consumption of network resources for device identification.
  • a device identification method is provided, which is executed by a network device that forwards packets for a terminal device.
  • the network device acquires the data flow statistics information of the terminal device, and when a condition is satisfied, sends the data flow statistics information of the terminal device to the analyzer, so that the analyzer can identify the device type of the terminal device.
  • the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  • the network device sends the data flow statistics information of the terminal device to the analyzer, so that the analyzer can identify the device type of the terminal device, and a corresponding security protection policy can then be implemented for the device type of the terminal device.
  • the probability of the device type of the terminal device changing is very small. If the terminal device is a terminal device that has come online again, the device type of the terminal device may have changed.
  • the network device only sends the data flow statistics information of the terminal device whose device type is unknown or has come back online to the analyzer. This avoids bandwidth consumption by traffic statistics for end devices whose device types are known and are always online. The consumption of network resources by device identification is reduced.
  • the analyzer can obtain data flow statistical information of a large number of terminal devices of unknown device types, and obtain a high-precision device identification model based on the data flow statistical information of a large number of terminal devices of unknown device types. This method does not reduce the accuracy of device identification.
  • the network device determines whether the device type of the terminal device is unknown according to the identifier of the terminal device corresponding to the known device type.
  • an identifier of a terminal device corresponding to a known device type may be stored in the network device. If the identifier of the terminal device corresponding to the known device type does not include the identifier of the terminal device, the network device determines that the device type of the terminal device is unknown.
  • the network device determines whether the device type of the terminal device is unknown according to the asset library.
  • the asset library is used to record the device type and the identifier of the terminal device corresponding to the device type.
  • the network device determines that the device type of the terminal device is unknown.
  • the network device judges whether the terminal device is a re-online terminal device according to the historical traffic volume of the terminal device.
  • the terminal device is a terminal device that has come online again.
  • the network device receives a message from the analyzer, and updates the identifier of the terminal device corresponding to the known device type based on the message.
  • the message includes the identifier of the terminal device.
  • After identifying the device type of the terminal device, the analyzer sends a message to inform the network device that the device type of the terminal device is known, and the network device stores the device identifier of the terminal device. If the terminal device does not go offline, the network device will no longer send the data flow statistics information of the terminal device to the analyzer. That is, as more and more types of terminal devices are identified, network resources consumed by device identification will become less and less.
  • the network device receives a message from the analyzer, and updates the asset library based on the message.
  • the message includes the device type of the terminal device and the identifier of the terminal device.
  • After identifying the device type of the terminal device, the analyzer sends a message to inform the network device of the device type of the terminal device.
  • the network device adds the device type and identifier of the terminal device to the asset library. If the terminal device does not go offline, the network device will no longer send the data flow statistics information of the terminal device to the analyzer. That is, as more and more types of terminal devices are identified, network resources consumed by device identification will become less and less.
  • the data flow statistics information of the terminal device includes a source Internet Protocol (IP) address or a destination IP address of at least one data flow of the terminal device.
  • the data flow statistical information of the terminal device further includes one or more of the following information: the traffic size of at least one data flow of the terminal device within the second time window, the number of data packets of at least one data flow of the terminal device within the second time window, and the size of each data packet of at least one data flow of the terminal device within the second time window.
  • the identifier of the terminal device includes an IP address of the terminal device.
  • the terminal device includes an Internet of Things (IoT) device.
  • in a second aspect, a device identification apparatus is provided. The apparatus includes a plurality of functional modules, all of which may be software modules or hardware modules, or a combination of software modules and hardware modules, and the plurality of functional modules may be divided differently according to the implementation, so as to implement the method of the first aspect and its various embodiments.
  • in a third aspect, a device identification device is provided. The device includes a processor and memory.
  • a program is stored in the memory, and the processor is configured to execute the program stored in the memory to implement the device identification method provided in the first aspect or any possible implementation manner of the first aspect.
  • in a fourth aspect, a device identification system is provided. The system includes a device identification device and an analyzer.
  • the device identification apparatus is configured to implement the device identification method provided in the first aspect or any possible implementation manner of the first aspect.
  • the analyzer is configured to receive the data flow statistical information of the terminal device sent by the device identification device, and identify the device type of the terminal device according to the data flow statistical information of the terminal device.
  • the analyzer is further configured to send a message to the device identification device, where the message includes the identifier of the terminal device.
  • the analyzer is further configured to send a message to the device identification apparatus, where the message includes the identifier of the terminal device and the device type of the terminal device.
  • a computer-readable storage medium includes instructions, which, when run on a computer, cause the computer to execute the device identification method provided in the first aspect or any possible implementation manner of the first aspect.
  • a computer program product including instructions is provided. When it runs on a computer, the computer is made to execute the device identification method provided by the first aspect or any possible implementation manner of the first aspect.
  • FIG. 1 is a schematic diagram of an implementation environment involved in an embodiment of the present application
  • FIG. 2 is a flow chart of a device identification method provided in an embodiment of the present application.
  • Fig. 3 is a schematic diagram of an asset library provided by an embodiment of the present application.
  • Fig. 4 is a schematic diagram of a logic structure of a device identification apparatus provided by an embodiment of the present application.
  • Fig. 5 is a schematic diagram of the hardware structure of a device identification device provided by an embodiment of the present application.
  • Fig. 6 is a schematic diagram of a device identification system provided by an embodiment of the present application.
  • FIG. 1 shows a schematic diagram of an implementation environment involved in an embodiment of the present application.
  • the implementation environment includes a communication network 100 .
  • the communication network 100 includes a plurality of terminal devices and a plurality of network devices, and the plurality of terminal devices access the Internet or an intranet through corresponding network devices to access services provided by the service server.
  • the terminal devices 101 - 102 are connected to the network device 111
  • the terminal devices 103 - 104 are connected to the network device 112
  • the terminal device 105 is connected to the network device 113 .
  • the network device 111 connects the terminal devices 101 - 102 to the Internet or intranet through the network device 121 , so that the terminal devices 101 - 102 can access related services, for example, services provided by the service server 131 .
  • the network device 112 connects the terminal devices 103 - 104 to the Internet/Intranet through the network device 121 , so that the terminal devices 103 - 104 can access related services, for example, services provided by the service server 131 .
  • the network device 113 connects the terminal device 105 to the Internet/Intranet, so that the terminal device 105 can access related services, for example, services provided by the service server 131 .
  • the terminal device is an IoT device.
  • End devices can be of various types.
  • a terminal device may be an automated teller machine (ATM), a self-service inquiry terminal, a card issuer, an intelligent counter, or a camera.
  • the terminal device 101 and the terminal device 103 may be ATMs
  • the terminal device 102 and the terminal device 104 may be cameras
  • the terminal device 105 may be a card issuer.
  • the network device may be various types of devices.
  • a network device may be a switch, router, wireless access point, base station, etc.
  • the network device 111 may be a wireless access point, and the terminal devices 101-102 access the network device 111 through a wireless local area network.
  • the network device 112 may be a switch, and the terminal devices 103 - 104 access the network device 112 through a wired access manner.
  • the network device 113 may be a base station, and the terminal device 105 accesses the network device 113 through a cellular network.
  • the network device 121 may be a router.
  • the network devices 111-113 are directly connected to the terminal devices, so the network devices 111-113 may also be called access devices.
  • the network device 121 is not directly connected to the terminal device, but forwards the message of the terminal device sent by the access device, and the network device 121 may also be called an aggregation device.
  • the service server 131 may be various types of devices.
  • the service server 131 may be a physical server, a physical server cluster, a virtual machine or a virtual machine cluster, and the like.
  • the service server 131 can be deployed in a public cloud, a private cloud, or an enterprise data center.
  • the service server can provide various services, for example, video service, deposit and withdrawal service, and so on.
  • the communication network 100 needs to identify the device type of the terminal device, so as to implement corresponding security protection policies for different types of terminal devices according to the device type. Identifying the device type of an end device is also known as asset inventory. That is, by identifying the device type of the terminal device to take stock of the types of device assets.
  • the communication network 100 may further include an analyzer 141 .
  • the analyzer 141 may receive the data flow statistical information of the terminal device sent by the network device, and identify the device type of the terminal device according to the data flow statistical information.
  • the network device may be an access device or an aggregation device.
  • the analyzer 141 may be deployed in a public cloud, a private cloud, an enterprise data center, or an enterprise headquarters campus network.
  • the analyzer 141 may be a server, a server cluster, a virtual machine or a virtual machine cluster, and the like.
  • the analyzer 141 may also be a network device with computing capabilities.
  • the network device with computing capability is deployed in the data center of the enterprise or the headquarters campus network of the enterprise.
  • An embodiment of the present application provides a method for device identification.
  • the network device close to the terminal device obtains the data flow statistics information of the terminal device, and when the type of the terminal device is unknown or the terminal device is a terminal device that has come online again, the network device sends the data flow statistics information of the terminal device to an analyzer.
  • the analyzer identifies the device type of the terminal device based on the data flow statistics information of the terminal device. After identifying the device type of the terminal device, the analyzer sends the identifier of the terminal device, or the identifier and device type of the terminal device to the network device.
  • the network device close to the terminal device may be an access device or an aggregation device.
  • the data flow statistical information of the terminal device is acquired by a network device close to the terminal device, so the data flow statistical information can reflect all access behaviors of the terminal device.
  • the network device will send the data flow statistics information of the terminal device to the analyzer. That is, the analyzer can obtain data flow statistical information of a large number of unknown types of terminal devices, and the data flow statistical information can reflect all access behaviors of the terminal devices. Therefore, the analyzer can also train or update the device recognition model based on this to improve the accuracy of device recognition.
  • the network device will not send the data flow statistics of terminal devices of known device types that are not offline to the analyzer.
  • FIG. 2 shows a flow chart of a device identification method provided by an embodiment of the present application. The method includes the following steps:
  • Step 201 the network device acquires data flow statistics information of the terminal device.
  • Network equipment includes access equipment or aggregation equipment.
  • An access device is a network device connected to a terminal device.
  • the aggregation device is a network device that is not directly connected to the terminal device, but through which the data flow of the terminal device must pass.
  • the terminal device may be the terminal device 101
  • the access device may be the network device 111
  • the aggregation device may be the network device 121 .
  • the terminal device 101 accesses the network through the network device 111 , so the network device 111 must be able to obtain the data flow statistics information of the terminal device 101 .
  • although the network device 121 is not directly connected to the terminal device 101, the packets of the terminal device 101 must be forwarded through the network device 121, so the network device 121 must also be able to obtain the data flow statistics information of the terminal device 101.
  • the data flows of different types of terminal devices have different characteristics. For example, a camera has almost no downlink traffic, while its uplink traffic is continuous and relatively large; the data flows of an ATM, by contrast, occur irregularly and the traffic is very small.
  • the analyzer distinguishes different end devices based on the data flow statistics of the end devices. Therefore, the data flow statistical information includes statistical information that can reflect the service characteristics of the terminal equipment.
  • the data flow statistics information includes one or more of the following information: the number of data flows of the terminal device in a time window, the traffic size of the terminal device in the time window, the number of data packets of the terminal device in the time window, the size of each data packet of the terminal device within the time window, the header information of each data flow of the terminal device within the time window, the traffic size of each data flow of the terminal device within the time window, the number of packets of each data flow of the terminal device within the time window, and the size of each packet of each data flow of the terminal device within the time window.
  • the header information of the data stream includes tuples of the data stream.
  • a tuple of data streams may be a quintuple of data streams.
  • the five-tuple of the data stream includes the source IP address, destination IP address, source port, destination port, and protocol type of the data stream.
  • the data flow statistical information may also include directional information of the data flow, for example, uplink or downlink.
  • the data flow received by the network device from the port close to the terminal device is an uplink data flow, otherwise, it is a downlink data flow.
  • the network device obtains the data flow statistics information of the terminal device. For example, the network device collects the data flow transmitted through the network device, and obtains statistical information of the data flow within the time window.
  • the network device can distinguish the data flows of different terminal devices within the time window based on the identifier of the terminal device.
  • the identifier of the terminal device includes the IP address of the terminal device.
  • the network device may distinguish data flows of different terminal devices within a time window based on the source IP address of the uplink data flow or the destination IP address of the downlink data flow. Uplink data flows with the same source IP address or downlink data flows with the same destination IP address are data flows belonging to the same terminal device.
  • the time window may be 5 minutes.
  • the network device calculates the data flow statistics information of each terminal device within each 5 minutes to obtain the data flow statistics information of each terminal device within the time window.
  • the network device can always obtain the data flow statistics information of the terminal device. For example, the network device acquires data flow statistics information of each terminal device in each time window starting from a specified time (for example, when the network device starts running, or a time configured by an administrator). For example, the network device acquires data flow statistics information every 5 minutes from the start of operation, and the data flow statistics information includes data flow statistics information of each terminal device that has data flows within the 5 minutes.
  • the network device can also obtain the data flow statistics information of the terminal device according to predetermined requirements. For example, according to the configuration of the administrator, the network device obtains data flow statistics information every half hour, and the data flow statistics information obtained each time includes each terminal device with data flow within a time window (for example, 5 minutes) data flow statistics.
  • the data flow statistics information of the terminal device can also be obtained by other devices.
  • the data flow statistics of the terminal device are obtained by a network probe attached to the side of the network device.
  • the access device 111 in FIG. 1 may have a network probe attached to its side, and the network probe has computing capability.
  • the access device 111 can mirror the data flow to the network probe, and the network probe calculates the data flow statistical information of each terminal device within the time window according to the mirrored data flow.
  • Step 202 when the condition is met, the network device sends the data flow statistics information of the terminal device to the analyzer.
  • the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  • the network device sends the data flow statistics information of the terminal device to the analyzer.
  • the network device sends the data flow statistics information of the terminal device to the analyzer, so as to trigger the analyzer to identify the device type of the terminal device.
  • the network device may determine whether the terminal device is a terminal device of a known device type based on various methods. For example, the identifiers of terminal devices of known device types are recorded on the network device (for example, the identifier includes the IP address of the terminal device, and the network device records multiple IP addresses, indicating that the device types of the terminal devices associated with the multiple IP addresses are known).
  • the network device determines that the terminal device associated with the data flow is a terminal device of a known device type.
  • the network device may also store an asset library, which records device types and IP addresses of one or more terminal devices corresponding to each device type. The network device extracts the IP address in the data flow statistics information, and queries the asset library according to the IP address. If the IP address exists in the asset library, the network device judges that the terminal device associated with the data flow is a terminal device of a known device type.
  • the identifier or asset library of the terminal device corresponding to the known device type can be configured by the administrator, or, after the analyzer identifies the device type of the terminal device, it sends the device type and/or the device identifier corresponding to the device type to the network device.
  • the network device may also use the IP address of the terminal device of known device type as a filter condition, so as not to collect the data stream of the terminal device of the known device type. In this way, the overhead of network equipment can be further reduced.
  • When the terminal device is a terminal device that has come online again, its device type may have changed, so the network device also sends its data flow statistics to the analyzer to trigger the analyzer to re-identify the device type of the terminal device. For example, the IP address of a query machine is IP A, but one day the query machine is damaged, and IP A may be used by other devices. At this time, if the network device uses IP addresses to distinguish terminal devices, it needs to send the data flow statistics information to the analyzer to trigger the analyzer to re-identify the device type of the terminal device bound to IP A.
  • the network device can determine whether the terminal device is a terminal device that has come online again through various methods. For example, if the network device 111 is a wireless access point device, when it is found that the terminal device 101 is disconnected, the network device 111 judges that the terminal device 101 has gone offline; when the terminal device 101 associates with the network device 111 again, the network device judges that the terminal device 101 is a terminal device that has come online again. For another example, if the network device 112 is a switch, when it is detected that the port connected to the terminal device 104 is disconnected, the network device 112 judges that the terminal device 104 has gone offline, and when it detects that the port is connected again, the network device 112 judges that the terminal device 104 is a terminal device that has come online again.
  • the network device may also determine whether the terminal device is a terminal device that has come online again according to the historical traffic volume of the terminal device. For example, if the network device does not detect the data flow of a terminal device within the specified time window, it is judged that the terminal device has gone offline; when the data flow of the terminal device is detected again, the terminal device is judged to be a terminal device that has come online again.
  • the specified time window may be a multiple of the window in which the network device obtains the data flow statistics information in step 201. For example, if the network device obtains the data flow statistics information of the terminal device every 5 minutes, when the network device does not detect the data flow of a terminal device within one or more 5-minute windows, the network device judges that the terminal device has gone offline.
  • the specified time window can also be other values. For example, when the time window for obtaining the data flow statistics information of the terminal device is 5 minutes, the time window for judging whether the terminal device is online again may also be 18 minutes. When the network device does not detect the data flow of the terminal device within 18 minutes, it is judged that the terminal device has gone offline, and when the data flow of the terminal device is detected again, the network device judges that the terminal device is a terminal device that has come back online.
  • Step 203 the analyzer identifies the device type of the terminal device.
  • the analyzer identifies the device type of the terminal device based on the data flow statistics information of the terminal device sent by the network device. For example, the analyzer takes the data flow statistics information of the terminal device as an input of the device identification model, so as to obtain the device type of the terminal device from the output of the device identification model.
  • the device identification model can be configured by an administrator.
  • the device recognition model can also be obtained through training by the analyzer.
  • the analyzer can train and obtain the device identification model based on the data flow statistics information of a plurality of terminal devices of unknown device types sent by each network device and the data flow statistics information of a plurality of terminal devices of known device types.
  • the device recognition model can be various machine learning models, for example, random forest or convolutional neural network.
  • the device types of the terminal devices of the plurality of known device types may be marked by the administrator. For example, a network device sends data flow statistics information of 1000 terminal devices, and the administrator randomly marks the correct device type for 100 terminal devices.
  • the administrator enters 20 IP addresses and the device types associated with the 20 IP addresses on the input interface of the analyzer, and the data flow statistics information associated with the 20 IP addresses received by the analyzer is the data flow statistics information of terminal devices of known device types.
  • the administrator can also input an instruction on the input interface of the analyzer to instruct the analyzer to start training the device recognition model.
  • the analyzer can send the collection instruction to each network device.
  • the collection instruction instructs the network device to obtain the data flow statistics information of the terminal device, so that the analyzer obtains a data set for training a device recognition model.
  • the collection instruction may include collection duration, collection frequency, collection information type and other information. For example, the collection duration may be 1 day, the collection frequency may be 5 minutes, and the type of collected information may be one or more types of information included in the data stream statistical information described in step 201 .
  • the network device calculates data flow statistics every 5 minutes within 1 day.
  • the data flow statistical information within every 5 minutes includes the data flow statistical information of each terminal device that has data traffic on the network device within the 5 minutes.
  • the network device can periodically obtain data flow statistics. For example, the network device collects data flow every 5 minutes and calculates the data flow statistics within the 5 minutes.
  • the network device can regularly send data flow statistics, for example, the network device obtains data flow statistics every 5 minutes and immediately sends the data flow statistics to the analyzer.
  • the network device can also send data flow statistics of multiple time windows at one time. For example, after the network device obtains 288 sets of data flow statistics, one every 5 minutes over a day, it sends the data flow statistics of the 288 time windows to the analyzer at one time.
  • When the analyzer identifies the device type of the terminal device based on the data flow statistics information of the terminal device, the analyzer associates the identifier of the terminal device with the device type, and adds the identifier of the terminal device to the asset information entry corresponding to the device type in the asset library.
  • the asset library can be as shown in FIG. 3 .
  • the asset library shown in FIG. 3 records multiple asset information entries, and each asset information entry includes a device type and one or more identifiers of terminal devices corresponding to the device type.
  • the device identification includes the IP address of the terminal device.
  • the ATM includes terminal devices associated with IP addresses 192.168.7.2 and 192.168.8.2
  • the camera includes terminal devices associated with IP addresses 192.168.11.11 and 192.168.22.22
  • the card issuer includes Terminal Equipment.
  • the asset library may also record the identification of equipment that is not of interest.
  • the analyzer can mark terminal devices with strong protection capabilities, such as personal computers (PCs), as non-concerned devices, and the analyzer or other management devices do not need to set special protection policies for these non-concerned devices. If these non-concerned devices do not come online again, the network device does not need to collect the data streams of these non-concerned devices.
  • the analyzer may send the identifier of the terminal device or the identifier of the terminal device and the device type of the terminal device to the network device. For example, during initial training, if the analyzer identifies a large number of terminal devices of unknown device types, the analyzer may send the identifiers of one or more terminal devices corresponding to each device type to the network device. For another example, after the training is completed, each time the analyzer receives the data flow statistical information sent by the network device, it can obtain the device type of the terminal device associated with the data flow statistical information based on the data flow statistical information.
  • the analyzer may send the identifier of the terminal device associated with the data flow statistics information or the identifier of the terminal device and the device type of the terminal device to the network device.
  • the network device records the device identification of the known device type based on the analyzer's message, or updates the asset library to record the known device type and the device identification associated with the known device type. As more and more types of terminal devices are identified, the network devices need to send less and less data flow statistics, and the network resources consumed by device identification will become less and less.
  • the analyzer can also update the device identification model based on the data flow statistics information of the unknown device type terminal device sent by the network device subsequently.
  • the network device sends the data flow statistical information of the terminal device whose device type is unknown or whose device type may change to the analyzer, and the data flow statistical information is obtained by a network device close to the terminal device, so it can reflect all access behaviors of the terminal device. Therefore, the method enables the analyzer to identify the device type of a terminal device whose device type is unknown or may change, and to update the device identification model based on the data flow statistics of a large number of such terminal devices, which improves the accuracy of device identification.
  • the network device only sends the data flow statistics information of terminal devices of unknown device types or re-online terminal devices to the analyzer, avoiding the bandwidth that would be consumed by the data flow statistics information of terminal devices whose device types are known and that are always online. This reduces the consumption of network resources for device identification.
  • Fig. 4 is a schematic diagram of a logical structure of an apparatus for identifying equipment provided by an embodiment of the present application.
  • the device identification apparatus 400 includes an acquisition module 410 and a sending module 420 .
  • the acquiring module 410 is configured to execute step 201 in the embodiment shown in FIG. 2
  • the sending module 420 is configured to execute step 202 in the embodiment shown in FIG. 2 .
  • the acquiring module 410 is configured to acquire data flow statistical information of the terminal device.
  • the device identification apparatus 400 is an access device connected to the terminal device or a converging device through which the data flow of the terminal device must pass.
  • the data stream of the terminal device is forwarded through the device identification device 400 .
  • the sending module 420 is configured to send the data flow statistics information of the terminal device to the analyzer when a condition is met, so that the analyzer can identify the device type of the terminal device.
  • the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  • the sending module is configured to determine whether the device type of the terminal device is known or unknown according to the identifier of the terminal device of known device type. When the identifier of the terminal device exists in the identifiers of terminal devices of a known device type, the sending module determines that the device type of the terminal device is known, otherwise it is unknown.
  • the sending module is configured to determine whether the device type of the terminal device is known or unknown according to the asset library.
  • the asset library is used to record the device type and the identifier of the terminal device corresponding to the device type. When the identifier of the terminal device exists in the asset library, the sending module determines that the device type of the terminal device is known, otherwise it is unknown.
  • the sending module is configured to judge whether the terminal device is a re-online terminal device according to the historical traffic volume of the terminal device. If the traffic volume of the terminal device in the first time window is zero, the sending module judges that the terminal device is a terminal device that has come online again.
  • the device identification device further includes a receiving module and an updating module.
  • the receiving module is used for receiving messages.
  • the message includes the identifier of the terminal device, and the updating module is configured to update the identifier of the terminal device of the known device type based on the message.
  • the message further includes the device type of the terminal device, and the update module is configured to update the asset library based on the message.
  • the device identification apparatus 400 provided in this embodiment is used to execute the technical solution of the method embodiment shown in FIG. 2 , and its implementation principle and technical effect are similar.
  • Each device identification apparatus 400 sends the data flow statistics information of terminal devices whose device types are unknown or re-online to the analyzer, so that the analyzer can identify the device types of these terminal devices.
  • the analyzer can also train or update the device identification model based on the data flow statistics of a large number of unknown or re-online terminal devices to improve the accuracy of device identification.
  • the device identification apparatus 400 selectively sends the data flow statistical information of the terminal device to the analyzer: only the data flow statistical information of the terminal device whose device type is unknown or whose device type may change is sent to the analyzer. This avoids the consumption of bandwidth by the data flow statistics information of terminal devices whose device types are known and that are always online, and reduces the network resources consumed by device identification.
  • when the device identification device provided by the embodiment shown in FIG. 4 executes the device identification method, the division into the above-mentioned functional modules is used only as an example. In practical applications, the above-mentioned functions can be assigned to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
  • the device identification device and the device identification method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process thereof is detailed in the method embodiments, and will not be repeated here.
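The send condition of the sending module and the update path of the receiving and updating modules, as an added Python example that is not code from the application or its applicant. The class and function names are hypothetical, the "first time window" is assumed to be the `lookback` collection windows immediately before the current one, and the analyzer verdicts and the address 192.168.30.30 are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowStats:
    device_id: str   # terminal identifier; the description uses the IP address
    window: int      # index of the collection window (e.g. 5 minutes each)
    byte_count: int  # traffic volume seen for this terminal in the window

class SelectiveReporter:
    """Network-device side: pick the statistics that must reach the analyzer."""

    def __init__(self, lookback=1):
        self.asset_library = {}   # device type -> set of terminal identifiers
        self.last_active = {}     # identifier -> last window with traffic
        self.lookback = lookback  # assumed length of the "first time window"

    def device_type(self, device_id):
        for dev_type, ids in self.asset_library.items():
            if device_id in ids:
                return dev_type
        return None

    def classify(self, stats):
        """Record activity; return 'unknown', 're-online' or None (not sent)."""
        if stats.byte_count == 0:
            return None  # no traffic in this window, nothing to report
        last = self.last_active.get(stats.device_id)
        self.last_active[stats.device_id] = stats.window
        if self.device_type(stats.device_id) is None:
            return "unknown"
        # Zero traffic throughout the preceding lookback windows: the
        # identifier may now belong to a different terminal, so re-identify.
        if last is None or stats.window - last > self.lookback:
            return "re-online"
        return None

    def on_analyzer_message(self, device_id, dev_type):
        """Record the analyzer's verdict, moving the identifier if it changed."""
        for ids in self.asset_library.values():
            ids.discard(device_id)
        self.asset_library.setdefault(dev_type, set()).add(device_id)

def run_demo():
    """Replay constructed windows; return the reporter and the records sent."""
    atm, cam, new = "192.168.7.2", "192.168.11.11", "192.168.30.30"
    windows = [[atm, cam], [atm, cam], [atm], [atm, cam], [atm, cam, new]]
    verdicts = {0: {atm: "ATM", cam: "camera"}, 3: {cam: "PC"}}  # constructed
    reporter, sent = SelectiveReporter(), []
    for w, active in enumerate(windows):
        for dev in active:
            reason = reporter.classify(FlowStats(dev, w, 1500))
            if reason:
                sent.append((w, dev, reason))
        for dev, dev_type in verdicts.get(w, {}).items():
            reporter.on_analyzer_message(dev, dev_type)
    return reporter, sent

if __name__ == "__main__":
    reporter, sent = run_demo()
    for row in sent:
        print(row)
    print(reporter.asset_library)
```

Of the ten per-window records in the constructed replay, four are sent; the address that was silent for one window is re-identified and its asset library entry moves to the new device type.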
  • FIG. 5 is a schematic diagram of a hardware structure of a device identification device 500 provided by an embodiment of the present application.
  • the device identification apparatus 500 includes a processor 520 , a memory 540 , a communication interface 560 and a bus 580 , and the processor 520 , the memory 540 and the communication interface 560 are connected to each other through the bus 580 .
  • the processor 520 , the memory 540 and the communication interface 560 may also be connected in other connection ways than the bus 580 .
  • the memory 540 can be various types of storage media, such as random access memory (RAM), read-only memory (ROM), non-volatile RAM (NVRAM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), flash memory, optical memory, hard disk, etc.
  • the processor 520 may be a general-purpose processor, and the general-purpose processor may be a processor that performs specific steps and/or operations by reading and executing contents stored in a memory (such as the memory 540 ).
  • the general processor may be a central processing unit (CPU).
  • the processor 520 may include at least one circuit to execute all or part of the steps of the device identification method provided by the embodiment shown in FIG. 2 .
  • the communication interface 560 includes an input/output (I/O) interface, a physical interface, a logical interface, and the like, which are used to interconnect the components inside the device identification device 500 and to interconnect the device identification device 500 with other devices, such as analyzers or terminal devices.
  • the physical interface can be Ethernet interface, optical fiber interface, ATM interface, etc.
  • the bus 580 may be any type of communication bus for interconnecting the processor 520, the memory 540 and the communication interface 560, such as a system bus.
  • the above-mentioned devices may be respectively arranged on independent chips, or at least partly or all of them may be arranged on the same chip. Whether each device is independently arranged on different chips or integrated and arranged on one or more chips often depends on the needs of product design.
  • the embodiments of the present application do not limit the specific implementation forms of the foregoing devices.
  • the device identifying apparatus 500 shown in FIG. 5 is only exemplary. During implementation, the device identifying apparatus 500 may also include other components, which will not be listed here. In addition, the device identification device 500 provided in the above embodiment is based on the same idea as the device identification method embodiment, and its specific implementation process is detailed in the method embodiment, and will not be repeated here.
  • Fig. 6 is a schematic diagram of a device identification system provided by an embodiment of the present application.
  • the device identification system 600 includes an analyzer 610 and one or more device identification devices.
  • the one or more device identifying means includes device identifying means 620 and/or device identifying means 630 .
  • the equipment identification device includes the access equipment connected to the terminal equipment or the converging equipment through which the data flow of the terminal equipment must pass.
  • the device identification device and the analyzer are connected via the Internet or an intranet.
  • the analyzer 610 is configured to execute step 203 in the embodiment of the device identification method shown in FIG. 2 .
  • the device identification device 620 or the device identification device 630 is used to execute step 201 and step 202 in the embodiment of the device identification method shown in FIG.
  • the device identifying device 620 or the device identifying device 630 includes the device identifying device 400 shown in FIG. 4 .
  • the device identifying device 620 or the device identifying device 630 includes the device identifying device 500 shown in FIG. 5 .
  • all or part of them may be implemented by software, hardware, firmware or any combination thereof.
  • When implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present invention will be generated in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, DVD), or a semiconductor medium (for example, a solid state disk (SSD)), etc.

Abstract

The present application relates to the technical field of communications and discloses a device identification method, apparatus and system that help identify the device type of a terminal device and reduce the network resources consumed by device identification. A network device acquires data flow statistics information of a terminal device and sends the data flow statistics information of the terminal device to an analyzer when a condition is satisfied, so that the analyzer identifies the device type of the terminal device. The condition is that the device type of the terminal device is unknown, or that the terminal device is a terminal device that has come online again. Because the network device sends the data flow statistics information to the analyzer selectively, the network resources consumed in the device identification process are reduced.
PCT/CN2022/105623 2021-07-15 2022-07-14 Device identification method, apparatus and system WO2023284809A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202110798343 2021-07-15
CN202110798343.7 2021-07-15
CN202111024391.7 2021-09-02
CN202111024391.7A CN115701028A (zh) 2021-07-15 2021-09-02 Method, apparatus and system for device identification

Publications (1)

Publication Number Publication Date
WO2023284809A1 true WO2023284809A1 (fr) 2023-01-19

Family

ID=84919037

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/105623 WO2023284809A1 (fr) 2021-07-15 2022-07-14 Device identification method, apparatus and system

Country Status (1)

Country Link
WO (1) WO2023284809A1 (fr)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22841442

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22841442

Country of ref document: EP

Kind code of ref document: A1