[go: up one dir, main page]

CN108737291B - Method and device for representing network flow - Google Patents

Method and device for representing network flow Download PDF

Info

Publication number
CN108737291B
CN108737291B CN201810438595.7A CN201810438595A CN108737291B CN 108737291 B CN108737291 B CN 108737291B CN 201810438595 A CN201810438595 A CN 201810438595A CN 108737291 B CN108737291 B CN 108737291B
Authority
CN
China
Prior art keywords
network traffic
network
predicate
semantics
flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810438595.7A
Other languages
Chinese (zh)
Other versions
CN108737291A (en
Inventor
钱丽萍
王大伟
汪立东
王子厚
袁辰
张慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Civil Engineering and Architecture
National Computer Network and Information Security Management Center
Original Assignee
Beijing University of Civil Engineering and Architecture
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Civil Engineering and Architecture, National Computer Network and Information Security Management Center filed Critical Beijing University of Civil Engineering and Architecture
Priority to CN201810438595.7A priority Critical patent/CN108737291B/en
Publication of CN108737291A publication Critical patent/CN108737291A/en
Application granted granted Critical
Publication of CN108737291B publication Critical patent/CN108737291B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2475Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00Handling natural language data
    • G06F40/20Natural language analysis
    • G06F40/279Recognition of textual entities
    • G06F40/284Lexical analysis, e.g. tokenisation or collocates
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00Handling natural language data
    • G06F40/30Semantic analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2408Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明提供一种网络流量表示的方法及装置,方法包括:采用预设谓词及其论元,按预定事件语义学方法表示网络流量的语义,并根据网络流量的语义,定义网络流量与其它网络流量之间的关系,再根据上述关系,按照预定特征生成网络流量的集合,最后根据网络流量的集合,确定网络流量对应的通信主体的运行情况。该方法通过定义网络流量产生有关的谓词和论元,并采用预定的语义学方法对网络流量进行语义表示,根据网络流量的语义及语义关系形成网络流量的集合来表示通信主体的运行情况,该方法可以对网络流量进行准确的表示,并且表示形式较为简单,解决了现有技术的问题。

Figure 201810438595

The present invention provides a method and device for representing network traffic. The method includes: using preset predicates and their arguments, representing the semantics of network traffic according to a predetermined event semantic method, and defining the network traffic and other network traffic according to the semantics of network traffic The relationship between the traffic flows, and then according to the above relationship, a set of network traffic is generated according to predetermined characteristics, and finally, according to the set of network traffic, the operation status of the communication subject corresponding to the network traffic is determined. The method defines the predicates and arguments related to the generation of network traffic, and uses a predetermined semantic method to semantically represent the network traffic. According to the semantics and semantic relationship of the network traffic, a set of network traffic is formed to represent the operation of the communication subject. The method can accurately represent the network traffic, and the representation form is relatively simple, which solves the problems of the prior art.

Figure 201810438595

Description

Method and device for representing network flow
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for representing network traffic.
Background
The network traffic detection refers to detecting traffic generated by a specific network application, network service or network protocol from mixed traffic generated by a plurality of network applications in the internet, and is the basis of network attack, malicious code detection, network traffic engineering, route management and other works. The basic unit of network traffic detection is a network packet or a network flow, wherein the network flow is a network packet sequence with the same five tuples (source address, destination address, source port number, destination port number, protocol) in the network.
Before network traffic detection is performed, network traffic needs to be represented, and the existing representation formats mainly include two types: the raw packet format, which is a packet-level (data frame-level) record obtained directly from the network, and the NetFlow network flow format, which is a flow-level record. Both the two expression modes have inconvenience, the granularity expressed by the original data packet format is too fine, and a network flow detection system needs to be recombined in the whole process of 'data frame layer-network layer-transmission layer-application layer', so that a large amount of processing performance needs to be consumed; if the data packet is not recorded, only limited information can be obtained from the data packet header, and the specific content of the data packet is recorded, a large amount of storage is consumed during network traffic detection, and the network traffic detection effect may be affected due to legal restrictions and the requirements of user data privacy protection. The NetFlow format mainly records flow-level information, has relatively coarse granularity, and does not support application-level analysis and deep packet-based network flow detection.
The two ways of representing network traffic are both structured numerical representation ways, for a large-scale network system, the scale of detecting network traffic is large, if the traffic generated by a specific network application, network service or network protocol is to be detected, a detection rule needs to be preset (for example, index is established for a specific field, connection of the specific field, and flow statistics of the specific field), and if the demand for monitoring, querying, analyzing or statistics changes, a processing rule needs to be reset, even the whole network traffic detection system needs to be upgraded, which has no universality, low efficiency and high operation cost.
Disclosure of Invention
The invention provides a method and a device for representing network flow, which are used for solving the following problems in the prior art: the existing representation method of the network traffic has inappropriate granularity.
To solve the above technical problem, the present invention provides a method and an apparatus for representing network traffic, including: expressing the semantics of the network traffic according to a predetermined event semantics method by adopting a preset basic predicate, an argument of the preset basic predicate, a preset extended predicate and an argument of the preset extended predicate; defining semantic relations between the network traffic and other network traffic according to the semantics of the network traffic; generating a network flow set according to the semantics of the network flow and the semantic relation between the network flow and other network flows and according to preset characteristics; and determining the operation condition of the communication main body corresponding to the network flow according to the set of the network flow.
Optionally, the basic predicate includes: the method comprises the following steps of five-tuple of the network flow, a client host address, a server host address, the number of bytes contained in the network flow, the number of network flow packets contained in the network flow, the occurrence time of the network flow, connection establishment of the five-tuple of the network flow, and the start time and the end time of the network flow, wherein the five-tuple of the network flow comprises: a source address, a destination address, a source port, a destination port, and a transport layer protocol of the network traffic; and the argument of the basic predicate expresses communication parameters in the network traffic expressed by the basic predicate.
Optionally, the extended predicate includes: the network traffic comprises an interval time sequence of the network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic location of an address in the network traffic, an entropy of the network traffic in a predetermined direction, and a reset time of the network traffic; and the argument of the expanded predicate expresses communication parameters in the network traffic expressed by the expanded predicate.
Optionally, the predetermined event semantics method is a novidesson event semantics method.
Optionally, the semantic relationship between the network traffics includes: sequential, concurrent, causal and conditional.
In addition, to achieve the above object, the present invention further provides a device for representing network traffic, including: the expression module is used for expressing the semantics of the network traffic according to a predetermined event semantics method by adopting a preset basic predicate, arguments of the preset basic predicate, a preset extended predicate and arguments of the preset extended predicate; the definition module is used for defining the semantic relation between the network flow and other network flows according to the semantics of the network flow; the set generation module is used for generating a set of network traffic according to the semantics of the network traffic and the semantic relation between the network traffic and other network traffic and according to the preset characteristics; and the determining module is used for determining the operating condition of the communication main body corresponding to the network flow according to the set of the network flow.
Optionally, the basic predicate includes: the method comprises the following steps of five-tuple of the network flow, a client host address, a server host address, the number of bytes contained in the network flow, the number of network flow packets contained in the network flow, the occurrence time of the network flow, connection establishment of the five-tuple of the network flow, and the start time and the end time of the network flow, wherein the five-tuple of the network flow comprises: a source address, a destination address, a source port, a destination port, and a transport layer protocol of the network traffic; and the argument of the basic predicate expresses communication parameters in the network traffic expressed by the basic predicate.
Optionally, the extended predicate includes: the network traffic comprises an interval time sequence of the network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic location of an address in the network traffic, an entropy of the network traffic in a predetermined direction, and a reset time of the network traffic; and the argument of the expanded predicate expresses communication parameters in the network traffic expressed by the expanded predicate.
Optionally, the predetermined event semantics method is a novidesson event semantics method.
Optionally, the semantic relationship between the network traffics includes: sequential, concurrent, causal and conditional.
The invention provides a method and a device for representing network flow, wherein the method comprises the following steps: the method comprises the steps of representing the semantics of network traffic by a preset predicate and argument thereof according to a predetermined event semantics method, defining the relation between the network traffic and other network traffic according to the semantics of the network traffic, generating a set of the network traffic according to the preset characteristics according to the relation, and finally determining the operation condition of a communication main body corresponding to the network traffic according to the set of the network traffic. The method generates related predicates and arguments by defining the network traffic, performs semantic representation on the network traffic by adopting a predetermined semantic method, and forms a network traffic set according to the semantics and semantic relations of the network traffic to represent the operation condition of a communication main body, can accurately represent the network traffic from proper granularity, has a simple representation form, and solves the following problems in the prior art: the existing representation method of the network traffic has inappropriate granularity.
Drawings
FIG. 1 is a flow chart of a method of network traffic representation in a first embodiment of the invention;
FIG. 2 is a schematic diagram of a second embodiment of the present invention illustrating the structure of a device for network traffic representation;
fig. 3 is a flow chart of a method of network traffic representation in a third embodiment of the present invention.
Detailed Description
In order to solve the following problems in the prior art: the existing representation method of the network traffic has inappropriate granularity. A first embodiment of the present invention provides a method for representing network traffic, and a flowchart of the method is shown in fig. 1, and includes steps S102 to S108:
and S102, representing the semantics of the network traffic according to a predetermined event semantics method by adopting a preset basic predicate, an argument of the preset basic predicate, a preset extended predicate and an argument of the preset extended predicate.
In this embodiment, for network traffic, regarding the network traffic as an event, a set of predicates may be defined to describe a communication action corresponding to the network traffic, and the argument may be used to describe a corresponding communication parameter in the network traffic.
And S104, defining the semantic relation between the network flow and other network flows according to the semantics of the network flow.
After the semantics of a series of network traffic are expressed, the relationship between the network traffic and other network traffic is defined according to the expressed semantics of each network traffic.
And S106, generating a network flow set according to the semantic of the network flow and the semantic relation between the network flow and other network flows and the preset characteristics.
The collection of network traffic includes a series of network traffic having semantic relationships. The predetermined feature in this embodiment may be time or space, that is, a set may be generated for network traffic within a certain time range, or a set may be generated according to a region range corresponding to an IP address in the network traffic.
And S108, determining the operation condition of the communication main body corresponding to the network flow according to the set of the network flow.
The network traffic set generated in the above step may be a set formed by different network traffic generated by one communication subject under different conditions, so that the operation condition of the communication subject corresponding to the network traffic may be determined according to the generated network traffic set.
In addition, in this embodiment, predicates and arguments of the network traffic are defined, which are specifically defined as follows:
the basic predicates can at least include: a quintuple corresponding to the network traffic, a client host address, a server host address, a byte number included in the network traffic, a network traffic packet number included in the network traffic, an occurrence time of the network traffic, a connection establishment of the quintuple of the network traffic, a start time and an end time of the network traffic, in this embodiment, the quintuple of the network traffic includes: source address, destination address, source port, destination port, and transport layer protocol of the network traffic. Furthermore, arguments of the basic predicate represent communication parameters in the network traffic represented by the basic predicate. For example, the argument of the client host address is a specific network address corresponding to the client host in the network traffic generated by the specific client host.
In addition, in addition to the basic predicate, the extended predicate in this embodiment at least includes: the network traffic comprises an interval time sequence of network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic position of a certain address in the network traffic, entropy of the network traffic in a preset direction, and reset time of the network traffic. In this embodiment, the predetermined direction of the network traffic refers to from the client to the server or from the server to the client, and the reset time of the network traffic refers to that the network traffic is reset at a certain time. And the argument of the expanded predicate expresses communication parameters in the network traffic expressed by the expanded predicate.
In order to make the semantic representation structure of the network traffic clear, the event semantics method adopted in the embodiment is a new davison time semantics method, and the method corresponds to a predicate argument structure and can clearly represent the semantic of the network traffic.
Furthermore, in this embodiment, the semantic relationship between network traffic at least includes: sequential, concurrent, causal and conditional.
The method for representing network traffic provided by this embodiment adopts a preset predicate and its argument to represent the semantics of network traffic according to a predetermined event semantics method, defines the relationship between network traffic and other network traffic according to the semantics of network traffic, generates a set of network traffic according to a predetermined characteristic according to the relationship, and finally determines the operating condition of a communication subject corresponding to network traffic according to the set of network traffic. The method generates related predicates and arguments by defining the network traffic, performs semantic representation on the network traffic by adopting a predetermined semantic method, and forms a network traffic set according to the semantics and semantic relations of the network traffic to represent the operation condition of a communication main body, can accurately represent the network traffic, has a simple representation form, and solves the following problems in the prior art: the existing representation method of the network traffic has inappropriate granularity.
A second embodiment of the present invention provides an apparatus for representing network traffic, where a schematic structural diagram of the apparatus is shown in fig. 2, and the apparatus includes: the expression module 10 is configured to express semantics of network traffic according to a predetermined event semantics method by using a preset basic predicate, arguments of the preset basic predicate, a preset extended predicate, and arguments of the preset extended predicate; a defining module 20, coupled to the representing module 10, for defining a semantic relationship between the network traffic and other network traffic according to the semantics of the network traffic; a set generating module 30, coupled to the defining module 20, for generating a set of network traffic according to a predetermined characteristic according to the semantics of the network traffic and the semantic relationship between the network traffic and other network traffic; and the determining module 40 is coupled to the set generating module and configured to determine, according to the set of network traffic, an operating condition of the communication subject corresponding to the network traffic.
In the expression module, the predicate is a term used for describing or determining the property, feature, or relationship between objects, and a noun collocated with the predicate is called an argument.
Further, after representing the semantics of a series of network traffic, a definition module may be used to define the relationship between the network traffic and other network traffic based on the represented semantics of each network traffic.
Further, the set generating module generates a set of network traffic according to the semantic of the network traffic and the semantic relationship between the network traffic and other network traffic and according to the predetermined characteristics. The collection of network traffic includes a series of network traffic having semantic relationships. The predetermined feature in this embodiment may be time or space, that is, a set may be generated for network traffic within a certain time range, or a set may be generated according to a region range corresponding to an IP address in the network traffic.
And finally, the determining module determines the operation condition of the communication main body corresponding to the network flow according to the set of the network flow. The network traffic set generated by the set generating module may be a set formed by different network traffic generated by a communication subject under different conditions, and therefore, according to the generated network traffic set, the operating condition of the communication subject corresponding to the network traffic may be determined.
In addition, in this embodiment, predicates and arguments of the network traffic are defined, which are specifically defined as follows:
the basic predicates can at least include: a quintuple corresponding to the network traffic, a client host address, a server host address, a byte number included in the network traffic, a network traffic packet number included in the network traffic, an occurrence time of the network traffic, a connection establishment of the quintuple of the network traffic, a start time and an end time of the network traffic, in this embodiment, the quintuple of the network traffic includes: source address, destination address, source port, destination port, and transport layer protocol of the network traffic. Furthermore, arguments of the basic predicate represent communication parameters in the network traffic represented by the basic predicate. For example, the argument of the client host address is a specific network address corresponding to the client host in the network traffic generated by the specific client host.
In addition, in addition to the basic predicate, the extended predicate in this embodiment at least includes: the network traffic comprises an interval time sequence of network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic position of a certain address in the network traffic, entropy of the network traffic in a preset direction, and reset time of the network traffic. In this embodiment, the predetermined direction of the network traffic refers to from the client to the server or from the server to the client, and the reset time of the network traffic refers to that the network traffic is reset at a certain time. And the argument of the expanded predicate expresses communication parameters in the network traffic expressed by the expanded predicate.
In order to make the semantic representation structure of the network traffic clear, the event semantics method adopted in the embodiment is a new davison time semantics method, and the method corresponds to a predicate argument structure and can clearly represent the semantic of the network traffic.
Furthermore, in this embodiment, the semantic relationship between network traffic at least includes: sequential, concurrent, causal and conditional.
In the apparatus for representing network traffic provided in the second embodiment of the present invention, the representing module uses a preset predicate and its argument to represent the semantics of the network traffic according to a predefined event semantics method, the defining module defines a relationship between the network traffic and other network traffic according to the semantics of the network traffic, the set generating module generates a set of the network traffic according to a predefined feature according to the relationship, and the determining module determines the operation condition of the communication subject corresponding to the network traffic according to the set of the network traffic. The device generates related predicates and arguments by defining the network traffic, performs semantic representation on the network traffic by adopting a predetermined semantic method, forms a network traffic set according to the semantics and semantic relations of the network traffic to represent the operation condition of a communication main body, can accurately represent the network traffic, has a simple representation form, and solves the following problems in the prior art: the existing means for representing network traffic indicate that the granularity of the network traffic is not suitable.
A third embodiment of the present invention provides a method for representing network traffic, where a flowchart of the method is shown in fig. 3, and includes steps S302 to S308:
s302, the semantics of the network flow is represented.
In this embodiment, the semantics of the network traffic are expressed by a predetermined event semantics method by using a preset basic predicate, an argument of the preset basic predicate, a preset extended predicate, and an argument of the preset extended predicate.
In this embodiment, for network traffic, regarding network traffic as an event, a set of predicates may be defined to describe a communication action corresponding to the network traffic, and the argument may be used to describe a corresponding communication parameter in the network traffic.
In this embodiment, predicates and arguments of network traffic are defined, and specifically defined as shown in table 1, the arguments of the basic predicate are the part in parentheses after the basic predicate, and the specific content of the arguments is related to the specific network traffic.
TABLE 1
Predicate (argument) Description of the invention
IP_ADDRsource(ip1) Source address ip1
IP_ADDRdest(ip1) Destination address ip1
PORTsource(pt1) Source port pt1
PORTdest(pt1) Destination port pt1
PROTO(pr1) Protocol pr1
HOSTclient(ip) Client host ip
HOSTserver(ip) Host ip of server
COUNTbytes(cb1) Byte count cb1
COUNTpkts(cp1) Packet count cp1
TIME(t1) The network flow has a time t1
CONNECT(f1) Network flow f1Establishing connections in corresponding quintuple
TIME(f1,st1,et1) Network flow f1Respectively, the start and stop time of1And et1
The basic predicates can at least include: a quintuple corresponding to the network traffic, a client host address, a server host address, a byte number included in the network traffic, a network traffic packet number included in the network traffic, an occurrence time of the network traffic, a connection establishment of the quintuple of the network traffic, a start time and an end time of the network traffic, in this embodiment, the quintuple of the network traffic includes: source address, destination address, source port, destination port, and transport layer protocol of the network traffic. Furthermore, arguments of the basic predicate represent communication parameters in the network traffic represented by the basic predicate. For example, the argument of the client host address is a specific network address corresponding to the client host in the network traffic generated by the specific client host.
In addition, in addition to the basic predicate, the extended predicate in this embodiment is shown in table 2, where arguments of the extended predicate are parts in parentheses after the extended predicate, and specific contents of the arguments are related to specific network traffic, and the specific contents at least include: the network traffic comprises an interval time sequence of network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic position of a certain address in the network traffic, entropy of the network traffic in a preset direction, and reset time of the network traffic. In this embodiment, the predetermined direction of the network traffic refers to from the client to the server or from the server to the client, and the reset time of the network traffic refers to that the network traffic is reset at a certain time. And the argument of the expanded predicate expresses communication parameters in the network traffic expressed by the expanded predicate.
TABLE 2
Figure BDA0001655314030000101
Further, in order to make the semantic representation structure of the network traffic clear, the event semantics method adopted in the embodiment is a new davison time semantics method, and the method corresponds to a predicate argument structure and can clearly represent the semantic of the network traffic.
For example, the network traffic realizes that the client sip establishes the connection by the tcp protocol, and the semantic representation method of this embodiment may be represented as:
Figure BDA0001655314030000102
s304, defining semantic relation between the network traffic according to the semantics of the network traffic.
After the semantics of a series of network traffic are expressed, the relationship between the network traffic and other network traffic is defined according to the expressed semantics of each network traffic.
In this embodiment, the semantic relationship between network traffic at least includes: sequential, concurrent, causal and conditional. For representing the relationship between network traffic, this embodiment specifically means:
event e for two network traffic representations1And e2If e is1In time sequence at e2When it has occurred previously, it is called e1And e2Satisfy a sequential bearing relationship, and are denoted as e1→e2
If e1And e2All occur within a certain time window W, then are called e1And e2Satisfy the concurrency relationship, and is marked as e1↑↑e2
If it is e1Generation, e2If it happens, it is called e1And e2Satisfy the causal relationship, is recorded as
Figure BDA0001655314030000103
If only e1Happen to result in e2When it occurs, it is called e1And e2Satisfy the conditional relationship, which can be denoted as e in this embodiment1↗e2
For example, let us say network traffic s1The events represented are: the client with the IP address sip initiates a DNS request to the domain name server with the IP address dip, and the network flow s2The events represented are: the client with the IP address sip receives the DNS response returned by the domain name server with the IP address dip, and then the network flow s1Expressed as:
Figure BDA0001655314030000111
network traffic s2Expressed as:
Figure BDA0001655314030000112
Figure BDA0001655314030000113
and s1And s2Satisfy the causal relationship, is recorded as
Figure BDA0001655314030000114
E.g. network traffic s1The client with the IP address sip accesses the Web server dip
Figure BDA0001655314030000115
And also network traffic s2The method realizes the dip of the Web page and simultaneously downloads the dip from another Web server2Downloading a picture by a concurrent network stream includes:
Figure BDA0001655314030000116
Figure BDA0001655314030000117
and s1And s2Satisfy the concurrency relationship, and is marked as s1↑↑s2
S306, generating a network flow set according to the semantic relation between the network flow and the preset characteristics.
The collection of network traffic includes a series of network traffic having semantic relationships. The predetermined feature in this embodiment may be time or space, that is, a set may be generated for network traffic within a certain time range, or a set may be generated according to a region range corresponding to an IP address in the network traffic.
And S308, determining the operation condition of the communication main body corresponding to the network flow according to the set of the network flow.
The network traffic set generated in the above step may be a set formed by different network traffic generated by one communication subject under different conditions, so that the operation condition of the communication subject corresponding to the network traffic may be determined according to the generated network traffic set.
For example, suppose there is a set S of network traffic, there is a set
Figure BDA0001655314030000118
Figure BDA0001655314030000119
The set T represents the case of network traffic generated by the server host over a certain time frame.
In addition, it is assumed that there is a network traffic set S, with a set
Figure BDA00016553140300001110
Figure BDA00016553140300001111
The P server hosts are aggregated for the case of network traffic generated within the geographic range corresponding to their IP addresses.
The method for representing network traffic provided by this embodiment adopts a preset predicate and its argument to represent the semantics of network traffic according to a predetermined event semantics method, defines the relationship between network traffic and other network traffic according to the semantics of network traffic, generates a set of network traffic according to a predetermined characteristic according to the relationship, and finally determines the operating condition of a communication subject corresponding to network traffic according to the set of network traffic. The method generates related predicates and arguments by defining the network traffic, performs semantic representation on the network traffic by adopting a predetermined semantic method, and forms a network traffic set according to the semantics and semantic relations of the network traffic to represent the operation condition of a communication main body, can accurately represent the network traffic, has a simple representation form, and solves the following problems in the prior art: the existing representation method of the network traffic has inappropriate granularity.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, and the scope of the invention should not be limited to the embodiments described above.

Claims (10)

1. A method of network traffic representation, comprising:
representing the semantics of network traffic by a predetermined event semantics method by adopting a preset basic predicate, an argument of the preset basic predicate, a preset extension predicate and an argument of the preset extension predicate, wherein the preset basic predicate and the preset extension predicate are defined to describe communication actions corresponding to the generated network traffic, the argument of the basic predicate represents communication parameters in the network traffic represented by the basic predicate, and the argument of the extension predicate represents communication parameters in the network traffic represented by the extension predicate;
defining semantic relations between the network traffic and other network traffic according to the semantics of the network traffic;
generating a network flow set according to the semantics of the network flow and the semantic relation between the network flow and other network flows and according to preset characteristics;
and determining the operation condition of the communication main body corresponding to the network flow according to the set of the network flow.
2. The method of claim 1,
the basic predicates comprise: the method comprises the following steps of five-tuple of the network flow, a client host address, a server host address, the number of bytes contained in the network flow, the number of network flow packets contained in the network flow, the occurrence time of the network flow, connection establishment of the five-tuple of the network flow, and the start time and the end time of the network flow, wherein the five-tuple of the network flow comprises: source address, destination address, source port, destination port, and transport layer protocol of the network traffic.
3. The method of claim 1,
the extended predicate includes: the network traffic comprises an interval time sequence of the network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic location of an address in the network traffic, an entropy of the network traffic in a predetermined direction, and a reset time of the network traffic.
4. The method of claim 1, wherein the predetermined event semantics method is a New Thewesson event semantics method.
5. The method of claim 1, wherein the semantic relationship between the network traffic comprises: sequential, concurrent, causal and conditional.
6. An apparatus for network traffic representation, comprising:
the system comprises a representation module, a processing module and a processing module, wherein the representation module is used for representing the semantics of network traffic according to a predetermined event semantics method by adopting a preset basic predicate, an argument of the preset basic predicate, a preset extension predicate and an argument of the preset extension predicate, wherein the preset basic predicate and the preset extension predicate are defined to describe communication actions corresponding to the generated network traffic, the argument of the basic predicate represents communication parameters in the network traffic represented by the basic predicate, and the argument of the extension predicate represents communication parameters in the network traffic represented by the extension predicate;
the definition module is used for defining the semantic relation between the network flow and other network flows according to the semantics of the network flow;
the set generation module is used for generating a set of network traffic according to the semantics of the network traffic and the semantic relation between the network traffic and other network traffic and according to the preset characteristics;
and the determining module is used for determining the operating condition of the communication main body corresponding to the network flow according to the set of the network flow.
7. The apparatus of claim 6,
the basic predicates comprise: the method comprises the following steps of five-tuple of the network flow, a client host address, a server host address, the number of bytes contained in the network flow, the number of network flow packets contained in the network flow, the occurrence time of the network flow, connection establishment of the five-tuple of the network flow, and the start time and the end time of the network flow, wherein the five-tuple of the network flow comprises: source address, destination address, source port, destination port, and transport layer protocol of the network traffic.
8. The apparatus of claim 6,
the extended predicate includes: the network traffic comprises an interval time sequence of the network traffic packets, a length sequence of the network traffic packets, a feature string of the network traffic, a geographic location of an address in the network traffic, an entropy of the network traffic in a predetermined direction, and a reset time of the network traffic.
9. The apparatus of claim 6, in which the predetermined event semantics method is a New Thewesson event semantics method.
10. The apparatus of claim 6, wherein the semantic relationship between the network traffic comprises: sequential, concurrent, causal and conditional.
CN201810438595.7A 2018-05-09 2018-05-09 Method and device for representing network flow Active CN108737291B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810438595.7A CN108737291B (en) 2018-05-09 2018-05-09 Method and device for representing network flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810438595.7A CN108737291B (en) 2018-05-09 2018-05-09 Method and device for representing network flow

Publications (2)

Publication Number Publication Date
CN108737291A CN108737291A (en) 2018-11-02
CN108737291B true CN108737291B (en) 2022-04-05

Family

ID=63938173

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810438595.7A Active CN108737291B (en) 2018-05-09 2018-05-09 Method and device for representing network flow

Country Status (1)

Country Link
CN (1) CN108737291B (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070217435A1 (en) * 2006-03-15 2007-09-20 Crocker Ronald T Method and apparatus to provide network event messages
US8971217B2 (en) * 2006-06-30 2015-03-03 Microsoft Technology Licensing, Llc Transmitting packet-based data items
AU2010223925A1 (en) * 2009-03-13 2011-11-03 Rutgers, The State University Of New Jersey Systems and methods for the detection of malware
CN102468987B (en) * 2010-11-08 2015-01-14 清华大学 NetFlow characteristic vector extraction method
CN102045363B (en) * 2010-12-31 2013-10-09 华为数字技术(成都)有限公司 Establishment, identification control method and device for network flow characteristic identification rule
CN105162626B (en) * 2015-08-20 2018-07-06 西安工程大学 Network flow depth recognition system and recognition methods based on many-core processor
CN107733937A (en) * 2017-12-01 2018-02-23 广东奥飞数据科技股份有限公司 A kind of Abnormal network traffic detection method

Also Published As

Publication number Publication date
CN108737291A (en) 2018-11-02

Similar Documents

Publication Publication Date Title
US11757739B2 (en) Aggregation of select network traffic statistics
JP5520231B2 (en) ACL configuration method of network device based on flow information
JP4126707B2 (en) Technology for analyzing the state of information systems
EP2240854B1 (en) Method of resolving network address to host names in network flows for network device
CN115499230B (en) Network attack detection method and device, equipment and storage medium
CN107888605B (en) A method and system for traffic security analysis of Internet of Things cloud platform
JP2020113924A (en) Monitoring program, programmable device, and monitoring method
US20120026914A1 (en) Analyzing Network Activity by Presenting Topology Information with Application Traffic Quantity
WO2017185912A1 (en) Method and apparatus for collecting statistics about terminal device information based on hash node
WO2022105691A1 (en) Method for preventing ipfix message loss, application thereof, and asic chip
CN102523296B (en) Method, device and system for optimizing wireless webpage browsing resources
CN115225544A (en) Network flow counting and monitoring method, device, electronic equipment and medium
CN109327356B (en) User portrait generation method and device
CN113098727A (en) Data packet detection processing method and device
CN107392020A (en) Database manipulation analysis method, device, computing device and computer-readable storage medium
HK1204728A1 (en) System and method for generating blacklist of requests to access from network
AU2018253491B2 (en) Adaptive event aggregation
WO2022100581A1 (en) Method for processing ipfix message, storage medium, network switching chip and asic chip
CN108737291B (en) Method and device for representing network flow
CN112398796B (en) Information processing method, device, equipment and computer readable storage medium
CN116318849A (en) Asset identification method, device and readable storage medium
JP2006067279A (en) Intrusion detection system and communication device
CA3118929A1 (en) Systems and methods to filter out noisy application signatures to improve precision of first packet application classification
CN117082147B (en) Application network access control methods, systems, devices and media
CN117439824B (en) AI-based smart city evaluation method, system, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant