
CN101645806A - Network flow classifying system and network flow classifying method combining DPI and DFI - Google Patents


Info

Publication number: CN101645806A
Authority: CN (China)
Prior art keywords: module, traffic, DPI, DFI, flow
Legal status: Granted; Expired - Fee Related
Application number: CN200910034643A
Other languages: Chinese (zh)
Other versions: CN101645806B (en)
Inventors: 裴文江, 王梁
Current assignee: Southeast University
Original assignee: Southeast University
Application filed by: Southeast University
Priority to: CN2009100346437A
Landscapes: Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a network traffic classification system and classification method combining DPI and DFI. The system combines two modules, a DPI service identification system and a DFI traffic identification system. The DPI module comprises a flow table detection module and a traffic identification module; the DFI module comprises a sample acquisition module, a classifier training module and a classifier classification prediction module. The sample acquisition module divides the data flows that the DPI traffic identification module can accurately identify into several major classes and uses them as samples to train the classifier training module, yielding a classification model that can distinguish the major classes of network traffic. Traffic that the DPI traffic identification module cannot identify is then passed through the DFI classifier classification prediction module, which assigns it to a major class. The invention is more comprehensive than using DPI or DFI alone: it can precisely identify services that are not encrypted at the application layer, and it can assign services that are encrypted at the application layer to a major class.

Description

Network Traffic Classification System and Classification Method Combining DPI and DFI

Technical field

The invention relates to a network traffic classification system and classification method combining DPI and DFI, and belongs to the field of network data transmission.

Background

With network applications emerging one after another, new services such as P2P, online games, IPTV and WEBTV occupy most of the Internet's bandwidth. P2P applications, represented by BT and Edonkey, already account for more than 2/3 of all Internet traffic. Operators' basic network construction has fallen into an abnormal cycle of "congestion, expansion, congestion again", and profitability has fallen accordingly. The inability to identify services raises operators' operating costs and lowers customer satisfaction. How to gain deep awareness of network applications, provide means of controlling and managing network services, build a harmonious network that can be operated and managed, restrict P2P effectively, guide it sensibly and turn its drawbacks to advantage has therefore become a pressing research topic for telecom operators.

For these reasons, different kinds of network data traffic must be identified by technical means so that they can be controlled and managed.

At present, the main methods for identifying network data flow services are the following:

(1) Port-based identification of network data flow services: this technique identifies applications by the different port numbers they have registered with IANA (Internet Assigned Numbers Authority). For example, when port 80 is detected, the application is taken to be ordinary web access. However, some illegitimate applications on today's networks hide or forge their port numbers to evade detection and supervision, so that data flows masquerading as legitimate packets erode the network. The ports used by newer P2P protocols, for instance, vary, so the accuracy of port-based identification keeps falling and the method is increasingly unsuited to identifying current network data flow services.

(2) DPI (Deep Packet Inspection) identification of network data flow services: port-based identification is powerless against newer protocols that use dynamic ports. Besides analysing the basic information at layer 4 and below, DPI adds application-layer analysis to identify applications and their content. That is, it analyses the application-layer payload characteristics of a series of packets, finds the signature strings of the application layer, and so identifies the various services. This method becomes very difficult to apply when the application-layer data is encrypted.

(3) DFI (Deep Flow Inspection) identification of network data flow services: when the application-layer data is encrypted, DPI can hardly identify a service by analysing the characteristics of that data. DFI identifies services by the characteristics of the flow, on the basis that different application types show different behaviour in their session connections or data flows. DFI analyses the characteristics of the whole data flow, such as the average packet length of each flow and the interval between packet arrivals. It does not need to inspect the application-layer data, so it makes no difference to this technique whether that data is encrypted. The flow characteristics of services of the same type are generally very close; the traffic characteristics of the two IM programs QQ and MSN, for example, may be nearly identical. The drawback of this method is therefore that it can only distinguish a few major classes of network traffic, such as IM, P2P and WEB.

Summary of the invention

Purpose of the invention:

The technical problem to be solved by the invention is that port-based identification has low accuracy, that DPI finds it very difficult to identify services whose application-layer data is encrypted, and that DFI can only divide network traffic into major classes. To address these defects, the invention proposes a network traffic classification system and classification method that combine DPI and DFI.

Technical solution:

The technical solution adopted by the invention is as follows. Network traffic is first divided into major classes. A DPI network data flow service identification system is then built: application-layer features are extracted for services that are not encrypted at the application layer, and the extracted features are placed in a feature library. The data flows of protocols that DPI can identify are then used as samples to train the DFI service identification module. Once training is complete, the DFI module is placed after the DPI service identification system, so that data flows DPI cannot identify pass on to the DFI module, which assigns them to a major class. The specific technical solution is as follows:

The network traffic classification system of the invention combines two modules, a DPI service identification system and a DFI traffic identification system.

The DPI service identification system comprises:

A. A flow table detection module, which determines whether the current data flow is a data flow whose type has already been marked;

B. A data flow feature library, which stores the features of data flows;

C. A traffic identification module, which identifies the different services that network traffic represents according to the features in the data flow feature library;

D. A protocol processing module, which handles specific services and also handles major classes of network traffic.

The DFI traffic identification system comprises:

E. A sample acquisition module, which extracts the flow features of services that DPI can identify precisely and divides them into classes, to serve as training samples for the classifier training module;

F. A classifier training module, which trains on the samples provided by the sample acquisition module to obtain a trained model;

G. A classifier classification prediction module, which classifies other data according to the model obtained by the classifier training module.

The invention also provides a network traffic classification method based on this system, comprising the following steps:

(a) The data flow first passes through the flow table detection module in the DPI service identification system, which checks whether the current data flow is in the state table that the module maintains. If the data flow is in the state table, the flow table detection module marks it and sends it directly to the protocol processing module. If the data flow is not in the state table, the flow table detection module sends it to the traffic identification module and the method proceeds to step (b);

(b) The traffic identification module checks whether the data flow contains any feature in the data flow feature library of the DPI service identification system. If the traffic identification module finds a matching traffic feature in the library, it marks the data flow corresponding to the current packet as that specific kind of flow, updates the state table maintained by the flow table detection module, and sends the marked data flow to the protocol processing module. If it finds no matching traffic feature in the library, it sends the data flow to the DFI traffic identification system and the method proceeds to step (c);

(c) The traffic identification module sends the data flows it is able to identify to the sample acquisition module in the DFI traffic identification system. After the sample acquisition module has obtained a sample file for these data flows online, it sends the sample file to the classifier training module for offline training, which yields a classification model; the classifier training module sends this model to the classifier classification prediction module. The classifier classification prediction module uses the trained classification model to classify the data flows that the traffic identification module could not identify in step (b);

(d) The classifier classification prediction module marks the classified data flows accordingly and sends them to the protocol processing module. The protocol processing module then handles each data flow according to the mark it received in the preceding steps, either as a specific service or as a member of a major class.

In the DPI service identification system of the invention, the data flow feature library contains the application-layer features of some of the services in each major class of network traffic. For example, services in the instant messaging class include QQ and Baidu HI: the application-layer feature of QQ is that the packet starts with 0x02 and ends with 0x03, and the application-layer feature of Baidu HI is that the first eight bytes are 0x0000010031564d49. Services in the P2P class include TTlive and Sopcast: the application-layer feature of TTlive is that the payload of the first packet of each flow is 52 bytes long, its first three bytes are 0xffff01 and its last two bytes are 0x0002; the application-layer feature of Sopcast is that the signature of the first packet carrying a payload, written as a regular expression, is ^DESCRIBE.*User-Agent:WMPlayer.

Beneficial effects

The network traffic classification system and method of the invention first apply DPI identification to network data; data flows that DPI cannot identify are then classified by DFI, which increases the accuracy of network traffic classification.

Description of the drawings

Fig. 1 is a structural block diagram of the DPI identification module;

Fig. 2 is a structural block diagram of the DFI identification module;

Fig. 3 is a block diagram of the network traffic classification method combining DPI and DFI according to the invention;

Fig. 4 is a flow chart of the network traffic classification method combining DPI and DFI according to the invention.

Detailed description

The invention is described in further detail below with reference to the drawings.

As shown in Fig. 1, in the first implementation step of the network traffic classification system combining DPI and DFI, the network traffic identification system is connected to a TCP/IP network and contains a flow table detection module, a protocol processing module, a traffic identification module and a data flow feature library.

The data flow feature library covers a variety of services belonging to several major classes of network traffic. For example:

(1) The IM (instant messaging) class includes QQ and Baidu HI. The application-layer feature of QQ is that the packet starts with 0x02 and ends with 0x03; the application-layer feature of Baidu HI is that the first eight bytes are 0x0000010031564d49.

(2) The P2P class includes TTlive and Sopcast. The application-layer feature of TTlive is that the payload of the first packet of each flow is 52 bytes long, its first three bytes are 0xffff01 and its last two bytes are 0x0002. The application-layer feature of Sopcast is that the signature of the first packet carrying a payload, written as a regular expression, is ^DESCRIBE.*User-Agent:WMPlayer.

The data flow feature library stores the features of all of these services.

The flow table detection module maintains a state table. Each entry holds a data flow's five-tuple (source IP address, destination IP address, source port, destination port, protocol number) and the ID of the protocol type the flow belongs to. When a network data flow arrives, its five-tuple is first compared with the entries in the state table; if it is in the table, the flow is marked with the ID of its protocol type and sent to the protocol processing module.

For example, one entry maintained in the state table has the format shown in the second row of the following table:

  Source IP address   Destination IP address   Source port   Destination port   Protocol type   Protocol ID
  119.147.18.47       10.8.7.43                8000          4000               0x11            5

Here 119.147.18.47 is the source IP address, 10.8.7.43 is the destination IP address, 8000 is the source port, 4000 is the destination port, 0x11 is the protocol number (UDP), and 5 is a protocol ID that the operator defines; if, say, the protocol ID of QQ is set to 5, then 5 denotes a QQ data flow. When a new data flow enters the flow table detection module, its five-tuple is first compared with the first five fields (the five-tuple) of each entry in the table. If the state table contains the flow's five-tuple, the data flow is marked with the protocol ID and sent to the protocol processing module; if no entry in the state table matches the five-tuple, the flow goes to the traffic identification module.

The traffic identification module first analyses the application-layer data of the network data flow and compares its application-layer features with those in the data flow feature library. If the signature string of the application-layer data matches one or more features in the library, the traffic identification module marks the flow with the corresponding protocol ID and adds the flow to the flow table detection module. If the library contains no feature matching the signature string, the traffic identification module does not mark the flow but sends it to the DFI identification module for further identification.

The data flow feature library holds the application-layer signatures of services that have been identified in advance. For example, the first 20 application-layer bytes of bitspirit are always 0x13426974546f7272656e742070726f746f636f6c, and the first 5 application-layer bytes of PP点点通 when it downloads a file are always 0x3c00000001. The traffic identification module decides whether a data flow can be identified, and which protocol it belongs to, by comparing it with the features in the library.
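The flow table lookup and signature matching described above can be sketched as follows. This is an added example, not code from the patent: the byte signatures are the ones quoted in the text, while the class and function names, the protocol IDs other than QQ = 5, the order in which signatures are tried, and the sample payloads are assumptions made for illustration.

```python
import re
from typing import NamedTuple


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 0x11 = UDP, 0x06 = TCP


# Protocol IDs are operator-defined. The text fixes only QQ = 5; the others are assumed.
QQ, BAIDU_HI, TTLIVE, SOPCAST, BITSPIRIT, PP = 5, 6, 7, 8, 9, 10

# DOTALL so that ".*" can span the header lines of the first payload packet.
SOPCAST_RE = re.compile(rb"^DESCRIBE.*User-Agent:WMPlayer", re.DOTALL)

# (protocol ID, predicate(payload, is_first_payload_packet_of_flow)).
# Assumed ordering: longest and most specific signatures first. The QQ rule
# checks only one byte at each end of the packet, so it is tried last to keep
# it from shadowing a more specific match.
SIGNATURES = [
    (BITSPIRIT, lambda p, first:
        p[:20] == bytes.fromhex("13426974546f7272656e742070726f746f636f6c")),
    (BAIDU_HI, lambda p, first: p[:8] == bytes.fromhex("0000010031564d49")),
    # The text scopes this prefix to file downloads; that context is not modelled here.
    (PP, lambda p, first: p[:5] == bytes.fromhex("3c00000001")),
    (TTLIVE, lambda p, first: first and len(p) == 52
        and p[:3] == bytes.fromhex("ffff01") and p[-2:] == bytes.fromhex("0002")),
    (SOPCAST, lambda p, first: first and SOPCAST_RE.match(p) is not None),
    (QQ, lambda p, first: len(p) >= 2 and p[0] == 0x02 and p[-1] == 0x03),
]


class DpiStage:
    """Flow table detection plus traffic identification, steps (a) and (b)."""

    def __init__(self):
        self.flow_table = {}  # the state table: FiveTuple -> protocol ID

    def classify(self, flow, payload, first=False):
        """Return (decided_by, protocol_id).

        decided_by is 'flow_table' (already marked), 'dpi' (signature hit,
        state table updated) or 'dfi' (unidentified, hand over to DFI).
        """
        # Step (a): a flow that is already in the state table is marked
        # without looking at the payload at all.
        proto_id = self.flow_table.get(flow)
        if proto_id is not None:
            return ("flow_table", proto_id)
        # Step (b): compare the application-layer payload with the library.
        for proto_id, matches in SIGNATURES:
            if matches(payload, first):
                self.flow_table[flow] = proto_id
                return ("dpi", proto_id)
        # No signature matched (for example, the payload is encrypted).
        return ("dfi", None)


if __name__ == "__main__":
    dpi = DpiStage()
    # Five-tuple from the state table example in the text; payloads are constructed.
    qq_flow = FiveTuple("119.147.18.47", "10.8.7.43", 8000, 4000, 0x11)
    print(dpi.classify(qq_flow, b"\x02constructed\x03", first=True))
    print(dpi.classify(qq_flow, b"\x99\x99"))
```

Because the state table is keyed on the five-tuple exactly as the text describes, the reverse direction of the same conversation is a separate entry and is matched against the library on its own.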

Fig. 2 is a structural block diagram of the DFI part of the network traffic classification system combining DPI and DFI. It consists mainly of a sample acquisition module, a classifier training module and a classifier classification prediction module. The sample acquisition module takes the data flows that the traffic identification module of Fig. 1 can accurately identify as samples, assigns them to the major classes of network traffic defined beforehand, and extracts the required flow features from them. For example, the traffic identification module can accurately identify QQ, and QQ belongs to the IM (instant messaging) class, so every QQ network data flow can serve as a sample of the IM class. Baidu HI can likewise be accurately identified and also belongs to the IM class, so every Baidu HI network data flow can also serve as a sample of the IM class. Once a sample has been obtained, its flow features are computed, such as the average packet length of the flow and the average interval between packets, and the sample is labelled with the major class it belongs to. In the same way, samples of the P2P class can be extracted from TTlive and Sopcast network data flows, along with samples of the other major classes. Gathering all of these samples together gives a sample file, whose format is shown in the following table:

Figure A20091003464300091

Each row of the file represents one sample, and the first character of each row indicates the major class the sample belongs to. Suppose, for example, that the P2P class is given the ID 1, the IM (instant messaging) class the ID 2 and the WEB application class the ID 3; then the first and third rows of this file are P2P sample data, the second row is IM sample data and the fourth row is WEB application sample data. In each row the class ID is followed by feature indices and the values of those features. If, for example, the average packet length of the flow is given index 1 and the average interval between packet arrivals is given index 2, then the first row states that this sample has an average packet length of 1000 and an average packet arrival interval of 0.005. Each flow certainly has more than two features; the others are not listed here. The role of the sample acquisition module is to extract flow features from the data flows that the traffic identification module can accurately identify and to save those features as a sample file.

The classifier training module obtains a prediction model by training on the samples collected by the sample acquisition module.

The classifier classification prediction module uses the prediction model to classify the traffic that the traffic identification module cannot identify.
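The three DFI modules can be sketched end to end as follows. This is an added example, not code from the patent. The text does not name a classifier and the figure with the sample file is missing from this page, so the "class index:value" line syntax, the nearest-centroid classifier with per-feature scaling, and every sample row except the first row's values (1000 and 0.005) are assumptions.

```python
import math
from collections import defaultdict

P2P, IM, WEB = 1, 2, 3      # class IDs used in the text's example
AVG_LEN, AVG_IAT = 1, 2     # feature indices used in the text's example


def flow_features(packets):
    """Sample acquisition: packets is a list of (timestamp_s, length_bytes) in arrival order."""
    if not packets:
        raise ValueError("a flow needs at least one packet")
    lengths = [length for _, length in packets]
    times = [ts for ts, _ in packets]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        AVG_LEN: sum(lengths) / len(lengths),
        # A single-packet flow has no inter-arrival interval; record 0.0.
        AVG_IAT: sum(gaps) / len(gaps) if gaps else 0.0,
    }


def sample_line(class_id, features):
    """One row of the sample file (assumed syntax: 'class index:value ...')."""
    return " ".join([str(class_id)] + [f"{i}:{features[i]:g}" for i in sorted(features)])


def parse_sample_line(line):
    label, *pairs = line.split()
    return int(label), {int(i): float(v) for i, v in (p.split(":") for p in pairs)}


def train(sample_lines):
    """Classifier training (offline): per-feature scaling plus one centroid per class."""
    samples = [parse_sample_line(line) for line in sample_lines if line.strip()]
    indices = sorted(samples[0][1])
    scale = {}
    for i in indices:
        values = [feats[i] for _, feats in samples]
        mean = sum(values) / len(values)
        std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values)) or 1.0
        # Without scaling, packet length (~1000) would swamp the interval (~0.005).
        scale[i] = (mean, std)
    grouped = defaultdict(list)
    for label, feats in samples:
        grouped[label].append([(feats[i] - scale[i][0]) / scale[i][1] for i in indices])
    centroids = {label: [sum(col) / len(col) for col in zip(*rows)]
                 for label, rows in grouped.items()}
    return {"indices": indices, "scale": scale, "centroids": centroids}


def predict(model, features):
    """Classification prediction (online): class of the nearest centroid."""
    z = [(features[i] - model["scale"][i][0]) / model["scale"][i][1]
         for i in model["indices"]]
    return min(model["centroids"], key=lambda label: math.dist(z, model["centroids"][label]))


# Constructed sample file with the row order the text describes (P2P, IM, P2P, WEB).
# Only the values in the first row come from the text.
SAMPLE_FILE = """\
1 1:1000 2:0.005
2 1:120 2:0.8
1 1:1100 2:0.004
3 1:600 2:0.05
"""

if __name__ == "__main__":
    model = train(SAMPLE_FILE.splitlines())
    # A flow DPI could not identify (constructed): large packets, short gaps.
    unknown = flow_features([(0.000, 960), (0.006, 1000), (0.012, 980)])
    print(sample_line(0, unknown), "->", predict(model, unknown))
```

With only four training rows the centroids are crude; in the scheme the text describes, every flow that DPI identifies contributes a row, so the sample file grows with observed traffic.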

Fig. 3 shows the combination of the DPI identification module and the DFI identification module. The modules fall into two groups, online and offline: the flow table detection module, protocol processing module, traffic identification module, data flow feature library, sample acquisition module and classifier classification prediction module are online, and the classifier training module is offline. Before online classification can take place, samples must be acquired and the classifier trained to produce a classification model; during this phase the traffic identification module sends the data flows it can accurately identify directly to the sample acquisition module.

Once the sample acquisition module has obtained a sample file online, the classifier can be trained offline to obtain a classification model. When the traffic identification module in the DPI system cannot identify a flow, the flow passes on to the classifier classification prediction module of the DFI system, which uses the trained classification model to classify the data flows the traffic identification module could not identify.

Fig. 4 is a flow chart of the network traffic classification method combining DPI and DFI according to the invention.

The flow chart shows how network data is processed during online classification; it presupposes that the classifier has already been trained and a classification model obtained.

When network traffic arrives, it first reaches the flow table detection module, which uses the packet header to check whether the current packet has already been marked. If the type of the data flow the packet belongs to has already been marked, the flow is handled in the way that corresponds to that type. If the type has not been marked, the packet goes to the traffic identification module, which bases its decision on the data flow feature library of Fig. 1. If the traffic identification module can identify the flow, it updates the flow table detection module so that later packets belonging to the same flow are recognised at the flow table check. If the traffic identification module cannot identify the flow, the flow goes to the classifier classification prediction module, which classifies the unidentified traffic according to the classification model obtained from offline DFI training. Because all network data traffic necessarily belongs to one of the major classes, all traffic that the DPI traffic identification module cannot identify is assigned to a major class at this point. After classification the flow is sent to the protocol processing module, which handles it according to its class. The protocol processing module has two kinds of processing target: specific services and major classes of network traffic.

Processing network traffic in this way is more comprehensive than using DPI or DFI alone: services that are not encrypted at the application layer can be identified precisely, and services that are encrypted at the application layer can be assigned to a major class.

Claims (2)

1. A network traffic classification system combining DPI and DFI, characterized in that it is formed by combining two modules, a DPI service identification system and a DFI traffic identification system;

the DPI service identification system comprises:
A. a flow table detection module, which determines whether the current data flow is a data flow whose type has already been marked;
B. a data flow feature library, which stores the features of data flows;
C. a traffic identification module, which identifies the different services represented by network traffic according to the features in the data flow feature library;
D. a protocol processing module, which handles specific services and handles broad network categories;

the DFI traffic identification system comprises:
E. a sample acquisition module, which extracts the flow features of the services that DPI can identify precisely and divides them into different categories, to serve as training samples for the classifier training module;
F. a classifier training module, which trains on the samples provided by the sample acquisition module to obtain a trained model;
G. a classifier classification prediction module, which classifies other data according to the model obtained by the classifier training module.

2. A network traffic classification method based on the network traffic classification system combining DPI and DFI according to claim 1, comprising the following steps:

(a) the data flow first passes through the flow table detection module in the DPI service identification system, which checks whether the current data flow is in the state table that the flow table detection module maintains; when the data flow is in the state table, the flow table detection module marks the current data flow and sends it directly to the protocol processing module; when the data flow is not in the state table, the flow table detection module sends the data flow to the traffic identification module, and step (b) is entered;

(b) the traffic identification module checks whether the data flow contains any feature in the data flow feature library of the DPI service identification system; when the traffic identification module finds a traffic feature in the data flow feature library that matches the data flow, it marks the data flow corresponding to the current packet as a specific data flow, updates the state table maintained in the flow table detection module, and sends the marked data flow to the protocol processing module; when the traffic identification module finds no traffic feature in the data flow feature library that matches the data flow, it sends the data flow to the DFI traffic identification system, and step (c) is entered;

(c) the traffic identification module sends the data flows it can identify to the sample acquisition module in the DFI traffic identification system; after the sample acquisition module has obtained the sample file of such a data flow online, it sends the sample file to the classifier training module for offline training, which yields a classification model; the classifier training module sends this classification model to the classifier classification prediction module; the classifier classification prediction module uses the trained classification model to classify the data flows that the traffic identification module could not identify in step (b);

(d) the classifier classification prediction module marks the classified data flows accordingly and sends them to the protocol processing module; according to the different marks applied to the data flows in the steps above, the protocol processing module performs either the handling for the specific service or the handling for the broad category.
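The flow of steps (a) to (c) in claim 2 can be sketched as follows. This is an added example, not code from the patent: the signature table, the two flow features (mean packet size, mean inter-arrival gap), the nearest-centroid model and all sample flows are assumptions constructed for illustration, since the claims do not fix a feature set or a classifier.

```python
from collections import defaultdict
from statistics import mean

# Constructed signature library: payload prefix -> (service, broad category).
SIGNATURES = {
    b"GET ": ("http", "web"),
    b"\x13BitTorrent protocol": ("bittorrent", "p2p"),
}

def flow_features(pkts):
    """Payload-independent features from (size_bytes, gap_seconds) pairs,
    each scaled to roughly [0, 1] so neither dominates the distance."""
    return (mean(s for s, _ in pkts) / 1500.0,
            min(mean(g for _, g in pkts), 1.0))

class HybridClassifier:
    def __init__(self, signatures):
        self.signatures = signatures
        self.flow_table = {}              # state table: flow key -> service
        self.samples = defaultdict(list)  # category -> DPI-labelled features
        self.centroids = {}               # trained model: category -> centroid

    def classify(self, key, payload, pkts):
        """Return (label, stage) following claim steps (a) to (c)."""
        if key in self.flow_table:                       # (a) already marked
            return self.flow_table[key], "flow-table"
        for sig, (service, category) in self.signatures.items():
            if payload.startswith(sig):                  # (b) DPI hit
                self.flow_table[key] = service
                # a DPI-identified flow doubles as a labelled DFI sample
                self.samples[category].append(flow_features(pkts))
                return service, "dpi"
        return self.predict(flow_features(pkts)), "dfi"  # (c) DPI miss

    def train(self):
        """Offline step: one centroid per category (assumed model choice)."""
        self.centroids = {cat: tuple(mean(col) for col in zip(*vecs))
                          for cat, vecs in self.samples.items()}

    def predict(self, feats):
        if not self.centroids:
            return "unknown"              # no model trained yet
        def dist(cat):
            return sum((a - b) ** 2
                       for a, b in zip(feats, self.centroids[cat]))
        return min(self.centroids, key=dist)

def demo():
    """Run constructed flows through the pipeline; returns (label, stage)."""
    clf = HybridClassifier(SIGNATURES)
    web = [(1400, 0.01), (1200, 0.02), (1500, 0.01)]
    p2p = [(300, 0.2), (250, 0.3), (400, 0.25)]
    opaque_pkts = [(1350, 0.015), (1450, 0.01)]
    opaque = b"\x17\x03\x03\x00\x20" + bytes(32)   # no signature matches
    out = [clf.classify("flow-1", b"GET / HTTP/1.1\r\n", web),
           clf.classify("flow-1", b"", web),       # later packet, same flow
           clf.classify("flow-2", b"\x13BitTorrent protocol" + bytes(8), p2p),
           clf.classify("flow-3", opaque, opaque_pkts)]  # before training
    clf.train()
    out.append(clf.classify("flow-3", opaque, opaque_pkts))
    return out

if __name__ == "__main__":
    for label, stage in demo():
        print(f"{stage:10s} -> {label}")
```

The DFI stage only ever returns a broad category, and only categories for which DPI has already supplied labelled samples, which is the limitation the description itself states for encrypted traffic.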
CN2009100346437A 2009-09-04 2009-09-04 Network flow classifying system and network flow classifying method combining DPI and DFI Expired - Fee Related CN101645806B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100346437A CN101645806B (en) 2009-09-04 2009-09-04 Network flow classifying system and network flow classifying method combining DPI and DFI

Publications (2)

Publication Number Publication Date
CN101645806A true CN101645806A (en) 2010-02-10
CN101645806B CN101645806B (en) 2011-09-07

Family

ID=41657531

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100346437A Expired - Fee Related CN101645806B (en) 2009-09-04 2009-09-04 Network flow classifying system and network flow classifying method combining DPI and DFI

Country Status (1)

Country Link
CN (1) CN101645806B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110907

Termination date: 20140904

EXPY Termination of patent right or utility model