CN114338437B - Network traffic classification method and device, electronic equipment and storage medium - Google Patents

Abstract

The invention provides a network traffic classification method, device, electronic equipment and storage medium, which divides the captured pcap file into a flow sequence, and the flow sequence is composed of multiple flow data packets; and extracts the characters of each flow data packet from the flow sequence. node features, obtain a byte sequence in units of streams; perform position encoding on each byte in the byte sequence, and input the encoded byte sequence into the traffic classification network model to obtain the traffic The traffic classification result output by the classification network model; wherein the traffic classification network model is obtained after training based on samples in flow units and the traffic classification results corresponding to the samples. The present invention separately performs position coding for each byte in the byte sequence, can effectively extract the key position information of each byte in the byte sequence, and improves the accuracy of traffic classification network model identification.

Description

Network traffic classification method, device, electronic equipment and storage medium

Technical field

The present invention relates to the technical field of network traffic management, and in particular to a network traffic classification method, device, electronic equipment and storage medium.

Background technique

Traffic classification is an important task in modern communication networks. Due to the rapid growth in demand for high-throughput traffic, it has become critical to properly manage network resources and identify the different types of applications that use network resources.

Currently, the emergence of new applications on the Internet and the interactions between various components have greatly increased the complexity and diversity of the network, making traffic classification itself a difficult problem. Network traffic classification faces more and more challenges. In order to cope with these challenges, existing technologies apply deep learning methods in the field of traffic classification to achieve high-performance classifiers.

However, this deep learning network traffic classification method relies on a large amount of expert experience in the process of extracting traffic features, and there is a certain deviation in the feature extraction results. On the other hand, after the traffic feature sequence is extracted, the contextual key information contained in each byte in the feature sequence is not fully explored, resulting in a low accuracy of the traffic classification result finally output by the deep learning-based traffic classification model.

Contents of the invention

The present invention provides a network traffic classification method, device, electronic equipment and storage medium to solve the defect of low accuracy of network traffic classification results in the prior art and achieve effective extraction of key position information of each byte of a byte sequence. Improve the classification accuracy of deep learning traffic classification models.

The present invention provides a network traffic classification method, including:

Divide the captured pcap file into a flow sequence, which consists of multiple traffic data packets;

Extract the byte characteristics of each traffic data packet from the flow sequence to obtain a byte sequence in units of flows;

Positionally encode each byte in the byte sequence, and input the encoded byte sequence into the traffic classification network model to obtain the traffic classification result output by the traffic classification network model; wherein, The traffic classification network model is trained based on samples in flow units and the traffic classification results corresponding to the samples.

According to a network traffic classification method provided by the present invention, dividing the captured pcap file into flow sequences includes:

The data packet flow in the pcap file is segmented based on the five-tuple to obtain a flow sequence; the five-tuple includes: source IP address, source port, destination IP address, destination port, and protocol number.

According to a network traffic classification method provided by the present invention, the byte characteristics of each traffic data packet are extracted from the flow sequence to obtain a byte sequence in units of flows, including:

Based on preset rules, a preset number of byte features of each traffic data packet are extracted from the flow sequence to obtain a byte sequence in units of flows.

According to a network traffic classification method provided by the present invention, position encoding each byte in the byte sequence includes:

Position encoding is performed on each byte in the byte sequence based on the following formula, and the position of each byte in the data packet is converted into a d-dimensional feature vector P _pos . The formula is:

P(pos,2i)＝sin(pos/m ^2i/d )

P(pos,2i+1)＝cos(pos/m ²ⁱ )

Among them, 2i, 2i+1∈[0,d-1] represents each channel of the generated position code, and m is a constant used to make the position of each byte correspond to a unique position code.

According to a network traffic classification method provided by the present invention, the traffic classification network model is composed of N autoencoder layers, N≥2, and the loss function of the traffic classification network model is:

Among them, h _i-1 is the input layer of the i-th autoencoder, and N is the number of samples in units of streams.

The present invention also provides a network traffic classification device, including:

The first processing module is used to segment the captured pcap file into a flow sequence, where the flow sequence is composed of multiple traffic data packets;

The second processing module is used to extract the byte characteristics of each traffic data packet from the flow sequence to obtain a byte sequence in units of flows;

The third processing module is used to perform position encoding on each byte in the byte sequence, and input the encoded byte sequence into the traffic classification network model to obtain the traffic output by the traffic classification network model. Classification results; wherein, the traffic classification network model is obtained after training based on samples in flow units and the traffic classification results corresponding to the samples.

According to a network traffic classification device provided by the present invention, the third processing module is specifically used for:

Position encoding is performed on each byte in the byte sequence based on the following formula, and the position of each byte in the data packet is converted into a d-dimensional feature vector P _pos . The formula is:

P(pos,2i)＝sin(pos/m ^2i/d )

P(pos,2i+1)＝cos(pos/m ²ⁱ )

Among them, 2i, 2i+1∈[0,d-1] represents each channel of the generated position code, and m is a constant used to make the position of each byte correspond to a unique position code.

The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements any of the above network traffic classifications. Method steps.

The present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the steps of any of the above network traffic classification methods are implemented.

The present invention also provides a computer program product, which includes a computer program. When the computer program is executed by a processor, the steps of any one of the above network traffic classification methods are implemented.

The network traffic classification method, device, electronic equipment and storage medium provided by the present invention divide the captured pcap file into a flow sequence, extract the byte characteristics of each flow data packet from the flow sequence, and obtain the word character in flow units. section sequence. Then, each byte in the byte sequence is position-encoded, and the encoded byte sequence is input into the traffic classification network model to obtain the traffic classification result output by the traffic classification network model; wherein, The traffic classification network model described above is obtained after training based on samples in flow units and the traffic classification results corresponding to the samples. The present invention extracts the byte characteristics of each traffic data packet from the original flow sequence, and obtains the byte sequence in flow units as the input of the traffic classification network model. Compared with the existing manual extraction of statistical characteristics of the flow, it not only reduces The scale of model input data fully exploits the time series characteristics of traffic data. In addition, the present invention separately performs position coding for each byte in the byte sequence, which can effectively extract the key position information of each byte in the byte sequence and improve the accuracy of traffic classification network model identification.

Description of the drawings

In order to explain the present invention or the technical solutions in the prior art more clearly, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings in the following description are of the present invention. For some embodiments of the invention, those of ordinary skill in the art can also obtain other drawings based on these drawings without exerting creative efforts.

Figure 1 is one of the flow diagrams of the network traffic classification method provided by the present invention;

Figure 2 is the second schematic flow chart of the network traffic classification method provided by the present invention;

Figure 3 is a schematic structural diagram of the network traffic classification device provided by the present invention;

Figure 4 is a schematic structural diagram of the electronic device provided by the present invention.

Detailed ways

In order to make the purpose, technical solutions and advantages of the present invention more clear, the technical solutions in the present invention will be clearly and completely described below in conjunction with the accompanying drawings of the present invention. Obviously, the described embodiments are part of the embodiments of the present invention. , not all examples. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without making creative efforts fall within the scope of protection of the present invention.

As shown in Figure 1, the network traffic classification method provided by the present invention includes:

Step 101: Divide the captured pcap file into a flow sequence, where the flow sequence is composed of multiple traffic data packets;

In this step, the pcap file of the application is first captured in the link connection, and the packet flow in the pcap file is divided according to the five-tuple to obtain a flow sequence composed of multiple packets.

Step 102: Extract the byte characteristics of each traffic data packet from the flow sequence to obtain a byte sequence in units of flows;

In this step, optionally, select the initial value M = 40 as the number of bytes used in each data packet (because the header is located at the header of the data packet, and the length of the public header of TCP is greater than the length of the header of UDP, which is 40 bytes ). In addition, considering that commonly used random port allocation and network address translation techniques may confuse the classification results, the present invention uses zeros to replace IP addresses and port numbers to avoid this effect. Therefore, the byte processing result of a single data packet is D={d ₁ ,...,d _i ,...,d _M }, where _di is the i-th (i<M) byte of the data packet, and the value range is [0,255], normalized so that the value range is [0,1]. For each sequence sample _fi in flow units, the byte sequence F _packet is as follows, with the size of N equal to the number of packets.

F _packet = {D ₁ , D ₂ , D ₃ ...D _N }, N = packet length of f _i

Step 103: Perform position encoding on each byte in the byte sequence, and input the encoded byte sequence into the traffic classification network model to obtain the traffic classification result output by the traffic classification network model; wherein , the traffic classification network model is obtained after training based on samples in flow units and the traffic classification results corresponding to the samples.

In this step, it should be noted that the data packet contains the IP header, transport layer header and payload. Bytes in different positions often represent different meanings and influence each other. For example, the "version" in the IP header determines whether the length of the "source IP address" is 4 bytes (IPv4) or 16 bytes (IPv6). Therefore, when applications exchange information through well-formed headers, the location factor of the information is very important and cannot be ignored. Therefore, when the present invention uses a traffic classification network model to analyze the characteristics of data packets, it first performs position coding on each byte of the data packet to improve the accuracy of subsequent traffic identification.

In this step, after completing the position encoding of each byte, the encoded byte sequence is input into the traffic classification network model and the traffic classification result is output. Among them, the traffic classification network model consists of N autoencoder layers, N≥2, which can automatically extract latent features. The autoencoder is an unsupervised neural network model that can learn the hidden features of the input data, which is called coding. At the same time, the new features learned can be used to reconstruct the original input data, which is called coding. decoding. The softmax classifier layer is connected to the last layer of the traffic classification network model to generate traffic classification results.

The network traffic classification method provided by the present invention divides the captured pcap file into a flow sequence, extracts the byte characteristics of each traffic data packet from the flow sequence, and obtains a byte sequence in units of flows. Then each byte in the byte sequence is position-encoded, and the encoded byte sequence is input into the traffic classification network model to output the traffic classification result. The present invention extracts the byte characteristics of each traffic data packet from the original flow sequence, and obtains the byte sequence in flow units as the input of the traffic classification network model. Compared with the existing manual extraction of statistical characteristics of the flow, it not only reduces The scale of model input data fully exploits the time series characteristics of traffic data. In addition, the present invention separately performs position coding for each byte in the byte sequence, which can effectively extract the key position information of each byte in the byte sequence and improve the accuracy of traffic classification network model identification.

Based on the content of the above embodiment, in this embodiment, dividing the captured pcap file into flow sequences includes:

The data packet flow in the pcap file is segmented based on the five-tuple to obtain a flow sequence; the five-tuple includes: source IP address, source port, destination IP address, destination port, and protocol number.

In this embodiment, the flow sequence is used as the only original traffic classification unit to classify the encrypted traffic into specific applications. The original stream can be represented as multiple sequences with the same stream length and different types (such as message type sequence and packet length sequence). In the present invention, the original traffic set P in the pcap file is divided into a plurality of subset sets F = {f ¹ ,..., ^fi ,..., f ^m }, m is the number of subsets divided by the original traffic, ^fi Indicates dividing the original traffic into any subflow among multiple subsets. The data packets in subflow ^fi = (xi ^, di ^{, ti} ) are arranged in time order, where ^xi represents a five-tuple including source IP address, source port, destination IP address, destination port and protocol number; d ⁱ is the total transmission time of sub-flow ^fi ; t ⁱ is the time when the first packet of the packet stream in sub-flow ^fi starts to be transmitted.

Based on the content of the above embodiment, in this embodiment, the byte characteristics of each traffic data packet are extracted from the flow sequence to obtain a byte sequence in units of flows, including:

Based on preset rules, a preset number of byte features of each traffic data packet are extracted from the flow sequence to obtain a byte sequence in units of flows.

In this embodiment, optionally, the initial value M=40 is selected as the number of bytes used in each data packet (because the header is located at the header of the data packet, and the length of the public header of TCP is greater than the length of the header of UDP, which is 40 words. Festival). In addition, considering that commonly used random port allocation and network address translation techniques may confuse the classification results, the present invention uses zeros to replace IP addresses and port numbers to avoid this effect. Therefore, the byte processing result of a single data packet is D={d ₁ ,...,d _i ,...,d _M }, where _di is the i-th (i<M) byte of the data packet, and the value range is [0,255], normalized so that the value range is [0,1]. For each sequence sample _fi in flow units, the byte sequence F _packet is as follows, with the size of N equal to the number of packets.

F _packet = {D ₁ , D ₂ , D ₃ ...D _N }, N = packet length of f _i

It can be seen that the present invention intercepts the first 40 bytes of the flow data packet byte sequence, including part of the packet header as a representative feature, which not only reduces the scale of the input data of the traffic classification network model, but also fully exploits the timing characteristics of the traffic data.

Based on the content of the above embodiment, in this embodiment, position encoding of each byte in the byte sequence includes:

Position encoding is performed on each byte in the byte sequence based on the following formula, and the position of each byte in the data packet is converted into a d-dimensional feature vector P _pos . The formula is:

P(pos,2i)＝sin(pos/m ^2i/d )

P(pos,2i+1)＝cos(pos/m ²ⁱ )

Among them, 2i, 2i+1∈[0,d-1] represents each channel of the generated position code, and m is a constant used to make the position of each byte correspond to a unique position code.

In this embodiment, optionally, a trigonometric function is used to encode the position, and the position of each byte is converted into a d-dimensional vector P _pos :

P(pos,2i)＝sin(pos/10000 ^2i/d )

P(pos,2i+1)＝cos(pos/10000 ²ⁱ )

Among them, 2i, 2i+1∈[0,d-1] represents each channel of the generated position code, and setting the constant 10000 ensures that each position can correspond to a unique position code.

It can be seen that the present invention performs position coding on each byte in the byte sequence to fully mine the contextual key information contained in each byte in the data packet byte sequence. The present invention uses trigonometric function encoding to enable the traffic classification network The model can more easily learn to focus on relative byte positions, and it can output a unique encoding for each byte. Positional encoding enables the traffic classification network model to know the relative and absolute position information of each byte in the byte sequence.

Based on the content of the above embodiment, in this embodiment, the traffic classification network model is composed of N autoencoder layers, N≥2, and the loss function of the traffic classification network model is:

Among them, h _i-1 is the input layer of the i-th autoencoder, and N is the number of samples in units of streams.

In this embodiment, after the position encoding of each byte is completed, the encoded byte sequence is input into the traffic classification network model and the traffic classification result is output. Among them, the traffic classification network model consists of N autoencoder layers, N≥2, which can automatically extract latent features. The autoencoder is an unsupervised neural network model that can learn the hidden features of the input data, which is called coding. At the same time, the new features learned can be used to reconstruct the original input data, which is called coding. decoding. The softmax classifier layer is connected to the last layer of the traffic classification network model to generate traffic classification results. The present invention fully extracts higher-level information through multi-layer encoders and further improves classifier performance.

Specifically, for a single encoder, the input layer is where di _-1 is the dimension of the input layer h _i-1 , and the hidden layer is/> where _di is the dimension of the hidden layer. According to the following formula, the encoding process is: the input layer h _i-1 is mapped to the hidden layer h _i , and the decoding process is: the hidden layer h _i is mapped to the output layer/>

h _i =f(W _i,1 h _i-1 +b _i,1 )

where W _i,1 (d _i ×d _i-1 ) and W _i,2 (d _i-1 ×d _i ) are the weight matrices of the encoder and decoder, and is the bias vector, activation function f(·) and/> Usually the sigmoid function is used.

In a general sense, the i-th autoencoder attempts to reconstruct the input h _i-1 such that Be as similar as possible to h _i-1 . Therefore, the goal of the traffic classification network model is to make the reconstruction error as small as possible, and the loss function is as follows:

For stacked autoencoders, it is assumed that samples are input to a single encoder as raw data, and the resulting encoding features are reused as input to the next encoder. The stacked encoder is trained on a loss function and ultimately generates more abstract features. For the application identification task, in the last layer of the proposed traffic classification network model SAE (Stacked AutoEncoder), the softmax classifier layer is connected to generate traffic classification results.

It can be seen that, aiming at the problem of network encrypted traffic classification in the modern Internet environment, the present invention designs a network traffic data packet feature classification method based on improved position coding, intercepts the partial byte sequence of each data packet from the flow sequence, and processes The resulting byte sequence is encoded with a trigonometric function position, and the traffic classification network model SAE is used to extract representative features of the traffic data to improve the accuracy of the classification model. By position encoding the byte sequence, the present invention can effectively extract the key position information of each byte of the byte sequence, and significantly improve the accuracy of the deep learning traffic classification model.

The following is explained through specific examples:

Example 1:

In this embodiment, it should be noted that accurate traffic classification has become one of the prerequisites for advanced network management tasks, such as providing appropriate QoS (Quality of Service), anomaly detection, traffic pricing, etc. At the same time, the growing need for user privacy and data encryption has greatly increased the amount of encrypted traffic in today's Internet. Encryption programs convert raw data into a pseudo-random-like format with the goal of making it difficult to decrypt. The result is that encrypted data contains almost no discriminative patterns for identifying network traffic. Therefore, accurate classification of encrypted traffic has become a real challenge in modern networks. Additionally, existing network traffic classification methods, such as payload inspection as well as machine learning-based and statistics-based methods, require experts to extract patterns or features, a process that is error-prone, time-consuming, and costly. Finally, many Internet service providers block file sharing applications due to their high bandwidth consumption and copyright issues. To circumvent this problem, these applications use protocol embedding and obfuscation techniques to bypass traffic control systems, therefore identifying such applications is one of the most challenging tasks in network traffic classification.

The above-mentioned existing network traffic classification methods have the following shortcomings:

(1) Classify application traffic based on the byte distribution characteristics of the byte stream of load data packets. The process of generating byte distribution characteristics relies on a large amount of expert experience, which may cause deviations and lead to differences in classification results.

(2) Convert the packet payload data into a byte sequence. The byte sequence is then input into the one-dimensional neural network for training and feature extraction, and traffic classification is performed based on this. This method does not use the information in the header, which actually contains a lot of useful information. At the same time, the existing technology is classified based on data packets, and the scale of the classification unit is small, which is not suitable for flow-level traffic classification.

With the rapid development of network technology and encryption technology, network security issues have attracted more and more public attention. The scale of network encrypted traffic continues to increase, which brings huge challenges to network traffic classification. Combining machine learning algorithms with human design has become a mainstream method to solve this problem, but it requires a lot of manpower to extract and process features, which relies heavily on professional experience. However, the success of machine learning methods relies on the quality of hand-designed features. As the network traffic environment evolves toward fast-paced mobile traffic, such a process is impractical because it can neither be automated nor highly specialized. In recent years, deep learning methods have been applied in the field of encrypted traffic classification to achieve high-performance classifiers. Deep learning traffic classification methods allow training classifiers directly from input data by automatically extracting structured and complex feature representations, which is compared to traditional machine learning. The method has great advantages, but the deep learning method still has some problems. How to extract features from the original traffic data and use the deep learning model to accurately classify applications is a major problem faced by researchers in related fields.

In the present invention, the data packet characteristics of the flow are extracted based on the original stream as the basic classification unit, and the data packet byte sequence is converted using position coding to retain the position information of the bytes during the process of extracting the data packet characteristics. The present invention uses the stacked autoencoder SAE as a classification model to extract higher-level flow packet features to make application classification more accurate.

As shown in Figure 2, a network traffic classification method provided by the present invention includes:

Step 201: Extract the representative byte sequence of each traffic data packet from the flow sequence;

In this step, network traffic monitoring software is first used to capture a series of traffic packets generated during application use in real time and continuously and store them in internal or external memory in real time. Then convert the original traffic into a flow sequence and segment the original packet flow according to the source IP address, source port, destination IP address, destination port and protocol number, and extract the first 40 bytes of each packet from the flow sequence for normalization deal with.

Step 202: Positionally encode each byte in the byte sequence, and use the stacked autoencoder SAE to analyze the byte sequence;

In this step, a traffic classification network model based on position coding and SAE is established. First, position encoding is performed on each byte of the data packet, and then the encoded byte sequence is input into the SAE encoder for analysis. The SAE architecture used in the present invention consists of three fully connected layers stacked on top of each other, consisting of 64, 32, and 16 neurons respectively. To prevent overfitting problems, a random dropout rate of 0.05 is adopted after each layer.

Step 203: Output the traffic application classification results through the trained SAE model.

In this step, the stacked encoder SAE is trained, and the model is finally connected to the softmax layer to output the classification results. Some traffic classification results are shown in Table 1 below.

Table 1

The traffic classification device provided by the present invention will be described below. The traffic classification device described below and the traffic classification method described above can be referenced correspondingly.

As shown in Figure 3, the network traffic classification device provided by the present invention includes:

The first processing module 1 is used to segment the captured pcap file into a flow sequence, where the flow sequence is composed of multiple traffic data packets;

The second processing module 2 is used to extract the byte characteristics of each traffic data packet from the flow sequence to obtain a byte sequence in units of flows;

The third processing module 3 is used to perform position encoding on each byte in the byte sequence, and input the encoded byte sequence into the traffic classification network model to obtain the output of the traffic classification network model. Traffic classification results; wherein, the traffic classification network model is obtained after training based on samples in flow units and traffic classification results corresponding to the samples.

In this embodiment, the pcap file of the application is first captured in the link connection, and the data packet flow in the pcap file is divided according to five-tuple to obtain a flow sequence composed of multiple data packets.

In this embodiment, optionally, the initial value M=40 is selected as the number of bytes used in each data packet (because the header is located at the header of the data packet, and the length of the public header of TCP is greater than the length of the header of UDP, which is 40 words. Festival). In addition, considering that commonly used random port allocation and network address translation techniques may confuse the classification results, the present invention uses zeros to replace IP addresses and port numbers to avoid this effect. Therefore, the byte processing result of a single data packet is D={d ₁ ,...,d _i ,...,d _M }, where _di is the i-th (i<M) byte of the data packet, and the value range is [0,255], normalized so that the value range is [0,1]. For each sequence sample _fi in flow units, the byte sequence F _packet is as follows, with the size of N equal to the number of packets.

F _packet = {D ₁ , D ₂ , D ₃ ...D _N }, N = packet length of f _i

In this embodiment, it should be noted that the data packet includes an IP header, a transport layer header and a payload. Bytes in different positions often represent different meanings and influence each other. For example, the "version" in the IP header determines whether the length of the "source IP address" is 4 bytes (IPv4) or 16 bytes (IPv6). Therefore, when applications exchange information through well-formed headers, the location factor of the information is very important and cannot be ignored. Therefore, when the present invention uses a traffic classification network model to analyze the characteristics of data packets, it first performs position coding on each byte of the data packet to improve the accuracy of subsequent traffic identification.

In this embodiment, after the position encoding of each byte is completed, the encoded byte sequence is input into the traffic classification network model and the traffic classification result is output. Among them, the traffic classification network model consists of N autoencoder layers, N≥2, which can automatically extract latent features. The autoencoder is an unsupervised neural network model that can learn the hidden features of the input data, which is called coding. At the same time, the new features learned can be used to reconstruct the original input data, which is called coding. decoding. The softmax classifier layer is connected to the last layer of the traffic classification network model to generate traffic classification results.

The network traffic classification device provided by the present invention divides the captured pcap file into a flow sequence, extracts the byte characteristics of each traffic data packet from the flow sequence, and obtains a byte sequence in units of flows. Then each byte in the byte sequence is position-encoded, and the encoded byte sequence is input into the traffic classification network model to output the traffic classification result. The present invention extracts the byte characteristics of each traffic data packet from the original flow sequence, and obtains the byte sequence in flow units as the input of the traffic classification network model. Compared with the existing manual extraction of statistical characteristics of the flow, it not only reduces The scale of model input data fully exploits the time series characteristics of traffic data. In addition, the present invention separately performs position coding for each byte in the byte sequence, which can effectively extract the key position information of each byte in the byte sequence and improve the accuracy of traffic classification network model identification.

Figure 4 illustrates a schematic diagram of the physical structure of an electronic device. As shown in Figure 4, the electronic device may include: a processor (processor) 410, a communications interface (Communications Interface) 420, a memory (memory) 430 and a communication bus 440. Among them, the processor 410, the communication interface 420, and the memory 430 complete communication with each other through the communication bus 440. The processor 410 can call logical instructions in the memory 430 to perform a network traffic classification method, which method includes: dividing the captured pcap file into a flow sequence, the flow sequence is composed of a plurality of traffic data packets; from the flow Extract the byte characteristics of each traffic data packet in the sequence to obtain a byte sequence in units of streams; perform position encoding on each byte in the byte sequence, and input the encoded byte sequence into the traffic flow In the classification network model, the traffic classification results output by the traffic classification network model are obtained; wherein the traffic classification network model is obtained after training based on samples in flow units and the traffic classification results corresponding to the samples.

In addition, the above-mentioned logical instructions in the memory 430 can be implemented in the form of software functional units and can be stored in a computer-readable storage medium when sold or used as an independent product. Based on this understanding, the technical solution of the present invention essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in various embodiments of the present invention. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program code. .

On the other hand, the present invention also provides a computer program product. The computer program product includes a computer program. The computer program can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can Executing the network traffic classification method provided by each of the above methods, the method includes: dividing the captured pcap file into a flow sequence, the flow sequence is composed of multiple traffic data packets; extracting each traffic data packet from the flow sequence The byte characteristics of the byte sequence are obtained to obtain a byte sequence in units of streams; perform position encoding on each byte in the byte sequence, and input the encoded byte sequence into the traffic classification network model to obtain the The traffic classification result output by the traffic classification network model; wherein, the traffic classification network model is obtained after training based on samples in flow units and the traffic classification results corresponding to the samples.

In another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored. The computer program is implemented when executed by a processor to perform the network traffic classification method provided by each of the above methods. The method includes : Divide the captured pcap file into a flow sequence, which is composed of multiple traffic data packets; extract the byte characteristics of each traffic data packet from the flow sequence to obtain a byte sequence in units of flows; Positionally encode each byte in the byte sequence, and input the encoded byte sequence into the traffic classification network model to obtain the traffic classification result output by the traffic classification network model; wherein, The traffic classification network model is trained based on samples in flow units and the traffic classification results corresponding to the samples.

The device embodiments described above are only illustrative. The units described as separate components may or may not be physically separated. The components shown as units may or may not be physical units, that is, they may be located in One location, or it can be distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. Persons of ordinary skill in the art can understand and implement the method without any creative effort.

Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and of course, it can also be implemented by hardware. Based on this understanding, the part of the above technical solution that essentially contributes to the existing technology can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., including a number of instructions to cause a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the methods described in various embodiments or certain parts of the embodiments.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that it can still be used Modifications are made to the technical solutions described in the foregoing embodiments, or equivalent substitutions are made to some of the technical features; however, these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. A method for classifying network traffic, comprising:

capturing a pcap file of an application program in link connection, segmenting a data packet stream in the pcap file according to five-tuple, and taking an original stream as a basic classification unit to obtain a stream sequence consisting of a plurality of data packets, wherein the stream sequence consists of a plurality of flow data packets;

extracting byte characteristics of each flow data packet from the flow sequence to obtain a byte sequence taking the flow as a unit;

position coding is carried out on each byte in the byte sequence, and the coded byte sequence is input into a flow classification network model to obtain a flow classification result output by the flow classification network model; the flow classification network model is obtained after training based on a sample taking a flow as a unit and a flow classification result corresponding to the sample;

the performing position coding on each byte in the byte sequence comprises the following steps:

position encoding is performed on each byte in the byte sequence based on the following formula, and the position of each byte in a data packet is converted into a d-dimensional feature vector P _pos The formula is as follows:

P(pos，2i)＝sin(pos/m ^2i/d )

P(pos，2i+1)＝cos(pos/m ²ⁱ )

wherein 2i,2i+1 ε [0, d-1], represent each channel of the generated position code, m is a constant for making the position of each byte correspond to a unique position code.

2. The method of classifying network traffic according to claim 1, wherein,

the five-tuple comprises: source IP address, source port, destination IP address, destination port, and protocol number.

3. The network traffic classification method according to claim 1, wherein extracting byte characteristics of each traffic packet from the stream sequence to obtain a byte sequence in stream units comprises:

and extracting the byte characteristics of the preset quantity of each flow data packet from the flow sequence based on a preset rule to obtain a byte sequence taking the flow as a unit.

4. The network traffic classification method according to claim 1, wherein the traffic classification network model is composed of N automatic encoder layers, N is equal to or greater than 2, and the loss function of the traffic classification network model is:

wherein h is _i-1 For the input layer of the i-th auto-encoder, N is the number of samples in stream units.

5. A network traffic classification device, comprising:

the first processing module is used for capturing a pcap file of an application program in link connection, segmenting a data packet stream in the pcap file according to a five-tuple, taking an original stream as a basic classification unit, and obtaining a stream sequence consisting of a plurality of data packets, wherein the stream sequence consists of a plurality of flow data packets;

the second processing module is used for extracting byte characteristics of each flow data packet from the flow sequence to obtain a byte sequence taking the flow as a unit;

the third processing module is used for carrying out position coding on each byte in the byte sequence, inputting the coded byte sequence into a flow classification network model and obtaining a flow classification result output by the flow classification network model; the flow classification network model is obtained after training based on a sample taking a flow as a unit and a flow classification result corresponding to the sample; the third processing module is specifically configured to: position encoding is performed on each byte in the byte sequence based on the following formula, and the position of each byte in a data packet is converted into a d-dimensional feature vector P _pos The formula is as follows:

P(pos，2i)＝sin(pos/m ^2i/d )

P(pos，2i+1)＝cos(pos/m ²ⁱ )

wherein 2i,2i+1 ε [0, d-1], represent each channel of the generated position code, m is a constant for making the position of each byte correspond to a unique position code.

6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the network traffic classification method according to any of claims 1 to 4 when the program is executed.

7. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the network traffic classification method according to any of claims 1 to 4.