
CN118158167A - Method, device, electronic device and storage medium for identifying small-category business traffic - Google Patents


Publication number
CN118158167A
Authority
CN
China
Prior art keywords
target
address information
traffic
service
subclass
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211566771.8A
Other languages
Chinese (zh)
Inventor
吕丹丹
刘遂江
王莉莉
李程
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Henan Co Ltd
Priority to CN202211566771.8A
Publication of CN118158167A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method and a device for identifying small-category service traffic, an electronic device and a storage medium. It belongs to the technical field of traffic identification and is used to identify service traffic accurately. The method comprises the following steps: collecting traffic data to be identified; obtaining, according to the target address information of the traffic data, the target traffic data corresponding to each piece of target address information; obtaining the target small-category service corresponding to each piece of target address information according to a pre-acquired small-category service identification library, wherein the small-category service identification library comprises the correspondence between address information and small-category services; and obtaining the traffic of each target small-category service in the traffic data according to the target traffic data corresponding to each piece of target address information and the target small-category service corresponding to each piece of target address information.

Description

Method, device, electronic device and storage medium for identifying small-category business traffic

Technical Field

The present application belongs to the technical field of traffic identification, and specifically relates to a method, device, electronic device and storage medium for identifying small-category service traffic.

Background

With the rapid spread of broadband services and smart products, operators need a reliable and efficient network service traffic monitoring system to monitor and analyze, in real time, the volume and direction of their network traffic, its quality, and the services the network carries. The common means of Internet traffic monitoring today are deep packet inspection technology and network traffic detection system technology. Deep packet inspection is an application-layer traffic detection and control technology that can identify services.

However, as encryption technology develops, more and more of the traffic that services exchange over the Internet Protocol is encrypted, and the proportion of data flows that cannot be identified is gradually increasing. The traffic collection system of a network traffic detection system can monitor fixed-network and mobile-network traffic across an entire province based on the Internet Protocol five-tuple, but it lacks accurate identification of service traffic.

Summary of the Invention

The embodiments of the present application provide a method, device, electronic device and storage medium for identifying small-category service traffic, which can solve the problem of accurately identifying small-category service traffic.

In a first aspect, an embodiment of the present application provides a method for identifying small-category service traffic, comprising: collecting traffic data to be identified; obtaining, according to the target address information of the traffic data, the target traffic data corresponding to each piece of target address information; obtaining the target small-category service corresponding to each piece of target address information according to a pre-acquired small-category service identification library, wherein the small-category service identification library includes the correspondence between address information and small-category services; and obtaining the traffic of each target small-category service in the traffic data according to the target traffic data corresponding to each piece of target address information and the target small-category service corresponding to each piece of target address information.

In a second aspect, an embodiment of the present application provides a device for identifying small-category service traffic, including: a collection module for collecting traffic data to be identified; a first acquisition module for obtaining, according to the target address information of the traffic data, the target traffic data corresponding to each piece of target address information; a second acquisition module for obtaining the target small-category service corresponding to each piece of target address information according to a pre-acquired small-category service identification library, wherein the small-category service identification library includes the correspondence between address information and small-category services; and a third acquisition module for obtaining the traffic of each target small-category service in the traffic data according to the target traffic data corresponding to each piece of target address information and the target small-category service corresponding to each piece of target address information.

In a third aspect, an embodiment of the present application provides an electronic device comprising a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps of the method for identifying small-category service traffic described in the first aspect.

In a fourth aspect, an embodiment of the present application provides a readable storage medium on which a program or instructions are stored. When the program or instructions are executed by a processor, the steps of the method for identifying small-category service traffic described in the first aspect are implemented.

In a fifth aspect, an embodiment of the present application provides a chip comprising a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run a program or instructions to implement the method for identifying small-category service traffic described in the first aspect.

In the embodiments of the present application, the target traffic data for the target address information of the traffic data is obtained and, using the correspondence between address information and small-category services, the target small-category service corresponding to each piece of target address information, and the target traffic data corresponding to that target small-category service, the traffic of each target small-category service in the traffic data is obtained, so that small-category service traffic can be identified accurately.

Brief Description of the Drawings

FIG. 1 is a schematic flow chart of a method for identifying small-category service traffic provided in an embodiment of the present application;

FIG. 2 is a schematic flow chart of obtaining the traffic of a target small-category service in an embodiment of the present application;

FIG. 3a is a schematic flow chart of the method for identifying small-category service traffic provided in an embodiment of the present application;

FIG. 3b is another schematic flow chart of the method for identifying small-category service traffic provided in an embodiment of the present application;

FIG. 4a is a schematic diagram of a correspondence between small-category services and IP addresses in an embodiment of the present application;

FIG. 4b is a schematic diagram of determining a traffic change trend in an embodiment of the present application;

FIG. 5 is a schematic flow chart of a device for identifying small-category service traffic provided in an embodiment of the present application;

FIG. 6 is a schematic diagram of the structure of an electronic device according to an embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application, without creative work, fall within the scope of protection of the present application.

The terms "first", "second", etc. in the specification and claims of this application are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that data used in this way are interchangeable where appropriate, so that the embodiments of the present application can be implemented in an order other than those illustrated or described here. The objects distinguished by "first", "second", etc. are generally of one type, and their number is not limited; for example, the first object can be one or more. In addition, "and/or" in the specification and claims denotes at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the objects before and after it.

The method, device, electronic device and storage medium for identifying small-category service traffic provided by the embodiments of the present application are described in detail below through specific embodiments and their application scenarios, with reference to the accompanying drawings.

FIG. 1 shows a method for identifying small-category service traffic provided by an embodiment of the present invention. The method can be executed by an electronic device, which may include a terminal device such as a computer terminal or a mobile phone terminal. In other words, the method can be executed by software or hardware installed on the terminal device. The method includes the following steps:

Step 101: Collect traffic data to be identified.

In one embodiment, the traffic data to be identified can be collected by the data collection program of a network traffic detection (NetFlow) system. The embodiments of the present application place no specific limitation on how the traffic data is collected.

Step 102: According to the target address information of the traffic data, obtain the target traffic data corresponding to each piece of target address information.

For example, the target traffic data corresponding to the target address information can be obtained from the target address information of the traffic data collected by the NetFlow system. The target address information is a field related to the target traffic data, and there can be one or more pieces of target address information; this is not specifically limited in the embodiments of the present application.

Step 103: According to the pre-acquired small-category service identification library, obtain the target small-category service corresponding to each piece of target address information, wherein the small-category service identification library includes the correspondence between address information and small-category services.

For example, the small-category service identification library can be used to match, in the NetFlow system, the target small-category service corresponding to the target address information, so that each target small-category service is paired with its target address information and, in turn, with the traffic data of that target address information. Obtaining the target small-category service corresponding to each piece of target address information allows the target small-category services to be identified accurately, and the address information and small-category services in the small-category service identification library have the same kind of correspondence. The target address information can be independent target address information, corresponding to one target small-category service, or mixed target address information, corresponding to multiple target small-category services. Mixed target address information can be split to obtain each target small-category service within it. This is not specifically limited in the embodiments of the present application.

In the embodiments of the present application, small-category services can be divided according to specific needs. For example, they can be divided by application type into video services, audio services, and so on. They are not limited to this and can also be classified by service provider; the embodiments of the present application place no limitation on this.

Step 104: According to the target traffic data corresponding to each piece of target address information and the target small-category service corresponding to each piece of target address information, obtain the traffic of each target small-category service in the traffic data.

For example, the mixed target address information can be split in the NetFlow system so that the traffic of each target small-category service in the traffic data is identified accurately. This forms a correspondence between the mixed target address information, the target small-category services, and the target traffic data, and gives the traffic of each target small-category service within the mixed target address information. Adding the traffic of the target small-category services that correspond to independent target address information then yields an accurate figure for small-category service traffic. In the embodiments of the present application, the type of target address information is not specifically limited and can be chosen according to the specific application.

In the embodiments of the present application, the target traffic data for the target address information of the traffic data is obtained and, using the correspondence between address information and small-category services, the target small-category service corresponding to each piece of target address information, and the target traffic data corresponding to that target small-category service, the traffic of each target small-category service in the traffic data is obtained, so that small-category service traffic can be identified accurately.

In one embodiment, the following steps are also included before step 101:

Obtain the full domain name information and the address information of the small-category service from the Deep Packet Inspection (DPI) system; obtain, according to the full domain name information, the full address information corresponding to the small-category service; and establish the small-category service identification library, wherein the address information corresponding to the small-category service in the library is the union of the address information of the small-category service obtained from the DPI system and the full address information corresponding to the small-category service. The full domain name information and address information (for example, IP addresses) of each small-category service are obtained through the DPI system, the full address information corresponding to the full domain name information is then obtained, and the union of this full address information and the address information from the DPI system is taken. This ensures that all address information corresponding to each small-category service can be obtained, which improves the accuracy of subsequent traffic identification.

For example, the service identification codes in the Extended Detection and Response (XDR) underlying identification detail records of the DPI system can be used to identify and match the full domain name information and the address information of the small-category service; the identification codes are not specifically limited. Then, according to the full domain name information, the full address information corresponding to the small-category service is resolved from the Domain Name System (DNS), and the small-category service identification library is established from the full address information and the address information. The address information corresponding to the small-category service in the library is the union of the address information of the small-category service obtained from the DPI system and the full address information corresponding to the small-category service. The small-category service identification library can then be used to match small-category services with the traffic of their associated address information.

In one embodiment, as shown in FIG. 2, step 104 may include the following steps:

Step 201: According to the traffic change corresponding to first target address information, obtain the traffic change rule of the first target small-category service, wherein the first target address information is the target address information, among the multiple pieces of target address information, that corresponds only to the first target small-category service, and the first target small-category service is any one of the multiple target small-category services.

For example, the target address information that corresponds only to the first target small-category service, among the multiple pieces of target address information, can be taken as the first target address information, and any one of the multiple target small-category services can be taken as the first target small-category service. The change in the traffic corresponding to the first target address information over at least one first predetermined time period Xt1 is obtained and recorded as ΔX. From this change ΔX, the traffic change rule of the first target small-category service is obtained as ΔX/Xt1, which makes it possible to predict the traffic of the first target small-category service. The embodiments of the present application place no specific limitation on the choice of the preset time period, which can be selected as needed.

Step 202: According to the traffic change rule of the first target small-category service, obtain the first traffic occupied by the target small-category service in the traffic corresponding to second target address information, wherein the second target address information is the target address information, among the multiple pieces of target address information, that corresponds to the first target small-category service and at least one second target small-category service, and the second target small-category service is a target small-category service, among the multiple target small-category services, other than the first target small-category service.

For example, the target address information that corresponds to the first target small-category service and at least one second target small-category service, among the multiple pieces of target address information, is the second target address information, and the target small-category services other than the first target small-category service are taken as second target small-category services. Suppose the first change in the traffic corresponding to the second target address information over the second predetermined time period Xt2 is MT2. From the traffic change rule ΔX/Xt1 of the first target small-category service, the change rule ΔY/Yt1 of the second target small-category service, and the first change MT2, the second change Xm in the traffic of the first target small-category service over the second predetermined time period can be obtained. The ratio of the second change to the first change is then Xm/MT2. If the traffic currently corresponding to the second target address information is M, the first traffic of the first target small-category service is M*Xm/MT2. The first traffic gives an accurate figure for the traffic occupied by the target small-category service in the traffic corresponding to the second target address information. The specific calculation method is not specifically limited in the embodiments of the present application.

Optionally, the second preset time period may be a time period that overlaps the first preset time period, that is, the second preset time period and the first preset time period are the same time period. Within the same period, the traffic trend of a small-category service on its independent IPs is quite likely to match the trend of that service's traffic on mixed IPs. Therefore, when the second preset time period is the same as the first preset time period, the identified small-category service traffic is more accurate.

Step 203: According to the traffic corresponding to the first target address information and the first traffic, obtain the target traffic of the first target small-category service in the traffic data.

With the first traffic obtained by the calculation described in the above embodiment, the target traffic of the first target small-category service in the traffic data can be obtained accurately from the traffic corresponding to the first target address information and the first traffic. That is, the target traffic of the first target small-category service is the sum of the traffic corresponding to the first target address information and the traffic of the first target small-category service within the traffic corresponding to each piece of second target address information.

In the embodiments of the present application, the target traffic data for the target address information of the traffic data is obtained and, using the correspondence between address information and small-category services, the target small-category service corresponding to each piece of target address information, and the target traffic data corresponding to that target small-category service, the traffic of each target small-category service in the traffic data is obtained, so that small-category service traffic can be identified accurately.

The method for identifying small-category service traffic provided by the embodiments of the present application is described below through a specific embodiment.

FIG. 3a shows a schematic flow chart of the method for identifying small-category service traffic in an embodiment of the present application, and FIG. 3b shows another schematic flow chart of the method. As shown in FIG. 3a and FIG. 3b:

In process one, a small-category service identification library can be formed from the XDR detail records of the DPI system. Optionally, the full domain name information and IP address information of a small-category service can be identified by matching the major-category and small-category service identification codes in the XDR underlying identification detail records of the DPI identification system. The full set of IP addresses of the small-category service can then be resolved from the provincial network DNS system according to the service's full domain names, and the union of this full set of IP addresses and the IP addresses in the DPI identification list is taken to form a small-category service identification library of "small-category service name" plus full "IP".

Process two: introduce the small-category service identification library into the NetFlow system. The new small-category service identification library formed in the DPI system is introduced into the NetFlow system. With a configuration of "small-category service name + IP five-tuple" (for example, the IP addresses in the small-category service identification library can be converted into IP five-tuple form), the NetFlow system can match the traffic volume and direction of small-category services and their associated IPs.

Process three: when the NetFlow system identifies the traffic of each small-category service in the traffic data, it can query the small-category service identification library with the IP addresses contained in the traffic data, obtain the small-category service corresponding to each IP address, and then classify the IP type for each small-category service. There are two cases for the association between IP addresses and small-category services: ① independent IP, where one IP address corresponds to only one small-category service; ② mixed IP, where one IP address corresponds to multiple small-category services. For example, assuming the small-category services corresponding to the IP addresses in the traffic data are as shown in the left half of FIG. 4a, matching the IP address types gives the independent IPs and mixed IPs corresponding to each small-category service: the independent IPs corresponding to small-category service X include IP1, the independent IPs corresponding to small-category service Y include IP3, the independent IPs corresponding to small-category service Z include IPx, the mixed IPs corresponding to small-category service X include IP2, and so on.

Process 4: calculate the trend of the service traffic on the independent IP addresses of each subclass service over the time Δt. For an independent IP of the target subclass service, that is, an IP address that corresponds to a single subclass service, all traffic on that IP address belongs to that subclass service. For a mixed IP of the target subclass service, that is, an IP address that corresponds to multiple subclass services, the traffic on that IP address is the total traffic of all subclass services corresponding to the mixed IP. In the embodiments of the present application, the traffic of each subclass service within the total traffic of the mixed IP needs to be identified.

Analysis shows that, over the same period, the traffic trend of a subclass service on its independent IPs is basically the same as the traffic trend of that service on mixed IPs. Therefore, the traffic on the independent IPs of a subclass service can be used to obtain the trend of that subclass service over a given period, and that trend can then be applied to the mixed IPs of the subclass service to obtain the traffic change attributable to the subclass service on the mixed IP, and from that the traffic of the subclass service on the mixed IP.

Specifically, for the independent IPs of the target subclass service, the change in independent-IP traffic can be calculated: the same times T1 and T2 are chosen at random for the independent IPs of the subclass services, and the independent-IP traffic changes ΔX, ΔY, ΔZ, ... from T1 to T2 are calculated, giving the independent-IP traffic trends ΔA/ΔT, ΔB/ΔT, ... from T1 to T2. For example, for subclass services X, Y and Z in Figure 4a, as shown in Figure 4b, at time T1 the traffic on the independent IPs of subclass services X, Y and Z is Xt1, Yt1 and Zt1 respectively, and at time T2 it is Xt2, Yt2 and Zt2 respectively. From T1 to T2, the changes in independent-IP traffic for subclass services X, Y and Z are therefore ΔX=Xt2-Xt1, ΔY=Yt2-Yt1 and ΔZ=Zt2-Zt1, and the corresponding trends of subclass services X, Y and Z are ΔX/Δt, ΔY/Δt and ΔZ/Δt, where Δt=T2-T1.

Process 5: from the composition of the mixed-IP traffic of the subclass services and the change in service traffic on the independent IP addresses of each subclass service over the time Δt, use equations to calculate the specific traffic of each subclass service contained in the mixed IP.

In the embodiments of the present application, mixed-IP traffic is split as follows. Because the independent-IP traffic trend of a subclass service is the same as the trend of that service's traffic on a mixed IP over the same period, the components of the mixed-IP traffic are denoted Xm, Ym, Zm, ... according to the number and names of the subclass services that make up the mixed-IP traffic. Given the independent-IP traffic changes of the subclass services between T1 and T2 and the change MT2 in the mixed-IP traffic of the multiple services at time T2, the following equations are solved to calculate the traffic changes Xm, Ym and Zm.

Here, Mt2 is the traffic change of one mixed IP over the time Δt, and Mt4 is the traffic change of another mixed IP over the time Δt.

Once the traffic change of each subclass service on each mixed IP over the time Δt has been obtained, the traffic of a subclass service on each mixed IP at time T1 or T2 can be obtained. For example, if at time T1 the traffic of a mixed IP is M, its traffic change is MT2, and the change of a subclass service is Xm, then the traffic that subclass service occupies on that mixed IP is M*Xm/MT2.

Process 6: following the steps above, add the traffic on the independent IPs of the subclass service to the traffic of that subclass service on the mixed IPs to obtain the precise traffic of the subclass service.
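The following Python sketch walks through Processes 3 to 6 on constructed data; it is an added example, not code from the patent. The equations for Process 5 are not reproduced in the text, so splitting a mixed IP's change Mt2 in proportion to each subclass's independent-IP change is an assumption, as are all function names, addresses and byte counts.

```python
from collections import defaultdict

# Constructed identification library: subclass service -> IP addresses.
LIBRARY = {
    "X": {"10.0.0.1", "10.0.0.2"},
    "Y": {"10.0.0.3", "10.0.0.2"},
    "Z": {"10.0.0.9", "10.0.0.7"},
    "W": {"10.0.0.7"},            # W has no independent IP at all
}
# Constructed per-IP byte counts at T1 and T2.
TRAFFIC_T1 = {"10.0.0.1": 100, "10.0.0.2": 300, "10.0.0.3": 200,
              "10.0.0.9": 50, "10.0.0.7": 80}
TRAFFIC_T2 = {"10.0.0.1": 160, "10.0.0.2": 400, "10.0.0.3": 240,
              "10.0.0.9": 55, "10.0.0.7": 90}


def classify_ips(library):
    """Process 3: independent IPs map to one subclass, mixed IPs to several."""
    ip_to_subs = defaultdict(set)
    for sub, ips in library.items():
        for ip in ips:
            ip_to_subs[ip].add(sub)
    independent = {ip: next(iter(s)) for ip, s in ip_to_subs.items() if len(s) == 1}
    mixed = {ip: sorted(s) for ip, s in ip_to_subs.items() if len(s) > 1}
    return independent, mixed


def independent_deltas(independent, t1, t2):
    """Process 4: change per subclass on its independent IPs between T1 and T2.
    Delta-t is the same for every subclass, so the deltas stand in for the trends."""
    deltas = defaultdict(float)
    for ip, sub in independent.items():
        deltas[sub] += t2.get(ip, 0) - t1.get(ip, 0)
    return dict(deltas)


def split_mixed_ip(subs, deltas, m, mt2):
    """Process 5 for one mixed IP carrying traffic m with change mt2.
    Returns {subclass: traffic} or None when the split is not determined."""
    if mt2 == 0 or any(s not in deltas for s in subs):
        return None               # no change to apportion, or a subclass has no trend
    ds = [deltas[s] for s in subs]
    total = sum(ds)
    same_sign = all(d >= 0 for d in ds) or all(d <= 0 for d in ds)
    if total == 0 or not same_sign:
        return None               # proportional shares would be undefined or negative
    shares = {}
    for s in subs:
        xm = mt2 * deltas[s] / total      # ASSUMPTION: Xm : Ym = delta-X : delta-Y
        shares[s] = m * xm / mt2          # formula from the text: M * Xm / MT2
    return shares


def subclass_traffic(library, t1, t2):
    """Process 6: independent-IP traffic plus the share on each mixed IP, at T2."""
    independent, mixed = classify_ips(library)
    deltas = independent_deltas(independent, t1, t2)
    totals = defaultdict(float)
    for ip, sub in independent.items():
        totals[sub] += t2.get(ip, 0)
    unresolved = []
    for ip, subs in mixed.items():
        m_t1, m_t2 = t1.get(ip, 0), t2.get(ip, 0)
        shares = split_mixed_ip(subs, deltas, m_t2, m_t2 - m_t1)
        if shares is None:
            unresolved.append(ip)         # report instead of guessing a split
            continue
        for sub, value in shares.items():
            totals[sub] += value
    return dict(totals), sorted(unresolved)


if __name__ == "__main__":
    totals, unresolved = subclass_traffic(LIBRARY, TRAFFIC_T1, TRAFFIC_T2)
    print(totals, unresolved)
```

A mixed IP whose subclasses lack an independent IP, or whose independent-IP changes cancel or differ in sign, is returned as unresolved, because the trend-based split gives no usable ratio there.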

It should be noted that the method for identifying subclass service traffic provided in the embodiments of the present application may be executed by a device for identifying subclass service traffic, or by a control module in that device that executes the method for identifying subclass service traffic. In the embodiments of the present application, the device for identifying subclass service traffic is described taking as an example the case where that device executes the method for identifying subclass service traffic.

Figure 5 is a schematic structural diagram of a device for identifying subclass service traffic according to an embodiment of the present invention. As shown in Figure 5, the device for identifying subclass service traffic includes a collection module 301, a first acquisition module 302, a second acquisition module 303 and a third acquisition module 304. The collection module 301 is used to collect the traffic data to be identified. The first acquisition module 302 is used to obtain, according to the target address information of the traffic data, the target traffic data corresponding to each piece of target address information. The second acquisition module 303 obtains, according to a pre-acquired subclass service identification library, the target subclass service corresponding to each piece of target address information, where the subclass service identification library includes the correspondence between address information and subclass services. The third acquisition module 304 is used to obtain the traffic of each target subclass service in the traffic data according to the target traffic data corresponding to each piece of target address information and the target subclass service corresponding to each piece of target address information.

In one embodiment, the device further includes a module for establishing the subclass service identification library, which is used to: obtain the full domain name information and the address information of the subclass service from a deep address identification DPI system; obtain the full address information corresponding to the subclass service according to the full domain name information; and establish the subclass service identification library, where the address information corresponding to the subclass service in the subclass service identification library is the union of the address information of the subclass service obtained from the DPI system and the full address information corresponding to the subclass service.

In one embodiment, the third acquisition module is used to: obtain the traffic change rule of the first target subclass service according to the traffic change corresponding to first target address information, where the first target address information is the target address information, among the multiple pieces of target address information, that corresponds only to the first target subclass service, and the first target subclass service is any one of the multiple target subclass services; obtain, according to the traffic change rule of the first target subclass service, the first traffic occupied by the target subclass service in the traffic corresponding to second target address information, where the second target address information is the target address information, among the multiple pieces of target address information, that corresponds to the first target subclass service and at least one second target subclass service, and the second target subclass service is a target subclass service, among the multiple target subclass services, other than the first target subclass service; and obtain the target traffic of the first target subclass service in the traffic data according to the traffic corresponding to the first target address information and the first traffic.

In one embodiment, the first target subclass service traffic change rule module is used to: obtain the change, over at least one first predetermined time period, of the traffic corresponding to the first target address information; and obtain the traffic change rule of the first target subclass service according to the change of the traffic corresponding to the first target address information.

In one embodiment, the first traffic acquisition module is used to: obtain a first change amount, over a second predetermined time period, of the traffic corresponding to the second target address information; obtain a second change amount of the traffic of the first target subclass service over the second predetermined time period according to the traffic change rule of the first target subclass service, the change rule of the second target subclass service, and the first change amount; obtain the ratio of the second change amount to the first change amount; and obtain the first traffic, where the first traffic is the product of the traffic corresponding to the second target address information and the ratio.

In one embodiment, the information acquisition module is used to: obtain, by identification matching, the full domain name information and the address information of the subclass service according to the service identification codes in the extensible threat detection and response (XDR) bottom-layer identification detail records of the DPI system.

In one embodiment, the full address information acquisition module is used to: resolve, from the Domain Name System (DNS) and according to the full domain name information, the full address information corresponding to the subclass service.

The device for identifying subclass service traffic in the embodiments of the present application may be a standalone device, or a component, integrated circuit or chip in a terminal. The device may be a mobile electronic device or a non-mobile electronic device. By way of example, the mobile electronic device may be a mobile phone, tablet computer, laptop computer, palmtop computer, in-vehicle electronic device, wearable device, ultra-mobile personal computer (UMPC), netbook or personal digital assistant (PDA), and the non-mobile electronic device may be a server, network attached storage (NAS), personal computer (PC), television (TV), teller machine or self-service machine; the embodiments of the present application impose no specific limitation.

The device for identifying subclass service traffic in the embodiments of the present application may be a device with an operating system. The operating system may be the Android operating system, the iOS operating system, or another possible operating system; the embodiments of the present application impose no specific limitation.

The device for identifying subclass service traffic provided in the embodiments of the present application can implement each process implemented in the method embodiments of Figures 1 to 2; to avoid repetition, they are not described again here.

Based on the same technical concept, the embodiments of the present application also provide an electronic device for executing the above method for identifying subclass service traffic. Figure 6 is a schematic structural diagram of an electronic device implementing the embodiments of the present application. Electronic devices may differ considerably depending on configuration or performance, and may include a processor 401, a communications interface 402, a memory 403 and a communication bus 404, where the processor 401, the communications interface 402 and the memory 403 communicate with one another through the communication bus 404. The processor 401 can call a computer program that is stored in the memory 403 and can run on the processor 401. For the specific execution steps, refer to the steps of the above embodiments of the method for identifying subclass service traffic; the same technical effect can be achieved, and to avoid repetition they are not described again here.

It should be noted that the electronic devices in the embodiments of the present application include servers, terminals, and devices other than terminals.

The electronic device structure above does not limit the electronic device. The electronic device may include more or fewer components than shown, combine certain components, or arrange the components differently. For example, the input unit may include a graphics processing unit (GPU) and a microphone, and the display unit may configure its display panel in the form of a liquid crystal display, organic light-emitting diodes, and so on. The user input unit includes at least one of a touch panel and other input devices. The touch panel is also called a touch screen. Other input devices may include, but are not limited to, a physical keyboard, function keys (such as volume control keys and power keys), a trackball, a mouse and a joystick, which are not described further here.

The memory can be used to store software programs and various data. The memory may mainly include a first storage area for storing programs or instructions and a second storage area for storing data, where the first storage area may store the operating system and the application programs or instructions required for at least one function (such as a sound playback function or an image playback function). In addition, the memory may include volatile memory or non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM) or Direct Rambus RAM (DRRAM).

The processor may include one or more processing units. Optionally, the processor integrates an application processor and a modem processor, where the application processor mainly handles operations involving the operating system, user interface and application programs, and the modem processor, such as a baseband processor, mainly handles wireless communication signals. It can be understood that the modem processor need not be integrated into the processor.

The embodiments of the present application also provide a readable storage medium on which a program or instructions are stored. When the program or instructions are executed by a processor, each process of the above embodiments of the method for identifying subclass service traffic is implemented and the same technical effect can be achieved; to avoid repetition, they are not described again here.

The processor is the processor in the electronic device described in the above embodiment. The readable storage medium includes computer-readable storage media such as computer read-only memory (ROM), random access memory (RAM), magnetic disks and optical discs.

The embodiments of the present application further provide a chip that includes a processor and a communication interface, the communication interface being coupled to the processor. The processor is used to run programs or instructions to implement each process of the above embodiments of the method for identifying subclass service traffic, and the same technical effect can be achieved; to avoid repetition, they are not described again here.

It should be understood that the chip mentioned in the embodiments of the present application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip.

It should be noted that, in this document, the terms "comprise", "include" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "includes a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element. In addition, the scope of the methods and devices in the embodiments of the present application is not limited to performing functions in the order shown or discussed; it may also include performing functions in a substantially simultaneous manner or in the reverse order, depending on the functions involved. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted or combined. Features described with reference to certain examples may also be combined in other examples.

From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that cause a terminal (which may be a mobile phone, computer, server, air conditioner, network device, and so on) to execute the methods described in the embodiments of the present application.

The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific embodiments described, which are merely illustrative and not restrictive. Guided by the present application, those of ordinary skill in the art can devise many other forms without departing from the purpose of the present application and the scope protected by the claims, all of which fall within the protection of the present application.

Claims (10)

1. A method for identifying subclass service traffic, comprising:
collecting traffic data to be identified;
acquiring target traffic data corresponding to each piece of target address information according to the target address information of the traffic data;
obtaining target subclass services corresponding to the target address information according to a pre-obtained subclass service identification library, wherein the subclass service identification library comprises the correspondence between address information and subclass services; and
acquiring the traffic of each target subclass service in the traffic data according to the target traffic data corresponding to each piece of target address information and the target subclass service corresponding to each piece of target address information.
2. The method of claim 1, wherein prior to collecting the traffic data to be identified, the method further comprises:
acquiring the full domain name information and the address information of the subclass service from a deep address identification DPI system;
acquiring full address information corresponding to the subclass service according to the full domain name information; and
establishing the subclass service identification library, wherein the address information corresponding to the subclass service in the subclass service identification library is the union of the address information of the subclass service obtained from the DPI system and the full address information corresponding to the subclass service.
3. The method according to claim 1 or 2, wherein acquiring the traffic of each target subclass service in the traffic data according to the target traffic data corresponding to each piece of target address information and the target subclass service corresponding to each piece of target address information comprises:
acquiring a traffic change rule of a first target subclass service according to the traffic change corresponding to first target address information, wherein the first target address information is the target address information, among a plurality of pieces of target address information, that corresponds only to the first target subclass service, and the first target subclass service is any one of the plurality of target subclass services;
obtaining, according to the traffic change rule of the first target subclass service, a first traffic occupied by the target subclass service in the traffic corresponding to second target address information, wherein the second target address information is the target address information, among the plurality of pieces of target address information, that corresponds to the first target subclass service and at least one second target subclass service, and the second target subclass service is a target subclass service, among the plurality of target subclass services, other than the first target subclass service; and
acquiring the target traffic of the first target subclass service in the traffic data according to the traffic corresponding to the first target address information and the first traffic.
4. The method of claim 3, wherein acquiring the traffic change rule of the first target subclass service according to the traffic change corresponding to the first target address information comprises:
acquiring the change, over at least one first predetermined time period, of the traffic corresponding to the first target address information; and
obtaining the traffic change rule of the first target subclass service according to the change of the traffic corresponding to the first target address information.
5. The method of claim 3, wherein obtaining, according to the traffic change rule of the first target subclass service, the first traffic occupied by the first target subclass service in the traffic corresponding to the second target address information comprises:
acquiring a first change amount, over a second predetermined time period, of the traffic corresponding to the second target address information;
acquiring a second change amount of the traffic of the first target subclass service over the second predetermined time period according to the traffic change rule of the first target subclass service, the change rule of the second target subclass service, and the first change amount;
acquiring the ratio of the second change amount to the first change amount; and
acquiring the first traffic, wherein the first traffic is the product of the traffic corresponding to the second target address information and the ratio.
6. The method of claim 2, wherein acquiring the full domain name information and the address information of the subclass service from the deep address identification DPI system comprises:
obtaining, by identification matching, the full domain name information and the address information of the subclass service according to the service identification codes in the extensible threat detection and response (XDR) bottom-layer identification detail records of the DPI system.
7. The method according to claim 2, wherein acquiring the full address information corresponding to the subclass service according to the full domain name information comprises:
resolving, from the Domain Name System (DNS) and according to the full domain name information, the full address information corresponding to the subclass service.
8. A device for identifying subclass service traffic, comprising:
a collection module, configured to collect traffic data to be identified;
a first acquisition module, configured to acquire target traffic data corresponding to each piece of target address information according to the target address information of the traffic data;
a second acquisition module, which acquires target subclass services corresponding to the target address information according to a pre-acquired subclass service identification library, wherein the subclass service identification library comprises the correspondence between address information and subclass services; and
a third acquisition module, configured to acquire the traffic of each target subclass service in the traffic data according to the target traffic data corresponding to each piece of target address information and the target subclass service corresponding to each piece of target address information.
9. An electronic device comprising a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps of the method for identifying subclass service traffic according to any one of claims 1 to 7.
10. A readable storage medium, characterized in that a program or instructions are stored thereon which, when executed by a processor, implement the steps of the method for identifying subclass service traffic according to any one of claims 1 to 7.
CN202211566771.8A 2022-12-07 2022-12-07 Method, device, electronic device and storage medium for identifying small-category business traffic Pending CN118158167A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211566771.8A CN118158167A (en) 2022-12-07 2022-12-07 Method, device, electronic device and storage medium for identifying small-category business traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211566771.8A CN118158167A (en) 2022-12-07 2022-12-07 Method, device, electronic device and storage medium for identifying small-category business traffic

Publications (1)

Publication Number Publication Date
CN118158167A true CN118158167A (en) 2024-06-07

Family

ID=91295542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211566771.8A Pending CN118158167A (en) 2022-12-07 2022-12-07 Method, device, electronic device and storage medium for identifying small-category business traffic

Country Status (1)

Country Link
CN (1) CN118158167A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2026001098A1 (en) * 2024-06-25 2026-01-02 中兴通讯股份有限公司 Service type identification method, electronic device, and storage medium

Similar Documents

Publication Publication Date Title
CA3152018A1 (en) Business parameter collecting method, device, computer equipment and storage medium
CN110765295A (en) Graph database-based query method and device, computer equipment and storage medium
US20090307191A1 (en) Techniques to establish trust of a web page to prevent malware redirects from web searches or hyperlinks
CN104219230B (en) Identify method and the device of malicious websites
CN104978267A (en) Web page testing method, terminal and server
CN112733045A (en) User behavior analysis method and device and electronic equipment
CN111047434B (en) Operation record generation method, device, computer equipment and storage medium
CN114157568B (en) A browser secure access method, device, equipment and storage medium
WO2021121130A1 (en) Method and apparatus for information collection, computer device, and storage medium
CN118158167A (en) Method, device, electronic device and storage medium for identifying small-category business traffic
CN114531345A (en) Method, device and equipment for storing flow comparison result and storage medium
CN105068926A (en) Program test method and device thereof
CN110674386B (en) Resource recommendation method, device and storage medium
US11562553B2 (en) Method, apparatus, and computer program for detecting abusing act in online service
CN113760696B (en) A program problem locating method, device, electronic device and storage medium
CN111539641A (en) Abnormity monitoring method and device, computer equipment and storage medium
CN114564856B (en) Data sharing method based on FMEA and electronic equipment
CN113923190B (en) Equipment identification jump identification method and device, server and storage medium
CN113778399B (en) Configuration method and device of bottom layer channel
CN117009202A (en) Buried data processing method, buried data processing device, buried data processing equipment and storage medium
CN111143526B (en) Method and device for generating and controlling configuration information of counsel service control
US9485242B2 (en) Endpoint security screening
CN112486815B (en) Analysis method and device of application program, server and storage medium
CN118827093B (en) Content recognition methods, network devices, and computer-readable storage media
Laudadio et al. Personal Data Transfers to Non-EEA Domains: A Tool for Citizens and An Analysis on Italian Public Administration Websites

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination