CN106385402A - Application identification method and device, application session table sending method and server - Google Patents
Application identification method and device, application session table sending method and server Download PDFInfo
- Publication number
- CN106385402A CN106385402A CN201610785121.0A CN201610785121A CN106385402A CN 106385402 A CN106385402 A CN 106385402A CN 201610785121 A CN201610785121 A CN 201610785121A CN 106385402 A CN106385402 A CN 106385402A
- Authority
- CN
- China
- Prior art keywords
- application
- current
- tags
- confidence level
- session information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides an application identification method and device, an application session table sending method and a server. The application identification method is applied to the application identification device; the application identification device comprises an initial application session table and an application rule base; the initial application session table comprises session information of data streams and application label groups in one to one correspondence to the session information; and each application label group comprises applications and corresponding confidences. The method comprises that in response to a received present data stream, present session information of the present data stream is obtained; and the initial application session table is searched from the present session information and the corresponding present application label group, and if the present session information and the corresponding present application label group are found, the application to which the present data stream belongs is identified according to corresponding application rules in the application rule base in the sequence from high to low confidence of the present application label group. Thus, the application identification efficiency can be improved.
Description
Technical field
The application is related to internet data processing technology field, sets particularly to a kind of application and identification method and application identification
Standby, and, a kind of send the method for utility cession table and cloud server.
Background technology
With the continuous development of network technology, occur in that the application more and more providing the user network service, for example,
Baidu, Sohu etc..User carries out information exchange using network traffics and these applications, so can get up-to-date knowledge or
Message, is that the work of user provides huge facility with life.But, because the species of network application is various, to network
Management also brings certain difficulty, and, the quality applied is very different, also brings new threat to the safety of network.
In prior art, in order to more easily manage the application on network, it is supplied to the safer network experience of user,
All types of applications accurately would generally be identified, Jin Erke in the network service that user uses each application to provide
Effectively intercepted with the data flow that application is sent or the operation such as speed limit.
Content of the invention
But inventor finds in research process, prior art, when carrying out application identification, generally uses and is based on
The mode of stream feature identification, and it is only capable of identifying the application with certain category feature based on the method for stream feature identification application, and no
Method accurately identifies some application, so the granularity of identification is relatively rough, this may result in subsequently cannot be to the number in network
Effectively controlled according to stream.And accurately identify it is necessary to all packet-by-packet parse to each packet in data flow if necessary,
And the number of the packet in data flow is magnanimity, the efficiency identifying just again can be led to very low for this it is impossible to meet network real-time
The requirement of property.Therefore, how can accurately identify the efficiency that each application can improve application identification again, just become in prior art
A kind of problem demanding prompt solution.
Based on this, this application provides method for distinguishing is known in one kind application, in order to, while improving application recognition efficiency, to go back
Can guarantee that the accuracy rate to each application identification it is ensured that improving the network service experience of user while networked-induced delay requires.
Present invention also provides a kind of application identification equipment, cloud server and application identification system, above-mentioned in order to ensure
Method realization in practice and application.
In order to solve the above problems, this application discloses a kind of application and identification method, the method is applied to apply identification to set
Standby upper, described application identification equipment includes:Original application conversational list and application rule base;Described original application conversational list includes:
The session information of data flow and apply set of tags correspondingly with described session information, described application set of tags includes:Multiple
Application and corresponding confidence level, described confidence level is used for representing the probability that corresponding data flow belongs to an application;Described
Application rule base includes:Multiple application identities and corresponding application rule;The method includes:
In response to receiving current data stream, obtain the current sessions information of described current data stream;
Described current sessions information and corresponding current application set of tags is searched in described original application conversational list, if
Can find, then according to confidence level order from big to small in described current application set of tags, respectively according to described application rule
In storehouse, corresponding application rule identifies which application described current data stream belongs to.
Optionally, the session information of described data flow includes:Service end IP of data flow, service end port and transport layer association
View;Described current sessions information and corresponding current application set of tags is searched in described original application conversational list, including:
Current server IP, the current clothes that current sessions information includes are searched respectively in described original application conversational list
Business end port and current transmission layer protocol;
Corresponding for the session information finding application set of tags is defined as current application set of tags.
Optionally, described according to confidence level order from big to small in described current application set of tags, respectively according to described
In application rule base, corresponding application rule identifies which application described current data stream belongs to, including:
By the application that confidence level in described current application set of tags is maximum, it is defined as current application to be confirmed;
Obtain described current application corresponding current application rule from described application rule base;
Judge whether the content of described current data stream meets described current application rule, if it is, confirming described working as
Front data flow belongs to described current application, if it is not, then the order from big to small according to confidence level, by described current application mark
Next application identities in label group are defined as described current application to be confirmed, until the institute in described current application set of tags
There are application identities all to search to finish.
Optionally, described application set of tags also includes:With the corresponding enumerator of application, described enumerator is used for representing to be applied
The number of times being identified;Then after confirming that described current data stream belongs to described current application, also include:
In current application set of tags, the value of corresponding for current application enumerator is added one.
Optionally, if there is not described current sessions information in described original application conversational list, methods described is also wrapped
Include:
According to acquiescence recognition sequence, respectively according to each application rule corresponding in described application rule base, identification is described
Which application current data stream belongs to.
Optionally, the method also includes:
The session information of current data stream and corresponding current application set of tags are added to described utility cession table, its
In, the confidence level in described current application set of tags is default initial value, and the value of described enumerator adds one.
Optionally, the method also includes:
Judge whether to reach the default renewal time cycle, if it is, by described original application conversational list add
The session information of data flow and corresponding application set of tags send to cloud server.
Optionally, the method also includes:
Receive cloud server the returns, session information of data flow of described interpolation and the confidence level of renewal, and foundation
The confidence level of described renewal updates the confidence level in described original application conversational list;
The value of corresponding for the confidence level of renewal enumerator is updated to default initial value.
The embodiment of the present application also discloses a kind of method sending utility cession table, and the method is applied to know with multiple applications
On the cloud server that other equipment is connected, the method includes:
Generate multiple original application conversational lists, described original application conversational list bag for the plurality of application identification equipment respectively
Include:The session information of data flow and apply set of tags correspondingly with described session information, described application set of tags includes:Many
Individual application and corresponding confidence level, described confidence level is used for representing the probability that corresponding data flow belongs to an application;
By the plurality of original application conversational list, corresponding transmission identifies equipment to the plurality of application respectively.
Optionally, the method also includes:
When arriving the default renewal time cycle, receive the plurality of application and identify data that equipment sends, adding
The session information of stream and the application set of tags of interpolation;
The confidence level including according to the application set of tags of described interpolation and enumerator, calculate the corresponding target of target data stream
In application set of tags, each applies corresponding confidence level;Wherein, described target data stream is:Initial in original application conversational list
Data flow, and, the data flow of described interpolation;
By the session information of the confidence level updating and corresponding data flow, send and identify equipment to corresponding application.
The embodiment of the present application also discloses a kind of application identification equipment, and described application identification equipment includes:Original application meeting
Words table and application rule base;Described original application conversational list includes:The session information of data flow and with described session information one by one
Corresponding application set of tags, described application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing
Corresponding data flow belongs to the probability of an application;Described application rule base includes:Multiple application identities and corresponding should
With rule;Described equipment includes:
Acquiring unit, in response to receiving current data stream, obtaining the current sessions information of described current data stream;
Searching unit, for searching described current sessions information and corresponding currently should in described original application conversational list
Use set of tags;
First recognition unit, for according to confidence level order from big to small in described current application set of tags, respectively according to
Identify which application described current data stream belongs to according to corresponding application rule in described application rule base.
Optionally, the session information of described data flow includes:Service end IP of data flow, service end port and transport layer association
View;Described searching unit includes:
Search subelement, current for search in described original application conversational list that current sessions information includes respectively
Server ip, current service end port and current transmission layer protocol;
First determination subelement, for being defined as current application mark by corresponding for the session information finding application set of tags
Label group.
Optionally, described first recognition unit includes:
Second determination subelement, for the application that confidence level in described current application set of tags is maximum, is defined as treating really
The current application recognized;
Obtain subelement, for obtaining described current application corresponding current application rule from described application rule base;
Judgment sub-unit, whether the content for judging described current data stream meets described current application rule;
Confirm subelement, for the result in described judgment sub-unit for, in the case of being, confirming described current data stream
Belong to described current application;
Process subelement, in the case of being no in the result of described judgment sub-unit, according to confidence level from big to small
Order, the next application identities in described current application set of tags are defined as described current application to be confirmed, until
All application identities in described current application set of tags are all searched and are finished.
Optionally, described application set of tags also includes:With the corresponding enumerator of application, described enumerator is used for representing to be applied
The number of times being identified;Then after confirming that described current data stream belongs to described current application, described recognition unit also includes:
Count sub-element, for adding one by the value of corresponding for current application enumerator in current application set of tags.
Optionally, also include:
Second recognition unit, for according to acquiescence recognition sequence, respectively according to described application rule base in corresponding each
Application rule, identifies which application described current data stream belongs to.
Optionally, also include:
Adding device, answers to described for adding the session information of current data stream and corresponding current application set of tags
With, in conversational list, wherein, the confidence level in described current application set of tags is default initial value, and the value of described enumerator adds
One.
Optionally, also include:
Judging unit, is used for judging whether to reach the default renewal time cycle;
First transmitting element, for described judging unit result be in the case of, by described original application session
In table, the session information of data flow adding and corresponding application set of tags send to cloud server.
Optionally, also include:
First receiving unit, for receiving cloud server return, the session information of the data flow of described interpolation and more
New confidence level, and the confidence level in described original application conversational list is updated according to the confidence level of described renewal;
Updating block, for being updated to default initial value by the value of corresponding for the confidence level of renewal enumerator.
The embodiment of the present application also discloses a kind of cloud server, and described cloud server identifies equipment phase with multiple applications
Even, this server includes:
Signal generating unit, for generating multiple original application conversational lists respectively for the plurality of application identification equipment, described first
Beginning utility cession table includes:The session information of data flow and apply set of tags correspondingly with described session information, described should
Included with set of tags:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to one
The probability of application;
Second transmitting element, for by the plurality of original application conversational list, corresponding transmission is known to the plurality of application respectively
Other equipment.
Optionally, also include:
Second receiving unit, for when arriving the default renewal time cycle, receiving the plurality of application and identifying equipment
The session information of data flow sending, adding and the application set of tags of interpolation;
Computing unit, for the confidence level that includes according to the application set of tags of described interpolation and enumerator, calculates number of targets
According to flowing in corresponding intended application set of tags, each applies corresponding confidence level;Wherein, described target data stream is:Original application
Initial data stream in conversational list, and, the data flow of described interpolation;
3rd transmitting element, for the session information of the confidence level that will update and corresponding data flow, sends to corresponding
Application identification equipment.
The embodiment of the present application also discloses a kind of application identification system, including:Aforesaid any one application identification equipment,
With aforesaid any one cloud server.
Compared with prior art, the application includes advantages below:
In the embodiment of the present application, application identification equipment preserves original application conversational list, wherein have recorded every number
The confidence level of multiple applications may be belonged to according to stream, the big application possibility of confidence level is just high, therefore, according to confidence level from big to
Little order to mate corresponding application rule in application rule base successively, so that preferential of the higher application of confidence level
Join, once match certain application can terminate to apply identification process, thus improve the efficiency of application identification.And, carry out
During application identification, full packet detection mode can also be adopted, also ensure that the accuracy rate of application identification.
Certainly, the arbitrary product implementing the application it is not absolutely required to reach all the above advantage simultaneously.
Brief description
For the technical scheme being illustrated more clearly that in the embodiment of the present application, will make to required in embodiment description below
Accompanying drawing be briefly described it should be apparent that, drawings in the following description are only some embodiments of the present application, for
For those of ordinary skill in the art, without having to pay creative labor, it can also be obtained according to these accompanying drawings
His accompanying drawing.
Fig. 1 is the application scenarios Organization Chart of the application;
Fig. 2 is the structural representation of the utility cession table of the application;
Fig. 3 is the structural representation of the application rule of the application;
Fig. 4 is the flow chart of the application and identification method embodiment of the application;
Fig. 5 is the schematic diagram of the utility cession record of cloud server preservation of the application;
Fig. 6 is the flow chart of the embodiment of the method for transmission utility cession table of the application;
Fig. 7 is the structured flowchart of the application identification apparatus embodiments of the application;
Fig. 8 is the structured flowchart of the cloud server embodiment of the application;
Fig. 9 is the structured flowchart of the application identification system embodiment of the application.
Specific embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present application, the technical scheme in the embodiment of the present application is carried out clear, complete
Site preparation describes it is clear that described embodiment is only some embodiments of the present application, rather than whole embodiments.It is based on
Embodiment in the application, it is every other that those of ordinary skill in the art are obtained under the premise of not making creative work
Embodiment, broadly falls into the scope of the application protection.
With reference to shown in Fig. 1, it is the embodiment of the present application scene framework figure in actual applications.In FIG, application identification sets
Standby 102 can individually be deployed in an independent network, or, it is typically found among the borde gateway of each network.Example
As, certain company is provided with 3 LANs altogether, then can be respectively this 3 LANs and arrange 3 application identification equipment, and for this 3
Individual application identification equipment arranges a cloud server 101, and this cloud server 101 can divide with this 3 application identification equipment
Not connected, can be to this 3 application identification equipment sending datas it is also possible to receive the data that this 3 application identification equipment upload.
In application identification equipment 102, can include:Original application conversational list and application rule base.Wherein, utility cession
The concrete structure of table refers to Fig. 2.The session information and with session information one by one of data flow can be included in original application conversational list
Corresponding application set of tags.Wherein, on the left of Fig. 2 be data flow session information, can include:Service end IP (IP), service end
Port (Port) and transport layer protocol (Protocol), the session information of data flow is used for unique spy representing a data stream
Levy, each data flow can be identified.And the application set of tags on the right side of Fig. 2 and session information correspond, application set of tags is permissible
Including:Multiple applications (Appid [i]) and each the corresponding confidence level of application (Confidence [i]), confidence level is identical clothes
Under business end IP, same services end port and identical transport layer protocol, a data stream belongs to the general of this application (Appid [i])
Rate, represents that corresponding data flow belongs to the probability of an application.Additionally, application set of tags can also include enumerator
(Count [i]), enumerator is corresponded with application (Appid [i]), for representing that in a period of time, data flow is identified as this
The number of times of application.Wherein, the confidence level summation of each application in Fig. 2 is 1, i.e. Confidence [0]+Confidence [1]
+ ...+Confidence [i]=1, i is the integer more than zero.
Wherein, application rule base can include:Multiple application identities and corresponding application rule.Wherein, an application is right
Answer at least one application rule, with reference to shown in Fig. 3, for the data structure schematic diagram of utility cession table in application rule base, one
The corresponding i rule (Rule) of application (Appid), i.e. the content of a data stream needs this i rule simultaneously just can be confirmed to be
Belong to this application.Wherein, application rule can be realized using regular expression.
With reference to Fig. 4, show that the application is a kind of and be applied to apply the stream of the application and identification method embodiment on identification equipment
Cheng Tu, wherein, the application in the present embodiment identifies that equipment is that any one shown in Fig. 1 applies identification equipment, and the present embodiment can
To comprise the following steps:
Step 401:In response to receiving current data stream, obtain the current sessions information of described current data stream.
In actual applications, if application identification deployed with devices on a local area network, is applied identification can obtain access and is somebody's turn to do
The packet that all user equipmenies of LAN are sent out, and apply the packet sending to user equipment, and then, obtain
To the session information of each data stream, for example, service end IP of current data stream, service end port and transport layer protocol.When
So, the session information in the present embodiment can also be the content that other are arbitrarily capable of unique identification data stream.In the present embodiment,
Applied by any one and illustrate as a example any one data stream sending to any one user equipment.Wherein, this enforcement
Application in example refers to the webserver of network traffics generation, for example, Baidu, Sohu's video, or iqiyi.com etc..
Step 402:Described current sessions information and corresponding current application mark is searched in described original application conversational list
Label group, if can find, enters step 203.
The original application conversational list because application identification equipment is stored with, therefore, it can getting working as of current database
After front session information, search, in described original application conversational list, the current server that current sessions information includes respectively
IP, current service end port and current transmission layer protocol, if can find, illustrate that the session of current data stream is saved
In original application conversational list, then the session information corresponding application set of tags finding is defined as current application set of tags.False
If having 5 applications in the current application set of tags determining, and this 5 application corresponding 5 confidence levels respectively.Further,
The numerical value of this 5 application corresponding enumerators of difference can also be included.
Step 403:According to confidence level order from big to small in described current application set of tags, respectively according to described application
In rule base, corresponding application rule identifies which application described current data stream belongs to.
After determining to current application set of tags, 5 application corresponding 5 confidences respectively in this current application set of tags
There is size order in degree, for example, size is respectively:(Baidu) 0.43, (Sohu) 0.26, (iqiyi.com) 0.18, (youku.com) 0.11
(QQ) 0.02.Then in this step, by the order from big to small according to confidence level, respectively according to Baidu, Sohu, iqiyi.com,
Youku.com and QQ corresponding application rule in application rule base, to identify which in this 5 applications current data stream belong to.
Data flow is passed through to search utility cession table, finds corresponding application set of tags (Appid [0], Appid [1] ... Appid [i]),
Again by the corresponding application rule set in each application label lookup application identification engine, just to confirm application identification label
Really property.Without the rule searching all applications every time.According to the result searched come answering in more new opplication recognition node
With the counter information in conversational list.
Specifically, this step can include step A1~step A5:
Step A1:By the application that confidence level in described current application set of tags is maximum, it is defined as current application to be confirmed.
First, by the application that confidence level is maximum, for example, Baidu, is defined as current application to be confirmed.
Step A2:Obtain described current application corresponding current application rule from described application rule base.
Find Baidu's corresponding application rule from application rule base, that is, data flow belongs to needs satisfaction during Baidu
Regular expression.
Step A3:Judge whether the content of described current data stream meets described current application rule, if it is, entering
Step A4, if it is not, then enter step A5.
And then, judge whether the content of current data stream meets the regular expression finding in step A2, if it is satisfied,
Then can confirm that current data stream is exactly the data flow that Baidu sends.
Step A4:Confirm that described current data stream belongs to described current application.
Step A5:According to confidence level order from big to small, by the next application mark in described current application set of tags
Know and be defined as described current application to be confirmed, until all application identities in described current application set of tags have all been searched
Finish.
And if be unsatisfactory for, then the data flow that explanation current data Liu Bushi Baidu sends, in this case, just again
According to confidence level order from big to small, " Sohu " is defined as current application to be confirmed and execution step A2 is confirmed,
Until confirming that current data stream belongs to some application, or, all application identities in current application set of tags have all been searched
Finish.It is understood that all application identities in current application set of tags are all searched finishes current data stream also unconfirmed
When belonging to which application, then need the remaining all application rules that also will be mated in application rule base, according to silent
Recognize recognition sequence, all mated with current data stream one by one.
Specifically, the method that this step can have DPI (deep-packet detection, Deep Packet Inspection) with this case is entered
Row tables of data is mated.DPI is the application technology of identification on the basis in various networking products at present, and it is by the rule of certain specification
Then grammer, the signature character of application is described, and the load data in packet is packet-by-packet parsed simultaneously with rule signature
Coupling, thus reach the function of signature character identification.Certainly, partly counting current data stream can also be adopted in this step
The mode being parsed and being mated according to bag, no matter using which kind of mode, can make recognition result more accurate.
Include, with the case of the corresponding enumerator of application, after step A4, can also including walking in application set of tags
Rapid A6:
Step A6:In current application set of tags, the value of corresponding for current application enumerator is added one.
If it is confirmed that current data stream belongs to the current application in current application set of tags, such as Baidu, then by Baidu pair
The value of the enumerator answered adds one, and the value of this enumerator has meant that Baidu, and within a period of time, (time for example, pre-setting is more
In the new cycle) identified number of times.For example, the value of enumerator is 3 then it represents that within update cycle time pre-setting,
Baidu has identified 3 times altogether it is understood that being, one has 3 data streams is identified as Baidu's transmission.
If there is not current sessions information in step 402 in original application conversational list, after step 402,
Methods described can also include:
Step 404:According to acquiescence recognition sequence, respectively according to each application rule corresponding in described application rule base,
Identify which application described current data stream belongs to.
In the present embodiment, if being saved in current data stream in the original application conversational list of application identification equipment preservation
Session information, then need all to be mated each application corresponding application rule in application rule base, thus identifying current
Which application is data flow belong to.Certainly, in identification, can mate one by one according to the acquiescence recognition sequence pre-setting should
With each bar application rule in rule base.Acquiescence recognition sequence can identify one by one according to English alphabet order, for example, first know
Other initial is the application corresponding application rule of " A ", and then identification initial is the application corresponding application rule of " B ", with
This analogizes.It is, of course, also possible to identify according to the order of any other skilled in the art setting.
Assume to have identified in step 404 complete of the application rule with application " Fructus Mangifera Indicae TV " for the content of current data stream
Join, then current data stream belongs to application " Fructus Mangifera Indicae TV ", then can also include:
Step 405:The session information of current data stream and corresponding current application set of tags are added and initially should to described
With, in conversational list, wherein, the confidence level in described current application set of tags is default initial value, and the value of described enumerator adds
One.
By the session information of current data stream, and corresponding application set of tags is added separately in original application conversational list.
Confidence level in corresponding current application set of tags can be initial value, and initial value could be arranged to zero, and the value of enumerator can
To be set to one.
For application identification equipment, while execution step 401~step 405, can also include:
Step B:Judge whether to reach the default renewal time cycle, if it is, by described original application conversational list
The session information of data flow adding and corresponding application set of tags, send to cloud server.
When default renewal period of time T arrives, T could be arranged to 5 seconds etc., and application identification equipment can be by T
In section, in original application conversational list, the new session information adding and corresponding application set of tags send to cloud server, by cloud
End server is according to the numerical value of each corresponding enumerator of application in application set of tags, and the value of confidence level, to recalculate each
The confidence level of individual application.And then, the confidence level of renewal can also be distributed to each and apply identification equipment by cloud server again.Its
In, the application identification session sheet format in high in the clouds is as shown in Figure 5.In fig. 5, it is assumed that a total i application, i is whole more than zero
Number, then for application Appid [0], before its renewal of counter records, recognized sum is A0, and renewal previous belief is A0/ (A0+
A1+ ...+Ai) it is assumed that the newly-increased identification number of counter records is N0, then the confidence level that cloud server recalculates is:(A0+
N0)/(A0+A1+ ...+Ai+N0+N1 ...+Ni), by that analogy, after being presented in Fig. 5 the renewal of i-th application Appid [i]
The calculation of confidence level.
It should be noted that in actual applications, in order to ensure to apply the recognition efficiency of identification identification, each application identification
Equipment can be according to the certain applications conversational list selecting reception cloud server, such as such as, the identification of count pick up device record
Front some (such as 1000) bar utility cession records of sum (recognized sum and newly-increased identification number sum before renewal), or
Person, only receives the utility cession record that confidence level is more than preset value (such as 0.8), etc..
In this step, if not arriving default period of time T, can continue to execute this step in real time and judged.
After original application conversational list is sent to cloud server by execution step B application identification equipment, can also wrap
Include:
Step C:Receive cloud server the returns, session information of data flow of described interpolation and the confidence level of renewal,
And according to the confidence level in the confidence level described original application conversational list of renewal of described renewal, and, the confidence level pair that will update
The value of the enumerator answered is updated to default initial value.
The session information of data flow that application identification equipment receives cloud server return again, adding and the confidence of renewal
Degree, and the confidence level being recalculated according to cloud server updates oneself preservation, the confidence level in original application conversational list,
And confidence level is had the value of the corresponding enumerator of application of renewal, and also it is updated to default initial value, such as zero.
It can be seen that, in the embodiment of the present application, application identification equipment preserves original application conversational list, wherein have recorded every
Data stream may belong to the confidence level of multiple applications, and the big application possibility of confidence level is just high, therefore, according to confidence level from
To mate corresponding application rule in application rule base successively to little order greatly, so that the higher application of confidence level is excellent
First mate, once match certain application can terminate to apply identification process, thus improve the efficiency of application identification.And,
When carrying out application identification, full packet detection mode can also be adopted, also ensure that the accuracy rate of application identification.
With reference to Fig. 6, show a kind of flow chart of the embodiment of the method sending utility cession table of the application, the present embodiment can
To be applied to identify that on the cloud server that equipment is connected, the present embodiment may comprise steps of with multiple applications:
Step 601:Generate multiple original application conversational lists for the plurality of application identification equipment respectively.
In the present embodiment, the original application conversational list on application identification equipment is generated by cloud server.This initially should
Can be included with conversational list:The session information of data flow and apply set of tags correspondingly with described session information, wherein, should
Can be included with set of tags:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to
The probability of one application.The introduction of specific utility cession table may be referred to the embodiment shown in Fig. 4, will not be described here.
In addition, in a kind of possible implementation, in original application conversational list, each applies corresponding confidence level and meter
The initial value of number device could be arranged to zero.Then in this case, when default update cycle time T arrives, cloud service
Device can recalculate confidence level according to the numerical value of enumerator receiving, updating.Or, in alternatively possible reality
In existing mode, each in original application conversational list applies the initial value of corresponding enumerator to could be arranged to zero, and confidence level
Initial value can be calculated according to historical identification data.For example, cloud server can be according in past the week
The identified number of times of each application, is calculated the initial value of each corresponding confidence level of application according to the mode shown in Fig. 5.
Certainly, using which kind of implementation, the application can be realized.
Step 602:By the plurality of original application conversational list, corresponding transmission identifies equipment to the plurality of application respectively.
The multiple original application conversational lists generating are respectively sent to connected multiple application identifications and set by cloud server again
Standby.
After step 602, can also include:
Step 603:When arriving the default renewal time cycle, receive the plurality of application identify that equipment sends, add
Plus the session information of data flow and interpolation application set of tags.
Between cloud server and multiple application identification equipment, can jointly safeguard a renewal period of time T, in T
When being carved into, cloud server can receive within this T moment, in each new utility cession table adding of application identification equipment
The session information of data flow, and the application set of tags of corresponding interpolation, the numerical value of such as enumerator.
Step 604:The confidence level including according to the application set of tags of described interpolation and enumerator, calculate target data stream pair
In the intended application set of tags answered, each applies corresponding confidence level.
With this, cloud server can recalculate the initial data stream in original application conversational list in the way of according to Fig. 5
For each application confidence level, and, calculate within the T moment new data flow added for each application confidence
Degree.
Step 605:By the session information of the confidence level updating and corresponding data flow, send and set to corresponding application identification
Standby.
Cloud server will recalculate the confidence level of the renewal obtaining again, and the session information of corresponding data flow,
Send and apply identification equipment to each, so that each application identifies putting of each application in renewal of the equipment original application conversational list
The initial value of reliability.
In the present embodiment, cloud server generates original application conversational list and is then forwarded to apply identification equipment to be protected
Deposit, wherein have recorded the confidence level that every data stream may belong to multiple applications, the big application possibility of confidence level is just high, because
This, to mate corresponding application rule in application rule base successively according to confidence level order from big to small, so that putting
The higher application priority match of reliability, once match certain application can terminate to apply identification process, thus improve application
The efficiency of identification.And, when carrying out application identification, full packet detection mode can also be adopted, also ensure that application identification
Accuracy rate.
For aforesaid embodiment of the method, in order to be briefly described, therefore it is all expressed as a series of combination of actions, but
Those skilled in the art should know, the application is not limited by described sequence of movement, because according to the application, some
Step can be carried out using other orders or simultaneously.Secondly, those skilled in the art also should know, described in the specification
Embodiment belong to preferred embodiment, necessary to involved action and module not necessarily the application.
Corresponding with the method that a kind of above-mentioned the application application and identification method embodiment is provided, referring to Fig. 7, the application is also
Provide a kind of application identification apparatus embodiments, in the present embodiment, this application identification can include:Original application conversational list and
Application rule base;Described original application conversational list includes:The session information of data flow and one-to-one with described session information
Application set of tags, described application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing corresponding
Data flow belongs to the probability of an application;Described application rule base includes:Multiple application identities and corresponding application rule;
Described application identification equipment can include:
Acquiring unit 701, in response to receiving current data stream, obtaining the current sessions letter of described current data stream
Breath.
Searching unit 702, for search in described original application conversational list described current sessions information and corresponding work as
Front application set of tags.
Wherein, the session information of described data flow includes:Service end IP of data flow, service end port and transport layer association
View;Described searching unit 702 can include:Search subelement, current for searching respectively in described original application conversational list
Current server IP, current service end port and current transmission layer protocol that session information includes;With first determines that son is single
Unit, for being defined as current application set of tags by corresponding for the session information finding application set of tags.
First recognition unit 703, for according to confidence level order from big to small in described current application set of tags, difference
Identify which application described current data stream belongs to according to corresponding application rule in described application rule base.
Wherein, described first recognition unit 703 can include:
Second determination subelement, for the application that confidence level in described current application set of tags is maximum, is defined as treating really
The current application recognized;Obtain subelement, for obtaining the corresponding current application of described current application from described application rule base
Rule;Judgment sub-unit, whether the content for judging described current data stream meets described current application rule;Confirm that son is single
Unit, for the result in described judgment sub-unit be in the case of, confirm that described current data stream belongs to and described currently should
With;With process subelement, in the case of being no in the result of described judgment sub-unit, according to confidence level from big to small
Sequentially, the next application identities in described current application set of tags are defined as described current application to be confirmed, until institute
State all application identities in current application set of tags and all search and finish.
Wherein, application set of tags can also include:With the corresponding enumerator of application, described enumerator is used for representing applies quilt
The number of times confirming;Then after confirming that described current data stream belongs to described current application, described recognition unit can also wrap
Include:Count sub-element, for adding one by the value of corresponding for current application enumerator in current application set of tags.
In actual applications, described application identification equipment can also include:
Second recognition unit 704, for according to acquiescence recognition sequence, respectively according to corresponding each in described application rule base
Individual application rule, identifies which application described current data stream belongs to.
With, adding device 705, for by the session information of current data stream and corresponding current application set of tags add to
In described utility cession table, wherein, the confidence level in described current application set of tags is default initial value, described enumerator
Value Jia one.
In actual applications, described application identification equipment can also include:
Judging unit, is used for judging whether to reach the default renewal time cycle;With the first transmitting element, in institute
State judging unit result be in the case of, by the session information of data flow adding in described original application conversational list and right
The application set of tags answered sends to cloud server.
Or, in actual applications, described application identification equipment can also include:
First receiving unit, for receiving cloud server return, the session information of the data flow of described interpolation and more
New confidence level, and the confidence level in described original application conversational list is updated according to the confidence level of described renewal;With renewal is single
Unit, for being updated to default initial value by the value of corresponding for the confidence level of renewal enumerator.
Original application conversational list is preserved, wherein have recorded every data stream may on the application identification equipment of the present embodiment
Belong to the confidence level of multiple applications, the big application possibility of confidence level is just high, therefore, according to confidence level order from big to small
To mate corresponding application rule in application rule base successively, so that the higher application priority match of confidence level, once
Match certain application can terminate to apply identification process, thus improve the efficiency of application identification.And, carry out application identification
When, full packet detection mode can also be adopted, also ensure that the accuracy rate of application identification.
With reference to shown in Fig. 8, present invention also provides a kind of cloud server embodiment, in the present embodiment, described high in the clouds
Server is connected with multiple applications identification equipment, and this server includes:
Signal generating unit 801, for generating multiple original application conversational lists respectively for the plurality of application identification equipment, described
Original application conversational list includes:The session information of data flow and apply set of tags correspondingly with described session information, described
Application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to one
The probability of individual application.
Second transmitting element 802, for by the plurality of original application conversational list, corresponding transmission is answered to the plurality of respectively
With identifying equipment.
Wherein, in actual applications, this cloud server can also include:
Second receiving unit 803, sets for when arriving the default renewal time cycle, receiving the plurality of application identification
The session information of data flow that preparation is sent, adding and the application set of tags of interpolation.
Computing unit 804, for the confidence level that includes according to the application set of tags of described interpolation and enumerator, calculates target
In data flow corresponding intended application set of tags, each applies corresponding confidence level;Wherein, described target data stream is:Initially should
With the initial data stream in conversational list, and, the data flow of described interpolation.
3rd transmitting element 805, for will update confidence level and corresponding data flow session information, send to correspondence
Application identification equipment.
Original application conversational list can be sent to each application identification equipment by the cloud server in the present embodiment to be carried out
Preserve, wherein have recorded the confidence level that every data stream may belong to multiple applications, the big application possibility of confidence level is just
Height, therefore, to mate corresponding application rule in application rule base successively according to confidence level order from big to small, can make
Obtain the higher application priority match of confidence level, once match certain application can terminate to apply identification process, thus improve
The efficiency of application identification.And, when carrying out application identification, full packet detection mode can also be adopted, also ensure that application is known
Other accuracy rate.
Referring to Fig. 9, present invention also provides a kind of application identification system embodiment, in the present embodiment, this system is permissible
Identify equipment 90 including shown in Fig. 7, multiple application, and, identify, with the plurality of application, the cloud server 91 that equipment is connected.This
Embodiment employs cloud server 91 and identifies that equipment 91 is managed to multiple applications, and carries for multiple application identification equipment 91
For original application conversational list, and after receiving utility cession record that multiple applications identify equipment 91 return, adding, again
Calculate the confidence level of each application and be synchronized to the plurality of application identification equipment 91, ensure that each application identification equipment is carried out with this
During application identification, accuracy rate is higher.
It should be noted that each embodiment in this specification is all described by the way of going forward one by one, each embodiment weight
Point explanation is all difference with other embodiment, between each embodiment identical similar partly mutually referring to.
For device class embodiment, due to itself and embodiment of the method basic simlarity, so description is fairly simple, related part ginseng
See that the part of embodiment of the method illustrates.
Last in addition it is also necessary to explanation, herein, such as first and second or the like relational terms be used merely to by
One entity or operation are made a distinction with another entity or operation, and not necessarily require or imply these entities or operation
Between there is any this actual relation or order.And, term " inclusion ", "comprising" or its any other variant meaning
Covering comprising of nonexcludability, so that including a series of process of key elements, method, article or equipment not only include that
A little key elements, but also include other key elements being not expressly set out, or also include for this process, method, article or
The intrinsic key element of equipment.In the absence of more restrictions, the key element being limited by sentence "including a ...", does not arrange
Remove and also there is other identical element in the process including described key element, method, article or equipment.
Above application and identification method provided herein and equipment, the method for transmission utility cession table and server are entered
Go and be discussed in detail, specific case used herein has been set forth to the principle of the application and embodiment, above enforcement
The explanation of example is only intended to help and understands the present processes and its core concept;General technology people simultaneously for this area
Member, according to the thought of the application, all will change in specific embodiments and applications, in sum, this explanation
Book content should not be construed as the restriction to the application.
Claims (10)
1. it is characterised in that the method is applied to apply on identification equipment, described application identifies equipment to a kind of application and identification method
Including:Original application conversational list and application rule base;Described original application conversational list includes:The session information of data flow and with institute
State session information and apply set of tags correspondingly, described application set of tags includes:Multiple applications and corresponding confidence level, described
Confidence level is used for representing the probability that corresponding data flow belongs to an application;Described application rule base includes:Multiple applications
Mark and corresponding application rule;The method includes:
In response to receiving current data stream, obtain the current sessions information of described current data stream;
Search described current sessions information and corresponding current application set of tags in described original application conversational list, if can look into
Find, then according to confidence level order from big to small in described current application set of tags, respectively according in described application rule base
Corresponding application rule identifies which application described current data stream belongs to.
2. method according to claim 1 is it is characterised in that the session information of described data flow includes:The clothes of data flow
Business end IP, service end port and transport layer protocol;Described current sessions information and right is searched in described original application conversational list
The current application set of tags answered, including:
Current server IP, the current service end that current sessions information includes is searched respectively in described original application conversational list
Port and current transmission layer protocol;
Corresponding for the session information finding application set of tags is defined as current application set of tags.
3. method according to claim 2 it is characterised in that described according to confidence level in described current application set of tags from
Arrive greatly little order, identify which described current data stream belongs to according to corresponding application rule in described application rule base respectively
One application, including:
By the application that confidence level in described current application set of tags is maximum, it is defined as current application to be confirmed;
Obtain described current application corresponding current application rule from described application rule base;
Judge whether the content of described current data stream meets described current application rule, if it is, confirming described current number
Belong to described current application according to stream, if it is not, then the order from big to small according to confidence level, by described current application set of tags
In next application identities be defined as described current application to be confirmed, until described current application set of tags in all should
All searched with mark and finish.
4. method according to claim 3 is it is characterised in that described application set of tags also includes:With the corresponding meter of application
Number device, described enumerator is used for representing the number of times that application is identified;Then belong to described current in the described current data stream of confirmation
After application, also include:
In current application set of tags, the value of corresponding for current application enumerator is added one.
If 5. it is characterised in that there is not institute in described original application conversational list in method according to claims 1 to 4
State current sessions information, then methods described also includes:
According to acquiescence recognition sequence, respectively according to each application rule corresponding in described application rule base, identification is described current
Which application is data flow belong to.
6. method according to claim 5 is it is characterised in that also include:
The session information of current data stream and corresponding current application set of tags are added to described utility cession table, wherein,
Confidence level in described current application set of tags is default initial value, and the value of described enumerator adds one.
7. method according to claim 6 is it is characterised in that also include:
Judge whether to reach the default renewal time cycle, if it is, the data that will add in described original application conversational list
The session information of stream and corresponding application set of tags send to cloud server.
8. a kind of method sending utility cession table is it is characterised in that the method is applied to be connected with multiple applications identification equipment
Cloud server on, the method includes:
Generate multiple original application conversational lists for the plurality of application identification equipment respectively, described original application conversational list includes:
The session information of data flow and apply set of tags correspondingly with described session information, described application set of tags includes:Multiple
Application and corresponding confidence level, described confidence level is used for representing the probability that corresponding data flow belongs to an application;
By the plurality of original application conversational list, corresponding transmission identifies equipment to the plurality of application respectively.
9. a kind of application identification equipment is it is characterised in that described application identification equipment includes:Original application conversational list and application rule
Then storehouse;Described original application conversational list includes:The session information of data flow and apply mark correspondingly with described session information
Label group, described application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing corresponding data flow
Belong to the probability of an application;Described application rule base includes:Multiple application identities and corresponding application rule;Described set
Standby inclusion:
Acquiring unit, in response to receiving current data stream, obtaining the current sessions information of described current data stream;
Searching unit, for searching described current sessions information and corresponding current application mark in described original application conversational list
Label group;
First recognition unit, for according to confidence level order from big to small in described current application set of tags, respectively according to institute
State corresponding application rule in application rule base and identify which application described current data stream belongs to.
10. a kind of cloud server is it is characterised in that described cloud server and multiple applications identification equipment is connected, this service
Device includes:
Signal generating unit, for generating multiple original application conversational lists respectively for the plurality of application identification equipment, described initially should
Included with conversational list:The session information of data flow and apply set of tags correspondingly with described session information, described application mark
Label group includes:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to an application
Probability;
Second transmitting element, for by the plurality of original application conversational list, corresponding transmission sets to the plurality of application identification respectively
Standby.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610785121.0A CN106385402B (en) | 2016-08-31 | 2016-08-31 | Application identification method and device, method for sending application session table and server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610785121.0A CN106385402B (en) | 2016-08-31 | 2016-08-31 | Application identification method and device, method for sending application session table and server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106385402A true CN106385402A (en) | 2017-02-08 |
CN106385402B CN106385402B (en) | 2021-07-30 |
Family
ID=57939385
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610785121.0A Active CN106385402B (en) | 2016-08-31 | 2016-08-31 | Application identification method and device, method for sending application session table and server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106385402B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110580256A (en) * | 2018-05-22 | 2019-12-17 | 华为技术有限公司 | Method, device and system for identifying application identifier |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645892A (en) * | 2009-08-26 | 2010-02-10 | 成都市华为赛门铁克科技有限公司 | Flow detection method and equipment |
CN102222199A (en) * | 2011-06-03 | 2011-10-19 | 奇智软件(北京)有限公司 | Method and system for identifying identification of application program |
US20140143875A1 (en) * | 2012-11-22 | 2014-05-22 | F-Secure Corporation | Detecting Application Behavior |
CN104520842A (en) * | 2012-09-13 | 2015-04-15 | 英特尔公司 | Method and apparatus for improving user experience |
CN104796406A (en) * | 2015-03-20 | 2015-07-22 | 杭州华三通信技术有限公司 | Method and device for identifying application |
CN105591973A (en) * | 2015-12-31 | 2016-05-18 | 杭州数梦工场科技有限公司 | Application recognition method and apparatus |
-
2016
- 2016-08-31 CN CN201610785121.0A patent/CN106385402B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645892A (en) * | 2009-08-26 | 2010-02-10 | 成都市华为赛门铁克科技有限公司 | Flow detection method and equipment |
CN102222199A (en) * | 2011-06-03 | 2011-10-19 | 奇智软件(北京)有限公司 | Method and system for identifying identification of application program |
CN104520842A (en) * | 2012-09-13 | 2015-04-15 | 英特尔公司 | Method and apparatus for improving user experience |
US20140143875A1 (en) * | 2012-11-22 | 2014-05-22 | F-Secure Corporation | Detecting Application Behavior |
CN104796406A (en) * | 2015-03-20 | 2015-07-22 | 杭州华三通信技术有限公司 | Method and device for identifying application |
CN105591973A (en) * | 2015-12-31 | 2016-05-18 | 杭州数梦工场科技有限公司 | Application recognition method and apparatus |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110580256A (en) * | 2018-05-22 | 2019-12-17 | 华为技术有限公司 | Method, device and system for identifying application identifier |
CN110580256B (en) * | 2018-05-22 | 2022-06-10 | 华为技术有限公司 | Method, device and system for identifying application identification |
US11438425B2 (en) | 2018-05-22 | 2022-09-06 | Huawei Technologies Co., Ltd. | Method, device and system for identifying application identifier |
Also Published As
Publication number | Publication date |
---|---|
CN106385402B (en) | 2021-07-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN100563168C (en) | application traffic statistical method and device | |
CN104243240B (en) | SDN (self-defending network) flow measuring method based on Open Flow | |
CN100413290C (en) | Method for setting up notification function for route selection according to border gateway protocol | |
CN105634956B (en) | A kind of message forwarding method, device and system | |
WO2016095516A1 (en) | Complex event processing method, apparatus and system | |
CN106209775B (en) | A kind of application type recognition methods of SSL encryption network flow and device | |
CN106933989A (en) | A kind of method of Web realease information system | |
CN106921572B (en) | A kind of method, apparatus and system for propagating qos policy | |
CN105556916B (en) | The information statistical method and device of network flow | |
CN109213758B (en) | Data access method, device, equipment and computer readable storage medium | |
CN103354528B (en) | Method and device for multi-stream synchronization | |
CN110472502A (en) | Depending on method, apparatus, the equipment, medium of lower dangerous goods image detection of networking | |
CN109743672A (en) | A kind of motion profile display methods and device | |
CN109299742A (en) | Method, apparatus, equipment and the storage medium of automatic discovery unknown network stream | |
CN103281211B (en) | Large-scale network node system for managing in groups and management method | |
CN105871585A (en) | Terminal association method and device | |
CN104994016A (en) | Method and apparatus for packet classification | |
CN110138652A (en) | A kind of session updates method, apparatus and client device | |
CN105991707A (en) | Multimedia interaction method, server and system thereof | |
CN107622064A (en) | A kind of method for reading data and system | |
CN109617830A (en) | A kind of method and apparatus regarding real time demonstration business in networking | |
CN101355585B (en) | System and method for protecting information of distributed architecture data communication equipment | |
CN105357071A (en) | Identification method and identification system for network complex traffic | |
CN114070800A (en) | SECS2 traffic rapid identification method combining deep packet inspection and deep stream inspection | |
CN106385402A (en) | Application identification method and device, application session table sending method and server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |