CN106385402A - Application identification method and device, application session table sending method and server - Google Patents

Application identification method and device, application session table sending method and server Download PDF

Info

Publication number
CN106385402A
CN106385402A CN201610785121.0A CN201610785121A CN106385402A CN 106385402 A CN106385402 A CN 106385402A CN 201610785121 A CN201610785121 A CN 201610785121A CN 106385402 A CN106385402 A CN 106385402A
Authority
CN
China
Prior art keywords
application
current
tags
confidence level
session information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610785121.0A
Other languages
Chinese (zh)
Other versions
CN106385402B (en
Inventor
谷久宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Neusoft Corp
Original Assignee
Neusoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Neusoft Corp filed Critical Neusoft Corp
Priority to CN201610785121.0A priority Critical patent/CN106385402B/en
Publication of CN106385402A publication Critical patent/CN106385402A/en
Application granted granted Critical
Publication of CN106385402B publication Critical patent/CN106385402B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an application identification method and device, an application session table sending method and a server. The application identification method is applied to the application identification device; the application identification device comprises an initial application session table and an application rule base; the initial application session table comprises session information of data streams and application label groups in one to one correspondence to the session information; and each application label group comprises applications and corresponding confidences. The method comprises that in response to a received present data stream, present session information of the present data stream is obtained; and the initial application session table is searched from the present session information and the corresponding present application label group, and if the present session information and the corresponding present application label group are found, the application to which the present data stream belongs is identified according to corresponding application rules in the application rule base in the sequence from high to low confidence of the present application label group. Thus, the application identification efficiency can be improved.

Description

Application and identification method and equipment, the method sending utility cession table and server
Technical field
The application is related to internet data processing technology field, sets particularly to a kind of application and identification method and application identification Standby, and, a kind of send the method for utility cession table and cloud server.
Background technology
With the continuous development of network technology, occur in that the application more and more providing the user network service, for example, Baidu, Sohu etc..User carries out information exchange using network traffics and these applications, so can get up-to-date knowledge or Message, is that the work of user provides huge facility with life.But, because the species of network application is various, to network Management also brings certain difficulty, and, the quality applied is very different, also brings new threat to the safety of network.
In prior art, in order to more easily manage the application on network, it is supplied to the safer network experience of user, All types of applications accurately would generally be identified, Jin Erke in the network service that user uses each application to provide Effectively intercepted with the data flow that application is sent or the operation such as speed limit.
Content of the invention
But inventor finds in research process, prior art, when carrying out application identification, generally uses and is based on The mode of stream feature identification, and it is only capable of identifying the application with certain category feature based on the method for stream feature identification application, and no Method accurately identifies some application, so the granularity of identification is relatively rough, this may result in subsequently cannot be to the number in network Effectively controlled according to stream.And accurately identify it is necessary to all packet-by-packet parse to each packet in data flow if necessary, And the number of the packet in data flow is magnanimity, the efficiency identifying just again can be led to very low for this it is impossible to meet network real-time The requirement of property.Therefore, how can accurately identify the efficiency that each application can improve application identification again, just become in prior art A kind of problem demanding prompt solution.
Based on this, this application provides method for distinguishing is known in one kind application, in order to, while improving application recognition efficiency, to go back Can guarantee that the accuracy rate to each application identification it is ensured that improving the network service experience of user while networked-induced delay requires.
Present invention also provides a kind of application identification equipment, cloud server and application identification system, above-mentioned in order to ensure Method realization in practice and application.
In order to solve the above problems, this application discloses a kind of application and identification method, the method is applied to apply identification to set Standby upper, described application identification equipment includes:Original application conversational list and application rule base;Described original application conversational list includes: The session information of data flow and apply set of tags correspondingly with described session information, described application set of tags includes:Multiple Application and corresponding confidence level, described confidence level is used for representing the probability that corresponding data flow belongs to an application;Described Application rule base includes:Multiple application identities and corresponding application rule;The method includes:
In response to receiving current data stream, obtain the current sessions information of described current data stream;
Described current sessions information and corresponding current application set of tags is searched in described original application conversational list, if Can find, then according to confidence level order from big to small in described current application set of tags, respectively according to described application rule In storehouse, corresponding application rule identifies which application described current data stream belongs to.
Optionally, the session information of described data flow includes:Service end IP of data flow, service end port and transport layer association View;Described current sessions information and corresponding current application set of tags is searched in described original application conversational list, including:
Current server IP, the current clothes that current sessions information includes are searched respectively in described original application conversational list Business end port and current transmission layer protocol;
Corresponding for the session information finding application set of tags is defined as current application set of tags.
Optionally, described according to confidence level order from big to small in described current application set of tags, respectively according to described In application rule base, corresponding application rule identifies which application described current data stream belongs to, including:
By the application that confidence level in described current application set of tags is maximum, it is defined as current application to be confirmed;
Obtain described current application corresponding current application rule from described application rule base;
Judge whether the content of described current data stream meets described current application rule, if it is, confirming described working as Front data flow belongs to described current application, if it is not, then the order from big to small according to confidence level, by described current application mark Next application identities in label group are defined as described current application to be confirmed, until the institute in described current application set of tags There are application identities all to search to finish.
Optionally, described application set of tags also includes:With the corresponding enumerator of application, described enumerator is used for representing to be applied The number of times being identified;Then after confirming that described current data stream belongs to described current application, also include:
In current application set of tags, the value of corresponding for current application enumerator is added one.
Optionally, if there is not described current sessions information in described original application conversational list, methods described is also wrapped Include:
According to acquiescence recognition sequence, respectively according to each application rule corresponding in described application rule base, identification is described Which application current data stream belongs to.
Optionally, the method also includes:
The session information of current data stream and corresponding current application set of tags are added to described utility cession table, its In, the confidence level in described current application set of tags is default initial value, and the value of described enumerator adds one.
Optionally, the method also includes:
Judge whether to reach the default renewal time cycle, if it is, by described original application conversational list add The session information of data flow and corresponding application set of tags send to cloud server.
Optionally, the method also includes:
Receive cloud server the returns, session information of data flow of described interpolation and the confidence level of renewal, and foundation The confidence level of described renewal updates the confidence level in described original application conversational list;
The value of corresponding for the confidence level of renewal enumerator is updated to default initial value.
The embodiment of the present application also discloses a kind of method sending utility cession table, and the method is applied to know with multiple applications On the cloud server that other equipment is connected, the method includes:
Generate multiple original application conversational lists, described original application conversational list bag for the plurality of application identification equipment respectively Include:The session information of data flow and apply set of tags correspondingly with described session information, described application set of tags includes:Many Individual application and corresponding confidence level, described confidence level is used for representing the probability that corresponding data flow belongs to an application;
By the plurality of original application conversational list, corresponding transmission identifies equipment to the plurality of application respectively.
Optionally, the method also includes:
When arriving the default renewal time cycle, receive the plurality of application and identify data that equipment sends, adding The session information of stream and the application set of tags of interpolation;
The confidence level including according to the application set of tags of described interpolation and enumerator, calculate the corresponding target of target data stream In application set of tags, each applies corresponding confidence level;Wherein, described target data stream is:Initial in original application conversational list Data flow, and, the data flow of described interpolation;
By the session information of the confidence level updating and corresponding data flow, send and identify equipment to corresponding application.
The embodiment of the present application also discloses a kind of application identification equipment, and described application identification equipment includes:Original application meeting Words table and application rule base;Described original application conversational list includes:The session information of data flow and with described session information one by one Corresponding application set of tags, described application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing Corresponding data flow belongs to the probability of an application;Described application rule base includes:Multiple application identities and corresponding should With rule;Described equipment includes:
Acquiring unit, in response to receiving current data stream, obtaining the current sessions information of described current data stream;
Searching unit, for searching described current sessions information and corresponding currently should in described original application conversational list Use set of tags;
First recognition unit, for according to confidence level order from big to small in described current application set of tags, respectively according to Identify which application described current data stream belongs to according to corresponding application rule in described application rule base.
Optionally, the session information of described data flow includes:Service end IP of data flow, service end port and transport layer association View;Described searching unit includes:
Search subelement, current for search in described original application conversational list that current sessions information includes respectively Server ip, current service end port and current transmission layer protocol;
First determination subelement, for being defined as current application mark by corresponding for the session information finding application set of tags Label group.
Optionally, described first recognition unit includes:
Second determination subelement, for the application that confidence level in described current application set of tags is maximum, is defined as treating really The current application recognized;
Obtain subelement, for obtaining described current application corresponding current application rule from described application rule base;
Judgment sub-unit, whether the content for judging described current data stream meets described current application rule;
Confirm subelement, for the result in described judgment sub-unit for, in the case of being, confirming described current data stream Belong to described current application;
Process subelement, in the case of being no in the result of described judgment sub-unit, according to confidence level from big to small Order, the next application identities in described current application set of tags are defined as described current application to be confirmed, until All application identities in described current application set of tags are all searched and are finished.
Optionally, described application set of tags also includes:With the corresponding enumerator of application, described enumerator is used for representing to be applied The number of times being identified;Then after confirming that described current data stream belongs to described current application, described recognition unit also includes:
Count sub-element, for adding one by the value of corresponding for current application enumerator in current application set of tags.
Optionally, also include:
Second recognition unit, for according to acquiescence recognition sequence, respectively according to described application rule base in corresponding each Application rule, identifies which application described current data stream belongs to.
Optionally, also include:
Adding device, answers to described for adding the session information of current data stream and corresponding current application set of tags With, in conversational list, wherein, the confidence level in described current application set of tags is default initial value, and the value of described enumerator adds One.
Optionally, also include:
Judging unit, is used for judging whether to reach the default renewal time cycle;
First transmitting element, for described judging unit result be in the case of, by described original application session In table, the session information of data flow adding and corresponding application set of tags send to cloud server.
Optionally, also include:
First receiving unit, for receiving cloud server return, the session information of the data flow of described interpolation and more New confidence level, and the confidence level in described original application conversational list is updated according to the confidence level of described renewal;
Updating block, for being updated to default initial value by the value of corresponding for the confidence level of renewal enumerator.
The embodiment of the present application also discloses a kind of cloud server, and described cloud server identifies equipment phase with multiple applications Even, this server includes:
Signal generating unit, for generating multiple original application conversational lists respectively for the plurality of application identification equipment, described first Beginning utility cession table includes:The session information of data flow and apply set of tags correspondingly with described session information, described should Included with set of tags:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to one The probability of application;
Second transmitting element, for by the plurality of original application conversational list, corresponding transmission is known to the plurality of application respectively Other equipment.
Optionally, also include:
Second receiving unit, for when arriving the default renewal time cycle, receiving the plurality of application and identifying equipment The session information of data flow sending, adding and the application set of tags of interpolation;
Computing unit, for the confidence level that includes according to the application set of tags of described interpolation and enumerator, calculates number of targets According to flowing in corresponding intended application set of tags, each applies corresponding confidence level;Wherein, described target data stream is:Original application Initial data stream in conversational list, and, the data flow of described interpolation;
3rd transmitting element, for the session information of the confidence level that will update and corresponding data flow, sends to corresponding Application identification equipment.
The embodiment of the present application also discloses a kind of application identification system, including:Aforesaid any one application identification equipment, With aforesaid any one cloud server.
Compared with prior art, the application includes advantages below:
In the embodiment of the present application, application identification equipment preserves original application conversational list, wherein have recorded every number The confidence level of multiple applications may be belonged to according to stream, the big application possibility of confidence level is just high, therefore, according to confidence level from big to Little order to mate corresponding application rule in application rule base successively, so that preferential of the higher application of confidence level Join, once match certain application can terminate to apply identification process, thus improve the efficiency of application identification.And, carry out During application identification, full packet detection mode can also be adopted, also ensure that the accuracy rate of application identification.
Certainly, the arbitrary product implementing the application it is not absolutely required to reach all the above advantage simultaneously.
Brief description
For the technical scheme being illustrated more clearly that in the embodiment of the present application, will make to required in embodiment description below Accompanying drawing be briefly described it should be apparent that, drawings in the following description are only some embodiments of the present application, for For those of ordinary skill in the art, without having to pay creative labor, it can also be obtained according to these accompanying drawings His accompanying drawing.
Fig. 1 is the application scenarios Organization Chart of the application;
Fig. 2 is the structural representation of the utility cession table of the application;
Fig. 3 is the structural representation of the application rule of the application;
Fig. 4 is the flow chart of the application and identification method embodiment of the application;
Fig. 5 is the schematic diagram of the utility cession record of cloud server preservation of the application;
Fig. 6 is the flow chart of the embodiment of the method for transmission utility cession table of the application;
Fig. 7 is the structured flowchart of the application identification apparatus embodiments of the application;
Fig. 8 is the structured flowchart of the cloud server embodiment of the application;
Fig. 9 is the structured flowchart of the application identification system embodiment of the application.
Specific embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present application, the technical scheme in the embodiment of the present application is carried out clear, complete Site preparation describes it is clear that described embodiment is only some embodiments of the present application, rather than whole embodiments.It is based on Embodiment in the application, it is every other that those of ordinary skill in the art are obtained under the premise of not making creative work Embodiment, broadly falls into the scope of the application protection.
With reference to shown in Fig. 1, it is the embodiment of the present application scene framework figure in actual applications.In FIG, application identification sets Standby 102 can individually be deployed in an independent network, or, it is typically found among the borde gateway of each network.Example As, certain company is provided with 3 LANs altogether, then can be respectively this 3 LANs and arrange 3 application identification equipment, and for this 3 Individual application identification equipment arranges a cloud server 101, and this cloud server 101 can divide with this 3 application identification equipment Not connected, can be to this 3 application identification equipment sending datas it is also possible to receive the data that this 3 application identification equipment upload.
In application identification equipment 102, can include:Original application conversational list and application rule base.Wherein, utility cession The concrete structure of table refers to Fig. 2.The session information and with session information one by one of data flow can be included in original application conversational list Corresponding application set of tags.Wherein, on the left of Fig. 2 be data flow session information, can include:Service end IP (IP), service end Port (Port) and transport layer protocol (Protocol), the session information of data flow is used for unique spy representing a data stream Levy, each data flow can be identified.And the application set of tags on the right side of Fig. 2 and session information correspond, application set of tags is permissible Including:Multiple applications (Appid [i]) and each the corresponding confidence level of application (Confidence [i]), confidence level is identical clothes Under business end IP, same services end port and identical transport layer protocol, a data stream belongs to the general of this application (Appid [i]) Rate, represents that corresponding data flow belongs to the probability of an application.Additionally, application set of tags can also include enumerator (Count [i]), enumerator is corresponded with application (Appid [i]), for representing that in a period of time, data flow is identified as this The number of times of application.Wherein, the confidence level summation of each application in Fig. 2 is 1, i.e. Confidence [0]+Confidence [1] + ...+Confidence [i]=1, i is the integer more than zero.
Wherein, application rule base can include:Multiple application identities and corresponding application rule.Wherein, an application is right Answer at least one application rule, with reference to shown in Fig. 3, for the data structure schematic diagram of utility cession table in application rule base, one The corresponding i rule (Rule) of application (Appid), i.e. the content of a data stream needs this i rule simultaneously just can be confirmed to be Belong to this application.Wherein, application rule can be realized using regular expression.
With reference to Fig. 4, show that the application is a kind of and be applied to apply the stream of the application and identification method embodiment on identification equipment Cheng Tu, wherein, the application in the present embodiment identifies that equipment is that any one shown in Fig. 1 applies identification equipment, and the present embodiment can To comprise the following steps:
Step 401:In response to receiving current data stream, obtain the current sessions information of described current data stream.
In actual applications, if application identification deployed with devices on a local area network, is applied identification can obtain access and is somebody's turn to do The packet that all user equipmenies of LAN are sent out, and apply the packet sending to user equipment, and then, obtain To the session information of each data stream, for example, service end IP of current data stream, service end port and transport layer protocol.When So, the session information in the present embodiment can also be the content that other are arbitrarily capable of unique identification data stream.In the present embodiment, Applied by any one and illustrate as a example any one data stream sending to any one user equipment.Wherein, this enforcement Application in example refers to the webserver of network traffics generation, for example, Baidu, Sohu's video, or iqiyi.com etc..
Step 402:Described current sessions information and corresponding current application mark is searched in described original application conversational list Label group, if can find, enters step 203.
The original application conversational list because application identification equipment is stored with, therefore, it can getting working as of current database After front session information, search, in described original application conversational list, the current server that current sessions information includes respectively IP, current service end port and current transmission layer protocol, if can find, illustrate that the session of current data stream is saved In original application conversational list, then the session information corresponding application set of tags finding is defined as current application set of tags.False If having 5 applications in the current application set of tags determining, and this 5 application corresponding 5 confidence levels respectively.Further, The numerical value of this 5 application corresponding enumerators of difference can also be included.
Step 403:According to confidence level order from big to small in described current application set of tags, respectively according to described application In rule base, corresponding application rule identifies which application described current data stream belongs to.
After determining to current application set of tags, 5 application corresponding 5 confidences respectively in this current application set of tags There is size order in degree, for example, size is respectively:(Baidu) 0.43, (Sohu) 0.26, (iqiyi.com) 0.18, (youku.com) 0.11 (QQ) 0.02.Then in this step, by the order from big to small according to confidence level, respectively according to Baidu, Sohu, iqiyi.com, Youku.com and QQ corresponding application rule in application rule base, to identify which in this 5 applications current data stream belong to. Data flow is passed through to search utility cession table, finds corresponding application set of tags (Appid [0], Appid [1] ... Appid [i]), Again by the corresponding application rule set in each application label lookup application identification engine, just to confirm application identification label Really property.Without the rule searching all applications every time.According to the result searched come answering in more new opplication recognition node With the counter information in conversational list.
Specifically, this step can include step A1~step A5:
Step A1:By the application that confidence level in described current application set of tags is maximum, it is defined as current application to be confirmed.
First, by the application that confidence level is maximum, for example, Baidu, is defined as current application to be confirmed.
Step A2:Obtain described current application corresponding current application rule from described application rule base.
Find Baidu's corresponding application rule from application rule base, that is, data flow belongs to needs satisfaction during Baidu Regular expression.
Step A3:Judge whether the content of described current data stream meets described current application rule, if it is, entering Step A4, if it is not, then enter step A5.
And then, judge whether the content of current data stream meets the regular expression finding in step A2, if it is satisfied, Then can confirm that current data stream is exactly the data flow that Baidu sends.
Step A4:Confirm that described current data stream belongs to described current application.
Step A5:According to confidence level order from big to small, by the next application mark in described current application set of tags Know and be defined as described current application to be confirmed, until all application identities in described current application set of tags have all been searched Finish.
And if be unsatisfactory for, then the data flow that explanation current data Liu Bushi Baidu sends, in this case, just again According to confidence level order from big to small, " Sohu " is defined as current application to be confirmed and execution step A2 is confirmed, Until confirming that current data stream belongs to some application, or, all application identities in current application set of tags have all been searched Finish.It is understood that all application identities in current application set of tags are all searched finishes current data stream also unconfirmed When belonging to which application, then need the remaining all application rules that also will be mated in application rule base, according to silent Recognize recognition sequence, all mated with current data stream one by one.
Specifically, the method that this step can have DPI (deep-packet detection, Deep Packet Inspection) with this case is entered Row tables of data is mated.DPI is the application technology of identification on the basis in various networking products at present, and it is by the rule of certain specification Then grammer, the signature character of application is described, and the load data in packet is packet-by-packet parsed simultaneously with rule signature Coupling, thus reach the function of signature character identification.Certainly, partly counting current data stream can also be adopted in this step The mode being parsed and being mated according to bag, no matter using which kind of mode, can make recognition result more accurate.
Include, with the case of the corresponding enumerator of application, after step A4, can also including walking in application set of tags Rapid A6:
Step A6:In current application set of tags, the value of corresponding for current application enumerator is added one.
If it is confirmed that current data stream belongs to the current application in current application set of tags, such as Baidu, then by Baidu pair The value of the enumerator answered adds one, and the value of this enumerator has meant that Baidu, and within a period of time, (time for example, pre-setting is more In the new cycle) identified number of times.For example, the value of enumerator is 3 then it represents that within update cycle time pre-setting, Baidu has identified 3 times altogether it is understood that being, one has 3 data streams is identified as Baidu's transmission.
If there is not current sessions information in step 402 in original application conversational list, after step 402, Methods described can also include:
Step 404:According to acquiescence recognition sequence, respectively according to each application rule corresponding in described application rule base, Identify which application described current data stream belongs to.
In the present embodiment, if being saved in current data stream in the original application conversational list of application identification equipment preservation Session information, then need all to be mated each application corresponding application rule in application rule base, thus identifying current Which application is data flow belong to.Certainly, in identification, can mate one by one according to the acquiescence recognition sequence pre-setting should With each bar application rule in rule base.Acquiescence recognition sequence can identify one by one according to English alphabet order, for example, first know Other initial is the application corresponding application rule of " A ", and then identification initial is the application corresponding application rule of " B ", with This analogizes.It is, of course, also possible to identify according to the order of any other skilled in the art setting.
Assume to have identified in step 404 complete of the application rule with application " Fructus Mangifera Indicae TV " for the content of current data stream Join, then current data stream belongs to application " Fructus Mangifera Indicae TV ", then can also include:
Step 405:The session information of current data stream and corresponding current application set of tags are added and initially should to described With, in conversational list, wherein, the confidence level in described current application set of tags is default initial value, and the value of described enumerator adds One.
By the session information of current data stream, and corresponding application set of tags is added separately in original application conversational list. Confidence level in corresponding current application set of tags can be initial value, and initial value could be arranged to zero, and the value of enumerator can To be set to one.
For application identification equipment, while execution step 401~step 405, can also include:
Step B:Judge whether to reach the default renewal time cycle, if it is, by described original application conversational list The session information of data flow adding and corresponding application set of tags, send to cloud server.
When default renewal period of time T arrives, T could be arranged to 5 seconds etc., and application identification equipment can be by T In section, in original application conversational list, the new session information adding and corresponding application set of tags send to cloud server, by cloud End server is according to the numerical value of each corresponding enumerator of application in application set of tags, and the value of confidence level, to recalculate each The confidence level of individual application.And then, the confidence level of renewal can also be distributed to each and apply identification equipment by cloud server again.Its In, the application identification session sheet format in high in the clouds is as shown in Figure 5.In fig. 5, it is assumed that a total i application, i is whole more than zero Number, then for application Appid [0], before its renewal of counter records, recognized sum is A0, and renewal previous belief is A0/ (A0+ A1+ ...+Ai) it is assumed that the newly-increased identification number of counter records is N0, then the confidence level that cloud server recalculates is:(A0+ N0)/(A0+A1+ ...+Ai+N0+N1 ...+Ni), by that analogy, after being presented in Fig. 5 the renewal of i-th application Appid [i] The calculation of confidence level.
It should be noted that in actual applications, in order to ensure to apply the recognition efficiency of identification identification, each application identification Equipment can be according to the certain applications conversational list selecting reception cloud server, such as such as, the identification of count pick up device record Front some (such as 1000) bar utility cession records of sum (recognized sum and newly-increased identification number sum before renewal), or Person, only receives the utility cession record that confidence level is more than preset value (such as 0.8), etc..
In this step, if not arriving default period of time T, can continue to execute this step in real time and judged.
After original application conversational list is sent to cloud server by execution step B application identification equipment, can also wrap Include:
Step C:Receive cloud server the returns, session information of data flow of described interpolation and the confidence level of renewal, And according to the confidence level in the confidence level described original application conversational list of renewal of described renewal, and, the confidence level pair that will update The value of the enumerator answered is updated to default initial value.
The session information of data flow that application identification equipment receives cloud server return again, adding and the confidence of renewal Degree, and the confidence level being recalculated according to cloud server updates oneself preservation, the confidence level in original application conversational list, And confidence level is had the value of the corresponding enumerator of application of renewal, and also it is updated to default initial value, such as zero.
It can be seen that, in the embodiment of the present application, application identification equipment preserves original application conversational list, wherein have recorded every Data stream may belong to the confidence level of multiple applications, and the big application possibility of confidence level is just high, therefore, according to confidence level from To mate corresponding application rule in application rule base successively to little order greatly, so that the higher application of confidence level is excellent First mate, once match certain application can terminate to apply identification process, thus improve the efficiency of application identification.And, When carrying out application identification, full packet detection mode can also be adopted, also ensure that the accuracy rate of application identification.
With reference to Fig. 6, show a kind of flow chart of the embodiment of the method sending utility cession table of the application, the present embodiment can To be applied to identify that on the cloud server that equipment is connected, the present embodiment may comprise steps of with multiple applications:
Step 601:Generate multiple original application conversational lists for the plurality of application identification equipment respectively.
In the present embodiment, the original application conversational list on application identification equipment is generated by cloud server.This initially should Can be included with conversational list:The session information of data flow and apply set of tags correspondingly with described session information, wherein, should Can be included with set of tags:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to The probability of one application.The introduction of specific utility cession table may be referred to the embodiment shown in Fig. 4, will not be described here.
In addition, in a kind of possible implementation, in original application conversational list, each applies corresponding confidence level and meter The initial value of number device could be arranged to zero.Then in this case, when default update cycle time T arrives, cloud service Device can recalculate confidence level according to the numerical value of enumerator receiving, updating.Or, in alternatively possible reality In existing mode, each in original application conversational list applies the initial value of corresponding enumerator to could be arranged to zero, and confidence level Initial value can be calculated according to historical identification data.For example, cloud server can be according in past the week The identified number of times of each application, is calculated the initial value of each corresponding confidence level of application according to the mode shown in Fig. 5. Certainly, using which kind of implementation, the application can be realized.
Step 602:By the plurality of original application conversational list, corresponding transmission identifies equipment to the plurality of application respectively.
The multiple original application conversational lists generating are respectively sent to connected multiple application identifications and set by cloud server again Standby.
After step 602, can also include:
Step 603:When arriving the default renewal time cycle, receive the plurality of application identify that equipment sends, add Plus the session information of data flow and interpolation application set of tags.
Between cloud server and multiple application identification equipment, can jointly safeguard a renewal period of time T, in T When being carved into, cloud server can receive within this T moment, in each new utility cession table adding of application identification equipment The session information of data flow, and the application set of tags of corresponding interpolation, the numerical value of such as enumerator.
Step 604:The confidence level including according to the application set of tags of described interpolation and enumerator, calculate target data stream pair In the intended application set of tags answered, each applies corresponding confidence level.
With this, cloud server can recalculate the initial data stream in original application conversational list in the way of according to Fig. 5 For each application confidence level, and, calculate within the T moment new data flow added for each application confidence Degree.
Step 605:By the session information of the confidence level updating and corresponding data flow, send and set to corresponding application identification Standby.
Cloud server will recalculate the confidence level of the renewal obtaining again, and the session information of corresponding data flow, Send and apply identification equipment to each, so that each application identifies putting of each application in renewal of the equipment original application conversational list The initial value of reliability.
In the present embodiment, cloud server generates original application conversational list and is then forwarded to apply identification equipment to be protected Deposit, wherein have recorded the confidence level that every data stream may belong to multiple applications, the big application possibility of confidence level is just high, because This, to mate corresponding application rule in application rule base successively according to confidence level order from big to small, so that putting The higher application priority match of reliability, once match certain application can terminate to apply identification process, thus improve application The efficiency of identification.And, when carrying out application identification, full packet detection mode can also be adopted, also ensure that application identification Accuracy rate.
For aforesaid embodiment of the method, in order to be briefly described, therefore it is all expressed as a series of combination of actions, but Those skilled in the art should know, the application is not limited by described sequence of movement, because according to the application, some Step can be carried out using other orders or simultaneously.Secondly, those skilled in the art also should know, described in the specification Embodiment belong to preferred embodiment, necessary to involved action and module not necessarily the application.
Corresponding with the method that a kind of above-mentioned the application application and identification method embodiment is provided, referring to Fig. 7, the application is also Provide a kind of application identification apparatus embodiments, in the present embodiment, this application identification can include:Original application conversational list and Application rule base;Described original application conversational list includes:The session information of data flow and one-to-one with described session information Application set of tags, described application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing corresponding Data flow belongs to the probability of an application;Described application rule base includes:Multiple application identities and corresponding application rule; Described application identification equipment can include:
Acquiring unit 701, in response to receiving current data stream, obtaining the current sessions letter of described current data stream Breath.
Searching unit 702, for search in described original application conversational list described current sessions information and corresponding work as Front application set of tags.
Wherein, the session information of described data flow includes:Service end IP of data flow, service end port and transport layer association View;Described searching unit 702 can include:Search subelement, current for searching respectively in described original application conversational list Current server IP, current service end port and current transmission layer protocol that session information includes;With first determines that son is single Unit, for being defined as current application set of tags by corresponding for the session information finding application set of tags.
First recognition unit 703, for according to confidence level order from big to small in described current application set of tags, difference Identify which application described current data stream belongs to according to corresponding application rule in described application rule base.
Wherein, described first recognition unit 703 can include:
Second determination subelement, for the application that confidence level in described current application set of tags is maximum, is defined as treating really The current application recognized;Obtain subelement, for obtaining the corresponding current application of described current application from described application rule base Rule;Judgment sub-unit, whether the content for judging described current data stream meets described current application rule;Confirm that son is single Unit, for the result in described judgment sub-unit be in the case of, confirm that described current data stream belongs to and described currently should With;With process subelement, in the case of being no in the result of described judgment sub-unit, according to confidence level from big to small Sequentially, the next application identities in described current application set of tags are defined as described current application to be confirmed, until institute State all application identities in current application set of tags and all search and finish.
Wherein, application set of tags can also include:With the corresponding enumerator of application, described enumerator is used for representing applies quilt The number of times confirming;Then after confirming that described current data stream belongs to described current application, described recognition unit can also wrap Include:Count sub-element, for adding one by the value of corresponding for current application enumerator in current application set of tags.
In actual applications, described application identification equipment can also include:
Second recognition unit 704, for according to acquiescence recognition sequence, respectively according to corresponding each in described application rule base Individual application rule, identifies which application described current data stream belongs to.
With, adding device 705, for by the session information of current data stream and corresponding current application set of tags add to In described utility cession table, wherein, the confidence level in described current application set of tags is default initial value, described enumerator Value Jia one.
In actual applications, described application identification equipment can also include:
Judging unit, is used for judging whether to reach the default renewal time cycle;With the first transmitting element, in institute State judging unit result be in the case of, by the session information of data flow adding in described original application conversational list and right The application set of tags answered sends to cloud server.
Or, in actual applications, described application identification equipment can also include:
First receiving unit, for receiving cloud server return, the session information of the data flow of described interpolation and more New confidence level, and the confidence level in described original application conversational list is updated according to the confidence level of described renewal;With renewal is single Unit, for being updated to default initial value by the value of corresponding for the confidence level of renewal enumerator.
Original application conversational list is preserved, wherein have recorded every data stream may on the application identification equipment of the present embodiment Belong to the confidence level of multiple applications, the big application possibility of confidence level is just high, therefore, according to confidence level order from big to small To mate corresponding application rule in application rule base successively, so that the higher application priority match of confidence level, once Match certain application can terminate to apply identification process, thus improve the efficiency of application identification.And, carry out application identification When, full packet detection mode can also be adopted, also ensure that the accuracy rate of application identification.
With reference to shown in Fig. 8, present invention also provides a kind of cloud server embodiment, in the present embodiment, described high in the clouds Server is connected with multiple applications identification equipment, and this server includes:
Signal generating unit 801, for generating multiple original application conversational lists respectively for the plurality of application identification equipment, described Original application conversational list includes:The session information of data flow and apply set of tags correspondingly with described session information, described Application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to one The probability of individual application.
Second transmitting element 802, for by the plurality of original application conversational list, corresponding transmission is answered to the plurality of respectively With identifying equipment.
Wherein, in actual applications, this cloud server can also include:
Second receiving unit 803, sets for when arriving the default renewal time cycle, receiving the plurality of application identification The session information of data flow that preparation is sent, adding and the application set of tags of interpolation.
Computing unit 804, for the confidence level that includes according to the application set of tags of described interpolation and enumerator, calculates target In data flow corresponding intended application set of tags, each applies corresponding confidence level;Wherein, described target data stream is:Initially should With the initial data stream in conversational list, and, the data flow of described interpolation.
3rd transmitting element 805, for will update confidence level and corresponding data flow session information, send to correspondence Application identification equipment.
Original application conversational list can be sent to each application identification equipment by the cloud server in the present embodiment to be carried out Preserve, wherein have recorded the confidence level that every data stream may belong to multiple applications, the big application possibility of confidence level is just Height, therefore, to mate corresponding application rule in application rule base successively according to confidence level order from big to small, can make Obtain the higher application priority match of confidence level, once match certain application can terminate to apply identification process, thus improve The efficiency of application identification.And, when carrying out application identification, full packet detection mode can also be adopted, also ensure that application is known Other accuracy rate.
Referring to Fig. 9, present invention also provides a kind of application identification system embodiment, in the present embodiment, this system is permissible Identify equipment 90 including shown in Fig. 7, multiple application, and, identify, with the plurality of application, the cloud server 91 that equipment is connected.This Embodiment employs cloud server 91 and identifies that equipment 91 is managed to multiple applications, and carries for multiple application identification equipment 91 For original application conversational list, and after receiving utility cession record that multiple applications identify equipment 91 return, adding, again Calculate the confidence level of each application and be synchronized to the plurality of application identification equipment 91, ensure that each application identification equipment is carried out with this During application identification, accuracy rate is higher.
It should be noted that each embodiment in this specification is all described by the way of going forward one by one, each embodiment weight Point explanation is all difference with other embodiment, between each embodiment identical similar partly mutually referring to. For device class embodiment, due to itself and embodiment of the method basic simlarity, so description is fairly simple, related part ginseng See that the part of embodiment of the method illustrates.
Last in addition it is also necessary to explanation, herein, such as first and second or the like relational terms be used merely to by One entity or operation are made a distinction with another entity or operation, and not necessarily require or imply these entities or operation Between there is any this actual relation or order.And, term " inclusion ", "comprising" or its any other variant meaning Covering comprising of nonexcludability, so that including a series of process of key elements, method, article or equipment not only include that A little key elements, but also include other key elements being not expressly set out, or also include for this process, method, article or The intrinsic key element of equipment.In the absence of more restrictions, the key element being limited by sentence "including a ...", does not arrange Remove and also there is other identical element in the process including described key element, method, article or equipment.
Above application and identification method provided herein and equipment, the method for transmission utility cession table and server are entered Go and be discussed in detail, specific case used herein has been set forth to the principle of the application and embodiment, above enforcement The explanation of example is only intended to help and understands the present processes and its core concept;General technology people simultaneously for this area Member, according to the thought of the application, all will change in specific embodiments and applications, in sum, this explanation Book content should not be construed as the restriction to the application.

Claims (10)

1. it is characterised in that the method is applied to apply on identification equipment, described application identifies equipment to a kind of application and identification method Including:Original application conversational list and application rule base;Described original application conversational list includes:The session information of data flow and with institute State session information and apply set of tags correspondingly, described application set of tags includes:Multiple applications and corresponding confidence level, described Confidence level is used for representing the probability that corresponding data flow belongs to an application;Described application rule base includes:Multiple applications Mark and corresponding application rule;The method includes:
In response to receiving current data stream, obtain the current sessions information of described current data stream;
Search described current sessions information and corresponding current application set of tags in described original application conversational list, if can look into Find, then according to confidence level order from big to small in described current application set of tags, respectively according in described application rule base Corresponding application rule identifies which application described current data stream belongs to.
2. method according to claim 1 is it is characterised in that the session information of described data flow includes:The clothes of data flow Business end IP, service end port and transport layer protocol;Described current sessions information and right is searched in described original application conversational list The current application set of tags answered, including:
Current server IP, the current service end that current sessions information includes is searched respectively in described original application conversational list Port and current transmission layer protocol;
Corresponding for the session information finding application set of tags is defined as current application set of tags.
3. method according to claim 2 it is characterised in that described according to confidence level in described current application set of tags from Arrive greatly little order, identify which described current data stream belongs to according to corresponding application rule in described application rule base respectively One application, including:
By the application that confidence level in described current application set of tags is maximum, it is defined as current application to be confirmed;
Obtain described current application corresponding current application rule from described application rule base;
Judge whether the content of described current data stream meets described current application rule, if it is, confirming described current number Belong to described current application according to stream, if it is not, then the order from big to small according to confidence level, by described current application set of tags In next application identities be defined as described current application to be confirmed, until described current application set of tags in all should All searched with mark and finish.
4. method according to claim 3 is it is characterised in that described application set of tags also includes:With the corresponding meter of application Number device, described enumerator is used for representing the number of times that application is identified;Then belong to described current in the described current data stream of confirmation After application, also include:
In current application set of tags, the value of corresponding for current application enumerator is added one.
If 5. it is characterised in that there is not institute in described original application conversational list in method according to claims 1 to 4 State current sessions information, then methods described also includes:
According to acquiescence recognition sequence, respectively according to each application rule corresponding in described application rule base, identification is described current Which application is data flow belong to.
6. method according to claim 5 is it is characterised in that also include:
The session information of current data stream and corresponding current application set of tags are added to described utility cession table, wherein, Confidence level in described current application set of tags is default initial value, and the value of described enumerator adds one.
7. method according to claim 6 is it is characterised in that also include:
Judge whether to reach the default renewal time cycle, if it is, the data that will add in described original application conversational list The session information of stream and corresponding application set of tags send to cloud server.
8. a kind of method sending utility cession table is it is characterised in that the method is applied to be connected with multiple applications identification equipment Cloud server on, the method includes:
Generate multiple original application conversational lists for the plurality of application identification equipment respectively, described original application conversational list includes: The session information of data flow and apply set of tags correspondingly with described session information, described application set of tags includes:Multiple Application and corresponding confidence level, described confidence level is used for representing the probability that corresponding data flow belongs to an application;
By the plurality of original application conversational list, corresponding transmission identifies equipment to the plurality of application respectively.
9. a kind of application identification equipment is it is characterised in that described application identification equipment includes:Original application conversational list and application rule Then storehouse;Described original application conversational list includes:The session information of data flow and apply mark correspondingly with described session information Label group, described application set of tags includes:Multiple applications and corresponding confidence level, described confidence level is used for representing corresponding data flow Belong to the probability of an application;Described application rule base includes:Multiple application identities and corresponding application rule;Described set Standby inclusion:
Acquiring unit, in response to receiving current data stream, obtaining the current sessions information of described current data stream;
Searching unit, for searching described current sessions information and corresponding current application mark in described original application conversational list Label group;
First recognition unit, for according to confidence level order from big to small in described current application set of tags, respectively according to institute State corresponding application rule in application rule base and identify which application described current data stream belongs to.
10. a kind of cloud server is it is characterised in that described cloud server and multiple applications identification equipment is connected, this service Device includes:
Signal generating unit, for generating multiple original application conversational lists respectively for the plurality of application identification equipment, described initially should Included with conversational list:The session information of data flow and apply set of tags correspondingly with described session information, described application mark Label group includes:Multiple applications and corresponding confidence level, described confidence level is used for representing that corresponding data flow belongs to an application Probability;
Second transmitting element, for by the plurality of original application conversational list, corresponding transmission sets to the plurality of application identification respectively Standby.
CN201610785121.0A 2016-08-31 2016-08-31 Application identification method and device, method for sending application session table and server Active CN106385402B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610785121.0A CN106385402B (en) 2016-08-31 2016-08-31 Application identification method and device, method for sending application session table and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610785121.0A CN106385402B (en) 2016-08-31 2016-08-31 Application identification method and device, method for sending application session table and server

Publications (2)

Publication Number Publication Date
CN106385402A true CN106385402A (en) 2017-02-08
CN106385402B CN106385402B (en) 2021-07-30

Family

ID=57939385

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610785121.0A Active CN106385402B (en) 2016-08-31 2016-08-31 Application identification method and device, method for sending application session table and server

Country Status (1)

Country Link
CN (1) CN106385402B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110580256A (en) * 2018-05-22 2019-12-17 华为技术有限公司 Method, device and system for identifying application identifier

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645892A (en) * 2009-08-26 2010-02-10 成都市华为赛门铁克科技有限公司 Flow detection method and equipment
CN102222199A (en) * 2011-06-03 2011-10-19 奇智软件(北京)有限公司 Method and system for identifying identification of application program
US20140143875A1 (en) * 2012-11-22 2014-05-22 F-Secure Corporation Detecting Application Behavior
CN104520842A (en) * 2012-09-13 2015-04-15 英特尔公司 Method and apparatus for improving user experience
CN104796406A (en) * 2015-03-20 2015-07-22 杭州华三通信技术有限公司 Method and device for identifying application
CN105591973A (en) * 2015-12-31 2016-05-18 杭州数梦工场科技有限公司 Application recognition method and apparatus

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645892A (en) * 2009-08-26 2010-02-10 成都市华为赛门铁克科技有限公司 Flow detection method and equipment
CN102222199A (en) * 2011-06-03 2011-10-19 奇智软件(北京)有限公司 Method and system for identifying identification of application program
CN104520842A (en) * 2012-09-13 2015-04-15 英特尔公司 Method and apparatus for improving user experience
US20140143875A1 (en) * 2012-11-22 2014-05-22 F-Secure Corporation Detecting Application Behavior
CN104796406A (en) * 2015-03-20 2015-07-22 杭州华三通信技术有限公司 Method and device for identifying application
CN105591973A (en) * 2015-12-31 2016-05-18 杭州数梦工场科技有限公司 Application recognition method and apparatus

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110580256A (en) * 2018-05-22 2019-12-17 华为技术有限公司 Method, device and system for identifying application identifier
CN110580256B (en) * 2018-05-22 2022-06-10 华为技术有限公司 Method, device and system for identifying application identification
US11438425B2 (en) 2018-05-22 2022-09-06 Huawei Technologies Co., Ltd. Method, device and system for identifying application identifier

Also Published As

Publication number Publication date
CN106385402B (en) 2021-07-30

Similar Documents

Publication Publication Date Title
CN100563168C (en) application traffic statistical method and device
CN104243240B (en) SDN (self-defending network) flow measuring method based on Open Flow
CN100413290C (en) Method for setting up notification function for route selection according to border gateway protocol
CN105634956B (en) A kind of message forwarding method, device and system
WO2016095516A1 (en) Complex event processing method, apparatus and system
CN106209775B (en) A kind of application type recognition methods of SSL encryption network flow and device
CN106933989A (en) A kind of method of Web realease information system
CN106921572B (en) A kind of method, apparatus and system for propagating qos policy
CN105556916B (en) The information statistical method and device of network flow
CN109213758B (en) Data access method, device, equipment and computer readable storage medium
CN103354528B (en) Method and device for multi-stream synchronization
CN110472502A (en) Depending on method, apparatus, the equipment, medium of lower dangerous goods image detection of networking
CN109743672A (en) A kind of motion profile display methods and device
CN109299742A (en) Method, apparatus, equipment and the storage medium of automatic discovery unknown network stream
CN103281211B (en) Large-scale network node system for managing in groups and management method
CN105871585A (en) Terminal association method and device
CN104994016A (en) Method and apparatus for packet classification
CN110138652A (en) A kind of session updates method, apparatus and client device
CN105991707A (en) Multimedia interaction method, server and system thereof
CN107622064A (en) A kind of method for reading data and system
CN109617830A (en) A kind of method and apparatus regarding real time demonstration business in networking
CN101355585B (en) System and method for protecting information of distributed architecture data communication equipment
CN105357071A (en) Identification method and identification system for network complex traffic
CN114070800A (en) SECS2 traffic rapid identification method combining deep packet inspection and deep stream inspection
CN106385402A (en) Application identification method and device, application session table sending method and server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant