Method and device for restoring network session
Technical Field
The present invention relates to the field of network traffic data packet transmission technologies, and in particular, to a method and an apparatus for restoring a network session.
Background
NetFlow is a unidirectional network flow record format, first developed by Cisco for its routers and switches, that collects the number of packets entering and leaving a network together with their header information. By analysing the information NetFlow collects, network managers can learn the source and destination of packets, the type of network service, and the cause of network congestion. Security analysts use NetFlow traffic for security traceability and as input to machine learning studies.
A network session is an uninterrupted request-response exchange between a session initiator and a session responder, identified by the network five-tuple: source IP, destination IP, source port, destination port and transport-layer protocol. A NetFlow record, however, describes only one direction of traffic: it records the sender and receiver of the packets flowing in that direction, so the two halves of a session appear as two separate records. Deep session analysis on NetFlow therefore first requires restoring the network session from the unidirectional records.
At present, no related technical scheme in the industry can restore the network session based on NetFlow.
Disclosure of Invention
The embodiment of the invention provides a method and a device for restoring a network session, which are used for solving the problem that the network session cannot be restored based on NetFlow in the prior art.
The embodiment of the invention provides a method for restoring a network session, which is applied to electronic equipment and comprises the following steps:
for packet transmission in unidirectional network flow (NetFlow) within a set time length, grouping the packets according to the sender and receiver identification information they carry, and thereby determining each sender-receiver group in the NetFlow;
determining a first network traffic statistic table for each sender-receiver group, the first table containing the identification information of that group's sender and receiver and the packet-related traffic statistic information for the packets the group transmitted in the NetFlow;
for each first network traffic statistic table, looking up the second network traffic statistic table mapped to it, whose sender and receiver are respectively the receiver and sender of the first table, and judging whether the first packet-related traffic statistic information in the first table is greater than the second packet-related traffic statistic information in the second table; if so, determining that the sender in the first table is the network session initiator and its receiver the network session responder, otherwise determining that the sender in the second table is the network session initiator and its receiver the network session responder;
and restoring the network session from each determined pair of network session initiator and network session responder.
Further, the packet-related traffic statistic information includes at least one of the following:
the total number of packets sent by the group's sender, the number of SYN packets sent, the number of distinct source ports and the number of distinct destination ports.
Further, if the packet-related traffic statistic information includes at least two of the total number of packets sent by the group's sender, the number of SYN packets sent, the number of distinct source ports and the number of distinct destination ports, the step of judging whether the first traffic statistic information in the first table is greater than the second traffic statistic information in the second table, and determining the initiator and responder accordingly, comprises:
judging whether each kind of first traffic statistic information in the first network traffic statistic table is respectively greater than the corresponding kind of second traffic statistic information in the second network traffic statistic table, and if so, determining that the sender in the first table is the network session initiator and its receiver the network session responder;
and if each kind of first traffic statistic information in the first table is respectively smaller than the corresponding kind of second traffic statistic information in the second table, determining that the sender in the second table is the network session initiator and its receiver the network session responder.
Further, for each first network traffic statistic table, looking up the second network traffic statistic table mapped to it comprises:
for each first network traffic statistic table, searching, according to the identification information of its sender and receiver, for the network traffic statistic table whose receiver and sender identification information are respectively the same as the sender and receiver identification information of the first table; the table found is the second network traffic statistic table mapped to that first table.
In another aspect, an embodiment of the present invention provides an apparatus for restoring a network session, where the apparatus includes:
a first determining module, configured to group packet transmission in unidirectional network flow (NetFlow) within a set time length according to the sender and receiver identification information carried by the packets, and to determine each sender-receiver group in the NetFlow;
a second determining module, configured to determine a first network traffic statistic table for each sender-receiver group, the first table containing the identification information of that group's sender and receiver and the packet-related traffic statistic information for the packets the group transmitted in the NetFlow;
a third determining module, configured to look up, for each first network traffic statistic table, the second network traffic statistic table mapped to it, whose sender and receiver are respectively the receiver and sender of the first table, and to judge whether the first packet-related traffic statistic information in the first table is greater than the second packet-related traffic statistic information in the second table; if so, to determine that the sender in the first table is the network session initiator and its receiver the network session responder, otherwise to determine that the sender in the second table is the network session initiator and its receiver the network session responder;
and a restoring module, configured to restore the network session from each determined pair of network session initiator and network session responder.
Further, the second determining module is specifically configured to determine a first network traffic statistic table for each sender-receiver group, the first table containing the identification information of that group's sender and receiver and the packet-related traffic statistic information for the packets the group transmitted in the NetFlow; the packet-related traffic statistic information includes at least one of: the total number of packets sent by the group's sender, the number of SYN packets sent, the number of distinct source ports and the number of distinct destination ports.
Further, the third determining module is specifically configured, when the packet-related traffic statistic information includes at least two of the total number of packets sent by the group's sender, the number of SYN packets sent, the number of distinct source ports and the number of distinct destination ports, to judge whether each kind of first traffic statistic information in the first network traffic statistic table is respectively greater than the corresponding kind of second traffic statistic information in the second network traffic statistic table, and if so, to determine that the sender in the first table is the network session initiator and its receiver the network session responder; and if each kind of first traffic statistic information in the first table is respectively smaller than the corresponding kind in the second table, to determine that the sender in the second table is the network session initiator and its receiver the network session responder.
Further, the third determining module is specifically configured, for each first network traffic statistic table, to search, according to the identification information of its sender and receiver, for the network traffic statistic table whose receiver and sender identification information are respectively the same as the sender and receiver identification information of the first table, the table found being the second network traffic statistic table mapped to that first table.
The embodiment of the invention provides a method and a device for restoring a network session, applied to electronic equipment, where the method comprises: for packet transmission in unidirectional network flow (NetFlow) within a set time length, grouping the packets according to the sender and receiver identification information they carry, and thereby determining each sender-receiver group in the NetFlow; determining a first network traffic statistic table for each sender-receiver group, the first table containing the identification information of that group's sender and receiver and the packet-related traffic statistic information for the packets the group transmitted in the NetFlow; for each first network traffic statistic table, looking up the second network traffic statistic table mapped to it, whose sender and receiver are respectively the receiver and sender of the first table, and judging whether the first packet-related traffic statistic information in the first table is greater than the second packet-related traffic statistic information in the second table, if so determining that the sender in the first table is the network session initiator and its receiver the network session responder, otherwise determining that the sender in the second table is the network session initiator and its receiver the network session responder; and restoring the network session from each determined pair of network session initiator and network session responder.
In the embodiment of the invention, for each first network traffic statistic table the second table mapped to it is looked up. Because the packet-related traffic statistic information for packets sent by a session initiator is greater than that for packets sent by the session responder, the magnitude relationship between the first traffic statistic information in the first table and the second traffic statistic information in the second table identifies the network session initiator and responder, and the network session is then restored from each determined pair. The scheme provided by the embodiment of the invention therefore achieves network session restoration based on NetFlow traffic.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a process of restoring a network session according to embodiment 1 of the present invention;
fig. 2 is a schematic flowchart of restoring a network session according to embodiment 3 of the present invention;
fig. 3 is a schematic structural diagram of a device for restoring a network session according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the attached drawings, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1:
fig. 1 is a schematic diagram of a process of restoring a network session according to an embodiment of the present invention, where the process includes the following steps:
S101: for packet transmission in unidirectional network flow (NetFlow) within a set time length, group the packets according to the sender and receiver identification information they carry, and determine each sender-receiver group in the NetFlow.
The method for restoring a network session provided by the embodiment of the invention is applied to electronic equipment, which may be gateway equipment, a network traffic analysis device, or similar.
The electronic equipment presets a time length. Within that time length, packets are transmitted between senders and receivers in the NetFlow; the equipment groups them according to the sender and receiver identification information carried by the packets, and so determines each sender-receiver group in the NetFlow.
Specifically, each transmitted packet carries sender and receiver identification information, which may be the sender's and receiver's IP addresses. From the packet transmission, the sender and receiver IP addresses carried in each packet can be read, and so the senders and receivers that exchanged packets in the NetFlow within the set time length can be determined. The time length set by the electronic equipment may be 5 minutes, 8 minutes, 10 minutes, and so on. Grouping then proceeds per packet: for each packet the equipment determines its sender and receiver, and all packets with the same sender and the same receiver form one sender-receiver group.
For example, suppose that within the set time length the NetFlow shows packets sent from IP address IP1 to IP address IP2, from IP3 to IP4, from IP2 to IP1, and from IP4 to IP3. Four sender-receiver groups can then be determined: sender IP1 with receiver IP2, sender IP3 with receiver IP4, sender IP2 with receiver IP1, and sender IP4 with receiver IP3.
S102: determine a first network traffic statistic table for each sender-receiver group, the first table containing the identification information of that group's sender and receiver and the packet-related traffic statistic information for the packets the group transmitted in the NetFlow.
After determining each sender-receiver group, the electronic equipment determines, for each group, the first network traffic statistic table corresponding to it. The first table contains the identification information of the group's sender and receiver. In addition, from the packet transmission in the NetFlow within the set time length, the packet-related traffic statistic information for the packets that group transmitted can be determined, and the first table contains that information as well. The packet-related traffic statistic information may be, for instance, the number of packets sent by the group's sender and the number of distinct ports used to send them.
S103: for each first network traffic statistic table, look up the second network traffic statistic table mapped to it, whose sender and receiver are respectively the receiver and sender of the first table; judge whether the first packet-related traffic statistic information in the first table is greater than the second packet-related traffic statistic information in the second table; if so, determine that the sender in the first table is the network session initiator and its receiver the network session responder, otherwise determine that the sender in the second table is the network session initiator and its receiver the network session responder.
For each first network traffic statistic table the electronic equipment looks up the second table mapped to it, that is, the table whose receiver and sender are respectively the sender and receiver of the first table. During packet transmission, the packet-related traffic statistic information for packets sent by the network session initiator is greater than that for packets sent by the network session responder. Therefore, for a first table and its mapped second table, the equipment judges whether the first traffic statistic information in the first table is greater than the second traffic statistic information in the second table; if so, the sender in the first table is determined to be the network session initiator and its receiver the network session responder, otherwise the sender in the second table is determined to be the network session initiator and its receiver the network session responder.
For example, for the first network traffic statistic table of sender IP1 and receiver IP2, the mapped second table is that of sender IP2 and receiver IP1. The equipment judges whether the first traffic statistic information in the first table is greater than the second traffic statistic information in the second table; if so, IP1 is determined to be the network session initiator and IP2 the network session responder, otherwise IP2 is determined to be the network session initiator and IP1 the network session responder.
S104: restore the network session from each determined pair of network session initiator and network session responder.
After determining each pair of network session initiator and network session responder, the electronic equipment can restore the network session from each such pair.
In the embodiment of the invention, for each first network traffic statistic table the second table mapped to it is looked up. Because the packet-related traffic statistic information for packets sent by a session initiator is greater than that for packets sent by the session responder, the magnitude relationship between the first traffic statistic information in the first table and the second traffic statistic information in the second table identifies the network session initiator and responder, and the network session is then restored from each determined pair. The scheme provided by the embodiment of the invention therefore achieves network session restoration based on NetFlow traffic.
Example 2:
In order to make the network session restoration more accurate, on the basis of the above embodiment, in an embodiment of the invention the packet-related traffic statistic information includes at least one of:
the total number of packets sent by the group's sender, the number of SYN packets sent, the number of distinct source ports and the number of distinct destination ports.
From the packet transmission in the NetFlow within the set time length, the electronic equipment can determine, for each sender-receiver group, the total number of packets sent by the sender, the number of SYN packets sent, the number of distinct source ports used to send the packets and the number of distinct destination ports on the receiver that the packets were sent to.
When determining the network session initiator and responder, the electronic equipment may use one of these four kinds of traffic statistic information, for example the magnitude relationship between the total number of packets sent by the sender in the first table and in the mapped second table; or it may use two or three kinds, for example the total number of packets sent, the number of SYN packets sent and the number of distinct source ports in the first table and in the mapped second table. Preferably, to make the determination of initiator and responder, and hence the restoration of the session, more accurate, all four kinds are used: the total number of packets sent by the sender, the number of SYN packets sent, the number of distinct source ports and the number of distinct destination ports.
In this embodiment of the invention, if the packet-related traffic statistic information includes at least two of the total number of packets sent by the group's sender, the number of SYN packets sent, the number of distinct source ports and the number of distinct destination ports, the step of judging whether the first traffic statistic information in the first table is greater than the second traffic statistic information in the second table, and determining the initiator and responder accordingly, comprises:
judging whether each kind of first traffic statistic information in the first network traffic statistic table is respectively greater than the corresponding kind of second traffic statistic information in the second network traffic statistic table, and if so, determining that the sender in the first table is the network session initiator and its receiver the network session responder;
and if each kind of first traffic statistic information in the first table is respectively smaller than the corresponding kind of second traffic statistic information in the second table, determining that the sender in the second table is the network session initiator and its receiver the network session responder.
When at least two kinds of traffic statistic information are used, the equipment must judge whether each kind of first traffic statistic information in the first table is respectively greater than the corresponding kind of second traffic statistic information in the second table; if so, the sender in the first table is the network session initiator and its receiver the network session responder. If each kind of first traffic statistic information in the first table is respectively smaller than the corresponding kind in the second table, the sender in the second table is the network session initiator and its receiver the network session responder.
The following describes the process of restoring a network session according to four kinds of quantity information: the total number of data packets sent by the sender, the number of syn data packets sent, the number of non-repeating source ports and the number of non-repeating destination ports.
For each first network traffic statistics table, the electronic device looks up the second network traffic statistics table mapped to it and checks whether the four values contained in the first table (the total number of data packets sent by the group's sender, the number of syn data packets sent, the number of non-repeating source ports and the number of non-repeating destination ports) are each greater than the corresponding four values contained in the second table. If so, the sender in the first table is the network session initiator and the receiver is the network session responder. If instead each of the four values in the first table is smaller than the corresponding value in the second table, the sender in the second table is the network session initiator and the receiver is the network session responder.
If only some of the four values in the first table are greater than the corresponding values in the second table, the network session initiator and the network session responder cannot be determined from the senders and receivers in those two tables.
For example, from the data packet transmission in Netflow within the set time length, the electronic device determines that in the first network traffic statistics table the total number of data packets sent by the group's sender is 200, the number of syn data packets sent is 120, the number of non-repeating source ports is 10 and the number of non-repeating destination ports is 8. If in the second network traffic statistics table mapped to that first table the total number of data packets sent by the group's sender is 150, the number of syn data packets sent is 60, the number of non-repeating source ports is 6 and the number of non-repeating destination ports is 3, then each of the four values in the first table is greater than the corresponding value in the second table, and the sender in the first table is determined to be the network session initiator and the receiver the network session responder.
In the embodiment of the present invention, the traffic statistics related to the data packets include at least one of the following: the total number of data packets sent by the group's sender, the number of syn data packets sent, the number of non-repeating source ports and the number of non-repeating destination ports. Determining the network session initiator and responder from all four of these statistics together makes the determination more accurate, so that the network session is restored more accurately.
Example 3:
On the basis of the foregoing embodiments, in an embodiment of the present invention, searching, for each first network traffic statistics table, for the second network traffic statistics table mapped to it includes:
for each first network traffic statistics table, according to the identification information of the sender and the receiver in that table, searching for a network traffic statistics table whose receiver and sender identification information are respectively the same as the sender and receiver identification information in the first table; the table found is the second network traffic statistics table mapped to the first table.
When searching for the second network traffic statistics table mapped to a first network traffic statistics table, the electronic device uses the identification information of the sender and the receiver in the first table. It first reads the sender and receiver identification information from the first table, then searches for a network traffic statistics table whose receiver identification information equals the first table's sender identification information and whose sender identification information equals the first table's receiver identification information; that table is the second network traffic statistics table mapped to the first table.
For example, if the sender identification information in the first network traffic statistics table is IP1 and the receiver identification information is IP2, then the network traffic statistics table whose receiver identification information is IP1 and whose sender identification information is IP2 is the second network traffic statistics table mapped to the first table.
In addition, before searching for the mapped second table, the electronic device may copy each first network traffic statistics table to obtain each second network traffic statistics table; for example, each first table is T1_A and each second table is T1_B. For each first table, the condition for finding its mapped second table is: the sender identification information in T1_A is the same as the receiver identification information in T1_B, and the receiver identification information in T1_A is the same as the sender identification information in T1_B. A second network traffic statistics table mapped to the first table can be found according to this condition.
The process of restoring a network session is described below with a specific example.
Fig. 2 is a schematic flow diagram of restoring a network session. As shown in Fig. 2, the first network traffic statistics table and the second network traffic statistics table each contain the sender identification information srcip, the receiver identification information disip, the non-repeating source port count count_distinct_src, the total packet count count_request, the syn packet count count_syn and the non-repeating destination port count count_positive_dstport, where the sender identification information in the first table is the same as the receiver identification information in the second table, and the receiver identification information in the first table is the same as the sender identification information in the second table.
It is then judged whether the total number of data packets sent by the group's sender, the number of syn data packets sent, the number of non-repeating source ports and the number of non-repeating destination ports contained in the first table are each greater than the corresponding values contained in the second table; if so, the sender in the first table is determined to be the network session initiator and the receiver the network session responder. If each of those four values in the first table is smaller than the corresponding value in the second table, the sender in the second table is determined to be the network session initiator and the receiver the network session responder. Fig. 2 illustrates the case in which the sender in the first network traffic statistics table is determined to be the network session initiator and the receiver the network session responder. The network session is then restored according to the determined network session initiator and responder.
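The grouping, table lookup and four-way comparison described above, as an added illustration that is not the patent's own code: it builds one statistics table per (sender, receiver) pair from constructed unidirectional flow records, finds the reverse-direction table, and applies the strict "all four greater / all four smaller" rule. The record layout, field names and IP addresses are assumptions; the second pair shows the undetermined case, since in a fully symmetric TCP exchange the distinct source and destination port counts of the two directions mirror each other and the strict comparison cannot decide.

```python
from collections import defaultdict

# Constructed unidirectional flow records, one per flow, not taken from the
# patent: (srcip, dstip, srcport, dstport, packets, syn_packets).
FLOWS = [
    # 10.0.0.5 reaches 10.0.0.80:443 and retries two ports that never answer
    ("10.0.0.5", "10.0.0.80", 51000, 443, 12, 1),
    ("10.0.0.5", "10.0.0.80", 51001, 8443, 2, 2),
    ("10.0.0.5", "10.0.0.80", 51002, 9000, 2, 2),
    ("10.0.0.80", "10.0.0.5", 443, 51000, 9, 0),
    # a single fully symmetric TCP exchange: port counts mirror each other
    ("10.0.0.7", "10.0.0.80", 40000, 80, 5, 1),
    ("10.0.0.80", "10.0.0.7", 80, 40000, 4, 0),
    # one-way UDP traffic with no reverse-direction table at all
    ("10.0.0.9", "10.0.0.53", 33000, 53, 3, 0),
]


def build_stats_tables(flows):
    """Group records by (sender, receiver) and build the statistics table for
    each group as (total packets, syn packets, distinct source ports,
    distinct destination ports)."""
    acc = defaultdict(lambda: [0, 0, set(), set()])
    for srcip, dstip, sport, dport, pkts, syn in flows:
        row = acc[(srcip, dstip)]
        row[0] += pkts
        row[1] += syn
        row[2].add(sport)
        row[3].add(dport)
    return {k: (v[0], v[1], len(v[2]), len(v[3])) for k, v in acc.items()}


def compare_tables(first, second):
    """"first" if every statistic of the first table is strictly greater than
    the mapped second table's, "second" if every one is strictly smaller,
    None when only some are (initiator cannot be determined)."""
    if all(a > b for a, b in zip(first, second)):
        return "first"
    if all(a < b for a, b in zip(first, second)):
        return "second"
    return None


def restore_sessions(flows):
    """Return ({(ip_a, ip_b): (initiator, responder)}, [(pair, reason), ...])."""
    tables = build_stats_tables(flows)
    sessions, undetermined, seen = {}, [], set()
    for (srcip, dstip), first in tables.items():
        pair = tuple(sorted((srcip, dstip)))
        if pair in seen:
            continue
        seen.add(pair)
        # the mapped table is the one whose sender/receiver are the reverse
        second = tables.get((dstip, srcip))
        if second is None:
            undetermined.append((pair, "no mapped table"))
            continue
        verdict = compare_tables(first, second)
        if verdict == "first":
            sessions[pair] = (srcip, dstip)
        elif verdict == "second":
            sessions[pair] = (dstip, srcip)
        else:
            undetermined.append((pair, "partial"))
    return sessions, undetermined


if __name__ == "__main__":
    found, left = restore_sessions(FLOWS)
    for init, resp in found.values():
        print(f"session restored: initiator {init} -> responder {resp}")
    for pair, why in left:
        print(f"{pair}: undetermined ({why})")
```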
The method for restoring a network session provided by the embodiment of the invention can splice unidirectional Netflow into a network session having a network session initiator and a network session responder, solves the problem that deep network session analysis cannot be performed on the basis of Netflow, and is the foundation of Netflow-based network session analysis research. In addition, in DFI technology, for Netflow covering a large range and a long period, sampling at a stable rate does not change the flow statistics characteristics of the Netflow, where the flow statistics include the total number of data packets sent by the sender, the number of syn data packets sent, the number of non-repeating source ports and the number of non-repeating destination ports. Therefore, the method for restoring a network session provided by the embodiment of the invention is also applicable to sampled Netflow.
Fig. 3 is a schematic structural diagram of an apparatus for restoring a network session according to an embodiment of the present invention, where the apparatus includes:
the first determining module 31 is configured to, for data packet transmission in unidirectional network flow Netflow within a set time length, perform grouping according to identification information of a sender and a receiver carried by a data packet in the Netflow, and determine each group of the sender and the receiver in the Netflow;
a second determining module 32, configured to determine a first network traffic statistic table corresponding to each group of the sender and the receiver, where the first network traffic statistic table includes identification information of the corresponding group of the sender and the receiver, and traffic statistic information related to data packets transmitted by the group of the sender and the receiver in the Netflow;
a third determining module 33, configured to look up, for each first network traffic statistics table, the second network traffic statistics table mapped to it, and to judge whether the first traffic statistics related to the data packets contained in the first table are greater than the second traffic statistics related to the data packets contained in the second table; if so, the sender in the first table is determined to be the network session initiator and the receiver the network session responder, otherwise the sender in the second table is determined to be the network session initiator and the receiver the network session responder, where the sender and the receiver in the second table are the same as the receiver and the sender in the first table;
and the restoring module 34 is configured to restore the network session according to each pair of the determined network session initiator and the determined network session responder.
The second determining module 32 is specifically configured to determine the first network traffic statistics table corresponding to each group of sender and receiver, where the first table contains the identification information of that group's sender and receiver and the traffic statistics related to the data packets transmitted by that group in the Netflow; the packet-related traffic statistics include at least one of: the total number of data packets sent by the group's sender, the number of synchronous (syn) data packets sent, the number of non-repeating source ports and the number of non-repeating destination ports.
The third determining module 33 is specifically configured to, when the packet-related traffic statistics include at least two of the total number of data packets sent by the group's sender, the number of syn data packets sent, the number of non-repeating source ports and the number of non-repeating destination ports, judge whether each kind of first traffic statistic contained in the first network traffic statistics table is greater than the corresponding kind of second traffic statistic contained in the second network traffic statistics table, and if so, determine that the sender in the first table is the network session initiator and the receiver the network session responder; and if each kind of first traffic statistic in the first table is smaller than the corresponding second traffic statistic in the second table, determine that the sender in the second table is the network session initiator and the receiver the network session responder.
The third determining module 33 is further specifically configured to, for each first network traffic statistics table, search according to the sender and receiver identification information in that table for a network traffic statistics table whose receiver and sender identification information are respectively the same as the sender and receiver identification information in the first table; the table found is the second network traffic statistics table mapped to the first table.
The embodiment of the invention provides a method and a device for restoring a network session, which are applied to electronic equipment, wherein the method comprises the following steps: aiming at data packet transmission in unidirectional network flow Netflow within a set time length, grouping according to identification information of a sender and a receiver carried by the data packet in the Netflow, and determining each group of the sender and the receiver in the Netflow; determining a first network flow statistical table corresponding to each group of the sender and the receiver, wherein the first network flow statistical table comprises identification information of the corresponding group of the sender and the receiver and flow statistical information which is transmitted by the group of the sender and the receiver in the Netflow and is related to a data packet; for each first network traffic statistical table, searching a second network traffic statistical table mapped by the first network traffic statistical table, and judging whether first traffic statistical information related to a data packet contained in the first network traffic statistical table is greater than second traffic statistical information related to the data packet contained in the second network traffic statistical table, if so, determining that a sender in the first network traffic statistical table is a network session initiator and a receiver is a network session responder, otherwise, determining that the sender in the second network traffic statistical table is the network session initiator and the receiver is the network session responder, wherein the sender and the receiver in the second network traffic statistical table are the same as the receiver and the sender in the first network traffic statistical table; and restoring the network session according to each pair of the determined network session initiator and the determined network session responder. 
In the embodiment of the present invention, for each first network traffic statistic table, a second network traffic statistic table mapped by the first network traffic statistic table is searched, and traffic statistic information related to a data packet sent by a network session initiator is greater than traffic statistic information related to a data packet sent by a network session responder, so that according to a magnitude relationship between first traffic statistic information related to a data packet contained in the first network traffic statistic table and second traffic statistic information related to a data packet contained in the second network traffic statistic table, a network session initiator and a network session responder can be determined, and further, a network session is restored according to each pair of determined network session initiator and network session responder. Therefore, the scheme provided by the embodiment of the invention can realize the network session restoration based on the NetFlow flow.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.