CN117221242A - Network flow direction identification method, device and medium - Google Patents

Info

Publication number
CN117221242A
Authority
CN
China
Prior art keywords
mac address
flow
bipartite graph
flow direction
traffic
Legal status
Pending
Application number
CN202311129589.0A
Other languages
Chinese (zh)
Inventor
牟一林
马晓东
胡邦强
柳亚磊
Current Assignee
Anhui Manyin Technology Co ltd
Original Assignee
Anhui Manyin Technology Co ltd
Application filed by Anhui Manyin Technology Co ltd
Priority to CN202311129589.0A
Publication of CN117221242A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network traffic direction identification method, device and medium. The method comprises: acquiring the MAC addresses of all access traffic and the communication relationships between those MAC addresses; establishing at least one MAC address bipartite graph from the MAC addresses and communication relationships; screening, from the access traffic corresponding to each MAC address bipartite graph, first traffic whose direction is deterministic; and identifying the direction of all access traffic from all MAC address bipartite graphs and the first traffic corresponding to each. With this scheme the direction of global network traffic can be identified effectively, the maintenance cost of global traffic direction identification is reduced, and its accuracy and efficiency are improved.

Description

Network flow direction identification method, device and medium
Technical Field
The present invention relates to the field of computer network security, and in particular to a network traffic direction identification method, device and medium.
Background
With the explosive growth of unknown network applications, the volume of unknown traffic has increased sharply, and the hidden risks carried by this mass of unknown traffic cannot be ignored. In the various traffic analysis scenarios at the ingress and egress boundaries of large regional networks, the analysis system must judge traffic direction reliably in order to address security problems such as network threats or data leakage.
In the related art, the direction of network traffic is determined mainly in three ways: from local area network Internet Protocol (IP) addresses, from the physical Media Access Control (MAC) addresses or IP addresses of internal network assets, or from a direction learned per MAC address. All three place demanding conditions on the network environment: when both sides of the network boundary contain public addresses as well as internal asset addresses, or when little learnable traffic is available, the direction cannot be determined effectively. How to judge the network boundary and identify traffic direction efficiently and accurately is therefore a technical problem shared by current traffic analysis systems.
Disclosure of Invention
In view of the above, the invention provides a network traffic direction identification method, device and medium that solve the problem of traffic direction not being effectively determinable during traffic analysis, adapt better to varying network environments, reduce maintenance cost, and improve the accuracy and efficiency of traffic direction identification.
Based on the above objects, an aspect of the embodiments of the present invention provides a network traffic direction identification method comprising the following steps:
acquiring the MAC addresses of all access traffic and the communication relationships between those MAC addresses;
establishing at least one MAC address bipartite graph from the MAC addresses and communication relationships;
screening, from the access traffic corresponding to each MAC address bipartite graph, first traffic whose direction is deterministic;
and identifying the direction of all access traffic from all MAC address bipartite graphs and the first traffic corresponding to each.
In some embodiments, establishing at least one MAC address bipartite graph from the MAC addresses and communication relationships includes:
taking each MAC address as a node and each communication relationship as an edge, and establishing at least one MAC address bipartite graph.
In some embodiments, screening first traffic with deterministic direction from the access traffic corresponding to each MAC address bipartite graph includes:
establishing, according to the application scenario, a local direction judgement library containing at least one identification policy;
and, based on the identification policies in the local direction judgement library, screening from the access traffic of each MAC address bipartite graph the first traffic whose direction is deterministic.
In some embodiments, identifying the direction of all access traffic from all MAC address bipartite graphs and the first traffic of each includes:
dividing all MAC addresses contained in each MAC address bipartite graph into a first MAC address set and a second MAC address set lying in two different network areas, and determining the first direction of the corresponding first traffic;
identifying, from the first direction, the first MAC address set and the second MAC address set of each MAC address bipartite graph, the direction of the access traffic corresponding to that graph;
and obtaining the direction of all access traffic from the directions of the access traffic corresponding to all MAC address bipartite graphs.
In some embodiments, identifying the direction of the access traffic corresponding to each MAC address bipartite graph from its first direction, first MAC address set and second MAC address set includes:
for each MAC address bipartite graph, building, with a union-find (disjoint-set) algorithm, a first MAC address union-find set over the first MAC address set and a second MAC address union-find set over the second MAC address set;
acquiring the extranet MAC address and the intranet MAC address of the first traffic in each MAC address bipartite graph, determining through the first and second union-find sets which of the first and second MAC address sets of that graph each of those two addresses belongs to (the matching relationship), and determining whether the first direction is inbound or outbound;
and identifying the direction of the access traffic corresponding to each MAC address bipartite graph from the matching relationship and from whether the first direction is inbound or outbound.
In some embodiments, identifying the direction of the access traffic corresponding to each MAC address bipartite graph from the matching relationship and from whether the first direction is inbound or outbound includes:
for each MAC address bipartite graph, if the first direction is outbound and the extranet MAC address lies in the first MAC address set and/or the intranet MAC address lies in the second MAC address set, marking the direction of the access traffic corresponding to that graph as flowing from the second MAC address set to the first MAC address set.
In some embodiments, the same step includes:
for each MAC address bipartite graph, if the first direction is outbound and the intranet MAC address lies in the first MAC address set and/or the extranet MAC address lies in the second MAC address set, marking the direction of the access traffic corresponding to that graph as flowing from the first MAC address set to the second MAC address set.
In some embodiments, the same step includes:
for each MAC address bipartite graph, if the first direction is inbound and the extranet MAC address lies in the first MAC address set and/or the intranet MAC address lies in the second MAC address set, marking the direction of the access traffic corresponding to that graph as flowing from the first MAC address set to the second MAC address set.
In some embodiments, the same step includes:
for each MAC address bipartite graph, if the first direction is inbound and the intranet MAC address lies in the first MAC address set and/or the extranet MAC address lies in the second MAC address set, marking the direction of the access traffic corresponding to that graph as flowing from the second MAC address set to the first MAC address set.
In yet another aspect of the embodiments of the present invention, there is also provided a computer device comprising at least one processor and a memory storing a computer program executable on the processor which, when executed by the processor, performs the steps of the method above.
In yet another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method steps described above.
The invention has at least the following beneficial technical effects: the MAC addresses and communication relationships of all access traffic are analysed in advance to form at least one MAC address bipartite graph, so the MAC addresses of all traffic can be grouped or partitioned quickly; at the same time, first traffic whose direction can be identified is screened from the access traffic of each MAC address bipartite graph, and from the first traffic of each graph together with all the graphs the direction of global network traffic is identified quickly. This forms a direction judgement capability for global traffic, reduces the maintenance cost of global traffic direction identification, and improves its accuracy and efficiency.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person skilled in the art can obtain other embodiments from them without inventive effort.
FIG. 1 is a flowchart of a network traffic direction identification method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an embodiment of a network traffic direction identification method according to the present invention;
FIG. 3 is a schematic diagram of a computer device according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an embodiment of a computer-readable storage medium according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
It should be noted that, in the embodiments of the present invention, the expressions "first" and "second" are used only to distinguish two entities that share a name but differ as entities or in their parameters; they are used for convenience of expression, should not be construed as limiting the embodiments of the invention, and this is not repeated for each embodiment below.
Based on the above object, a first aspect of the embodiments of the present invention provides an embodiment of a network traffic direction identification method. As shown in FIG. 1, it includes the following steps:
S100, acquiring the MAC addresses of all access traffic and the communication relationships between them.
S200, establishing at least one MAC address bipartite graph from the MAC addresses and communication relationships.
S300, screening first traffic with deterministic direction from the access traffic corresponding to each MAC address bipartite graph.
S400, identifying the direction of all access traffic from all MAC address bipartite graphs and the first traffic corresponding to each.
By this method the MAC addresses of all access traffic and their communication relationships are analysed in advance to form at least one MAC address bipartite graph, so that the MAC addresses of all traffic can be grouped or partitioned quickly; first traffic whose direction can be identified is screened from the access traffic of each graph, and the direction of global traffic is identified from the first traffic of each graph together with all graphs. This forms a direction judgement capability for global traffic, reduces the maintenance cost of global traffic direction identification, and improves its accuracy and efficiency.
Step S200 specifically includes:
S210, taking each MAC address as a node and each communication relationship as an edge, and establishing at least one MAC address bipartite graph.
At a network boundary, MAC addresses represent a large number of network assets stably and with wide coverage. During traffic analysis, the MAC addresses in all access traffic and the communication relationships between them are extracted; with MAC addresses as nodes and communication relationships as edges, at least one undirected graph is built, and each undirected graph is then partitioned into a MAC address bipartite graph, giving at least one MAC address bipartite graph. All MAC addresses in a MAC address bipartite graph can be divided unambiguously, on the basis of its edges, into the sets of two network areas. Such a two-way split exists only for a connected component that contains no odd cycle; at a boundary where every observed frame crosses from one side to the other this holds, and an edge that would place two addresses on the same side indicates a MAC address that is not a plain boundary endpoint and should be flagged rather than assigned silently.
By this method, a global MAC address bipartite graph can be formed through only a short period of MAC address analysis during traffic analysis, so an identification capability for global traffic direction is formed quickly, the maintenance cost of global direction identification is reduced, and its accuracy and efficiency are improved.
Step S300 specifically includes:
S310, establishing, according to the application scenario, a local direction judgement library containing at least one identification policy.
S320, based on the identification policies in the local direction judgement library, screening first traffic with deterministic direction from the access traffic corresponding to each MAC address bipartite graph.
One or more identification policies capable of identifying traffic direction locally are configured for the application scenario. These policies do not need to cover the direction of global traffic, but they must have a high match probability and identify direction accurately. The optimal policies differ between network boundary environments and can be configured flexibly for the scenario.
The traffic direction is either inbound or outbound. The inbound direction (the "inline" or internal connection direction) covers communication initiated by an extranet asset towards an intranet asset; the outbound direction (the "external connection" direction) covers communication initiated by an intranet asset towards an extranet asset.
In some embodiments, the identification policies may include, without limitation, one or more of the following:
1. In an intranet environment, treat accesses to an extranet Domain Name System (DNS) server, which are outbound with high probability, as outbound traffic, or treat traffic initiated from a local area network IP address as outbound traffic.
2. In an environment with fixed network assets on a known side, such as servers, interfaces or network devices, identify traffic direction from the side on which the fixed asset lies.
3. In an environment with a network service interface whose access direction is known, identify traffic direction from the access direction of that interface.
4. In an environment where one side is known to be a particular regional network, identify traffic direction from the communication behaviour of IP addresses outside that region; for example, traffic initiated from an IP address outside Sichuan province towards an address inside Sichuan province is treated as inbound traffic.
Once one or more identification policies are configured, the local direction judgement library is ready. The access traffic is analysed, the traffic matching a policy in the library is screened out as the first traffic, and at the same time the direction result for that first traffic is obtained and the first traffic is marked with its direction.
When all direction results are placed on the MAC address bipartite graph, a result that disagrees with the majority of results, that is, a minority of direction results that conflict with the other results in the same MAC address bipartite graph, can be detected automatically, and the identification policy in the local direction judgement library that produced the erroneous result can be flagged with a warning so that the responsible engineers find and correct it in time.
By this method the local direction judgement library is built from configured identification policies, access traffic is analysed, and traffic whose direction can be identified is obtained; only a small amount of traffic, or traffic in a local part of the network, has to be related to the library for the direction of global traffic to follow. In most application scenarios the local library is simpler, clearer and more stable to implement, and a large set of direction judgement methods or network asset area judgement methods need not be maintained, which greatly reduces the maintenance cost of global direction identification; at the same time, erroneous identification policies can be found and eliminated in time on the basis of the MAC address bipartite graph, which guarantees the accuracy of global direction identification.
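The local direction judgement library of S310 and S320 and the example policies listed above, as an added illustration that is not code from the patent: a small Python rule set that labels only the flows it is sure about and leaves everything else undecided. The Flow fields, the rule names, the fixed-asset inventory entry and the sample flows are constructed assumptions; policies 3 and 4 (interface direction, regional IP) are left out because they need an external inventory or geolocation source. The LAN check is RFC 1918 only, because Python's ipaddress.is_private would also classify the TEST-NET ranges used here as stand-in public addresses as private.

```python
"""Local direction judgement library (S310/S320): a few screening rules that
label only the flows they are sure about and leave the rest undecided.

Added example, not code from the patent. Flow fields, rule names, the fixed
asset inventory and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

OUTBOUND = "outbound"   # intranet asset -> extranet asset ("external connection")
INBOUND = "inbound"     # extranet asset -> intranet asset ("inline")

# RFC 1918 only: Python's is_private would also treat the TEST-NET ranges
# used as stand-in public addresses in the sample below as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str          # "udp" or "tcp"


Rule = Callable[[Flow], Optional[str]]


def is_lan(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def rule_dns_to_public(f: Flow) -> Optional[str]:
    """Policy 1: a LAN host querying an extranet DNS server is outbound."""
    if f.proto == "udp" and f.dst_port == 53 and is_lan(f.src_ip) and not is_lan(f.dst_ip):
        return OUTBOUND
    return None


def rule_lan_initiated(f: Flow) -> Optional[str]:
    """Policy 1, second form: traffic from a LAN IP to a non-LAN IP is outbound."""
    if is_lan(f.src_ip) and not is_lan(f.dst_ip):
        return OUTBOUND
    return None


# Policy 2: assets known to sit on the intranet side (assumed inventory entry).
FIXED_INTRANET_ASSETS = frozenset({"10.0.0.10"})


def rule_fixed_asset(f: Flow) -> Optional[str]:
    """Policy 2: direction follows from the side the fixed asset is on."""
    if f.dst_ip in FIXED_INTRANET_ASSETS:
        return INBOUND
    if f.src_ip in FIXED_INTRANET_ASSETS:
        return OUTBOUND
    return None


# Order matters: the first rule that decides a flow wins.
LOCAL_LIBRARY: list[tuple[str, Rule]] = [
    ("dns_to_public", rule_dns_to_public),
    ("fixed_asset", rule_fixed_asset),
    ("lan_initiated", rule_lan_initiated),
]


def screen_first_traffic(flows, library=LOCAL_LIBRARY):
    """Return {flow_index: (direction, rule_name)} for the flows a rule decides.

    Flows no rule matches are left out deliberately: the library needs high
    precision on what it labels, not global coverage; the bipartite graph
    propagates these few labels to the rest of each component.
    """
    decided = {}
    for i, f in enumerate(flows):
        for name, rule in library:
            direction = rule(f)
            if direction is not None:
                decided[i] = (direction, name)
                break
    return decided


# Constructed sample at a boundary where both sides carry LAN and non-LAN
# addresses, so IP alone cannot decide every flow (idx 2 stays undecided).
SAMPLE_FLOWS = [
    Flow("aa:00:00:00:00:01", "bb:00:00:00:00:01", "10.0.0.5", "203.0.113.53", 53, "udp"),    # idx 0
    Flow("bb:00:00:00:00:02", "aa:00:00:00:00:02", "203.0.113.7", "10.0.0.10", 443, "tcp"),   # idx 1
    Flow("aa:00:00:00:00:03", "bb:00:00:00:00:03", "198.51.100.9", "192.0.2.20", 80, "tcp"),  # idx 2
    Flow("aa:00:00:00:00:04", "bb:00:00:00:00:04", "172.16.3.3", "192.0.2.21", 22, "tcp"),    # idx 3
]

if __name__ == "__main__":
    for idx, (direction, name) in screen_first_traffic(SAMPLE_FLOWS).items():
        print(idx, direction, "via", name)
```

Rule order is part of the library's configuration: a broad rule such as lan_initiated placed first would claim the DNS flow before the more specific rule sees it, which matters when the warning mechanism described above has to name the policy that produced a wrong label.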
Step S400 specifically includes:
S410, for each MAC address bipartite graph, dividing all MAC addresses it contains into a first MAC address set and a second MAC address set lying in two different network areas, and determining the first direction of the corresponding first traffic.
S420, identifying, from the first direction, the first MAC address set and the second MAC address set of each MAC address bipartite graph, the direction of the access traffic corresponding to that graph.
S430, obtaining the direction of all access traffic from the directions of the access traffic corresponding to all MAC address bipartite graphs.
The MAC addresses and communication relationships of all access traffic are pre-analysed to obtain at least one MAC address bipartite graph, and the MAC addresses of each graph are divided into the MAC address sets of two different network areas. The network areas may be an extranet area and an intranet area; the MAC address set of the intranet area contains intranet MAC addresses, and the set of the extranet area contains extranet MAC addresses. The two MAC address sets represent the sets of network assets in the areas on the two sides of the network boundary. Once all MAC addresses of each MAC address bipartite graph are divided into the sets of the two network areas and the direction of the first traffic of each graph is determined, the direction of the access traffic corresponding to each graph follows, and when it has been determined for all MAC address bipartite graphs, direction identification of the global traffic is complete.
By this method, the MAC address sets of the different network areas are formed for each MAC address bipartite graph during traffic analysis and the direction of the first traffic of the graph is determined, so an identification capability for global traffic direction is formed quickly, the maintenance cost of global direction identification is reduced, and its accuracy and efficiency are improved.
Step S420 specifically includes:
S421, for each MAC address bipartite graph, building, with a union-find (disjoint-set) algorithm, a first MAC address union-find set over the first MAC address set and a second MAC address union-find set over the second MAC address set.
S422, acquiring the extranet MAC address and the intranet MAC address of the first traffic in each MAC address bipartite graph, determining through the first and second union-find sets which of the first and second MAC address sets of that graph each of the two addresses belongs to, and determining whether the first direction is inbound or outbound.
S423, identifying the direction of the access traffic corresponding to each MAC address bipartite graph from the matching relationship and from whether the first direction is inbound or outbound.
A union-find tree is built for each of the two area MAC address sets of each MAC address bipartite graph, giving the union-find set of each area's MAC address set, that is, the first MAC address union-find set over the first MAC address set and the second MAC address union-find set over the second MAC address set.
At the same time, the extranet MAC address and the intranet MAC address of the first traffic of each MAC address bipartite graph are acquired. The first and second union-find sets are queried to find which MAC address set contains the extranet MAC address and which contains the intranet MAC address, giving the matching relationship between those two addresses and the first and second MAC address sets of the corresponding graph. The direction of every access flow of each graph is then identified from the matching relationship and the direction of the first traffic.
By this method, the matching relationship between the extranet and intranet MAC addresses of the first traffic and the first and second MAC address sets is determined, so the first traffic, whose direction is known, is learned by the first and second MAC address sets and the direction of the access traffic corresponding to each MAC address bipartite graph is identified. A direction identification capability for global traffic is thus formed quickly, the maintenance cost of global direction identification is reduced, and its accuracy and efficiency are improved.
The step 423 specifically includes:
s4231, for each MAC address bipartite graph, if the first traffic direction is the external connection direction, and the external network MAC address is located in the first MAC address set and/or the internal network MAC address is located in the second MAC address set, marking the traffic direction of the access traffic corresponding to the MAC address bipartite graph as the traffic direction flowing from the second MAC address set to the first MAC address set.
S4232, for each MAC address bipartite graph, if the first traffic direction is the external connection direction, and the internal network MAC address is located in the first MAC address set and/or the external network MAC address is located in the second MAC address set, marking the traffic direction of the access traffic corresponding to the MAC address bipartite graph as the traffic direction flowing from the first MAC address set to the second MAC address set.
S4233, for each MAC address bipartite graph, if the first traffic direction is the inline direction, and the external network MAC address is located in the first MAC address set and/or the internal network MAC address is located in the second MAC address set, marking the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the first MAC address set to the second MAC address set.
S4234, for each MAC address bipartite graph, if the first flow direction is the inline direction, and the intranet MAC address is located in the first MAC address set and/or the extranet MAC address is located in the second MAC address set, marking the flow direction of the access flow corresponding to the MAC address bipartite graph as the flow direction from the second MAC address set to the first MAC address set.
And respectively matching the external network MAC address and the internal network MAC address corresponding to the first flow with the deterministic flow direction with the MAC address sets in different network areas. When the MAC address set is determined to include the external network MAC address corresponding to the first flow, the MAC address set and the external network MAC address are determined to have a matching relationship. When the MAC address set is determined to comprise the intranet MAC address corresponding to the first flow, the matching relationship between the MAC address set and the intranet MAC address is determined. And further marking the flow direction of the access flow corresponding to the corresponding MAC address bipartite graph according to the situation between the matching relation and the first flow direction, and determining the flow direction situation of the global flow when marking the flow directions of the access flows corresponding to all the MAC address bipartite graphs is completed.
Based on the pre-analysis of the communication relevance of all the access flows, an MAC address bipartite graph is established, the MAC addresses in the network are divided into two different MAC address sets, and then the area where the MAC addresses of all the access flows corresponding to the MAC address bipartite graph are located can be judged only by judging the area of any MAC address in any one MAC address set. That is, when only the external network MAC address of the first traffic is confirmed to be located in the first MAC address set, it can be determined that all MAC addresses included in the first MAC address set are external network MAC addresses and all MAC addresses included in the second MAC address set are internal network MAC addresses.
When the first flow direction is the external connection direction and the external network MAC address is confirmed to lie in the first MAC address set and/or the internal network MAC address is confirmed to lie in the second MAC address set, the flow direction of the access flows corresponding to the MAC address bipartite graph is marked as the direction from the second MAC address set to the first MAC address set.
When the first flow direction is the external connection direction and the external network MAC address is confirmed to lie in the second MAC address set and/or the internal network MAC address is confirmed to lie in the first MAC address set, the flow direction of the access flows corresponding to the MAC address bipartite graph is marked as the direction from the first MAC address set to the second MAC address set.
When the first flow direction is the inline direction and the external network MAC address is confirmed to lie in the first MAC address set and/or the internal network MAC address is confirmed to lie in the second MAC address set, the flow direction of the access flows corresponding to the MAC address bipartite graph is marked as the direction from the first MAC address set to the second MAC address set.
When the first flow direction is the inline direction and the external network MAC address is confirmed to lie in the second MAC address set and/or the internal network MAC address is confirmed to lie in the first MAC address set, the flow direction of the access flows corresponding to the MAC address bipartite graph is marked as the direction from the second MAC address set to the first MAC address set.
After the flow directions of the access flows corresponding to all MAC address bipartite graphs have been marked, each subsequent access flow is assigned to a MAC address bipartite graph by analysing its MAC addresses and communication relationship; the matching relationship of its two MAC addresses with the first MAC address set and the second MAC address set of that graph is determined; and, according to that matching relationship, its flow direction is marked as the flow direction of the access flows corresponding to that MAC address bipartite graph.
In this network flow direction identification method, the matching relationship between the external and internal network MAC addresses corresponding to the first flow and the first and second MAC address sets is determined, so that the first and second MAC address sets learn the direction from the network flows whose direction can be determined. The flows of every MAC address in the first and second MAC address sets are then identified from this learning result, so that subsequent flow direction identification can be performed. This quickly forms a flow direction identification capability for the global traffic, reduces the maintenance cost of global network flow direction identification, and at the same time improves its accuracy and efficiency.
In some embodiments, a schematic diagram of the network flow direction identification method is shown in fig. 2. The method in this embodiment comprises preparing a local flow direction judgment library, a flow learning step, and a MAC address direction confirmation step. The flow learning step and the MAC address direction confirmation step run continuously on the ongoing flow analysis, so that once the network environment changes (for example, a MAC address changes), the change is promptly exposed in the MAC address bipartite graph produced by the flow analysis; the MAC address bipartite graph can thus be maintained continuously, keeping the flow direction identification capability of the method in step with the actual network environment.
In this network flow direction identification method, the MAC addresses of all access flows and their communication relationships are analysed in advance to form at least one MAC address bipartite graph, so that the MAC addresses of all flows can be quickly grouped or partitioned. At the same time, the first flow whose flow direction can be identified is screened out of the access flows corresponding to each MAC address bipartite graph, and the flow direction of the global network traffic is identified quickly on the basis of the first flow of each MAC address bipartite graph and all the MAC address bipartite graphs together. This forms a flow direction judgment capability for the global traffic, reduces the maintenance cost of global network flow direction identification, and at the same time improves its accuracy and efficiency.
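As an added worked example (not code from the patent or its applicant), the following Python puts the method described above together end to end: the MAC address bipartite graphs are built with a parity union-find (the disjoint-set structure the claims call a union-find set), one first flow per graph is screened by an assumed identification policy that knows the MAC addresses of the site's border gateways, the four marking rules above decide which set is the external network, and every subsequent flow is then labelled by set membership. The flow list, the gateway list and all MAC addresses are constructed sample values; the names `ParityUnionFind`, `screen_first_flow`, `mark_graph`, `learn_directions` and `classify_flow` are this example's own. A subsequent flow whose two MAC addresses fall on the same side of their graph is reported as a conflict, which is the signal for re-learning that the continuous-maintenance embodiment describes.

```python
from collections import defaultdict

# Constructed sample access flows as (source MAC, destination MAC);
# none of these values come from the patent.
FLOWS = [
    ("aa:00:00:00:00:01", "ff:ee:00:00:00:10"),  # host 1 -> gateway A
    ("aa:00:00:00:00:02", "ff:ee:00:00:00:10"),  # host 2 -> gateway A
    ("ff:ee:00:00:00:10", "aa:00:00:00:00:03"),  # gateway A -> host 3
    ("aa:00:00:00:00:02", "ff:ee:00:00:00:11"),  # host 2 -> gateway B (unknown to the policy)
    ("bb:00:00:00:00:01", "ff:ee:00:00:00:20"),  # second graph: host -> gateway C
]

# Assumed "local flow direction judgment library" with one identification policy:
# the MAC addresses of the site's border gateways (constructed values).
KNOWN_GATEWAY_MACS = {"ff:ee:00:00:00:10", "ff:ee:00:00:00:20"}

OUTBOUND = "external connection direction"  # internal host -> external network
INBOUND = "inline direction"                # external network -> internal host


class ParityUnionFind:
    """Union-find in which each node also stores its side (0 or 1) relative to
    its parent, so "a and b lie on opposite sides" can be recorded and an odd
    cycle (a non-bipartite component) is detected at insertion time."""

    def __init__(self):
        self.parent = {}
        self.parity = {}

    def add(self, x):
        if x not in self.parent:
            self.parent[x] = x
            self.parity[x] = 0

    def find(self, x):
        """Return (root, side of x relative to root), compressing the path."""
        if self.parent[x] == x:
            return x, 0
        root, p = self.find(self.parent[x])
        self.parity[x] ^= p          # parity is now relative to the root
        self.parent[x] = root
        return root, self.parity[x]

    def join_opposite(self, a, b):
        """Record that a and b communicate, i.e. lie on opposite sides.
        Returns False when that contradicts the partition built so far."""
        self.add(a)
        self.add(b)
        ra, pa = self.find(a)
        rb, pb = self.find(b)
        if ra == rb:
            return pa != pb
        self.parent[ra] = rb
        self.parity[ra] = pa ^ pb ^ 1  # chosen so that side(a) != side(b)
        return True


def build_bipartite_graphs(flows):
    """Nodes are MAC addresses, edges are communication relationships.
    Returns one (first_set, second_set) pair per connected component."""
    uf = ParityUnionFind()
    for src, dst in flows:
        if not uf.join_opposite(src, dst):
            raise ValueError(f"flow {src} -> {dst} breaks the two-area assumption")
    sides = defaultdict(lambda: (set(), set()))
    for mac in list(uf.parent):
        root, side = uf.find(mac)
        sides[root][side].add(mac)
    return [(frozenset(a), frozenset(b)) for a, b in sides.values()]


def screen_first_flow(flows):
    """Identification policy: a flow touching a known gateway MAC has a
    deterministic direction. Returns (external MAC, internal MAC, direction)
    for the first such flow, or None if the policy matches nothing."""
    for src, dst in flows:
        if dst in KNOWN_GATEWAY_MACS and src not in KNOWN_GATEWAY_MACS:
            return dst, src, OUTBOUND
        if src in KNOWN_GATEWAY_MACS and dst not in KNOWN_GATEWAY_MACS:
            return src, dst, INBOUND
    return None


def mark_graph(first, second, ext_mac, int_mac, first_direction):
    """The four marking rules of the description, applied to one graph."""
    ext_in_first = ext_mac in first or int_mac in second
    external, internal = (first, second) if ext_in_first else (second, first)
    if first_direction == OUTBOUND:
        direction = "second -> first" if ext_in_first else "first -> second"
    else:
        direction = "first -> second" if ext_in_first else "second -> first"
    return {"direction": direction, "external": external, "internal": internal}


def learn_directions(graphs, flows):
    """Flow learning step: mark every graph in which a first flow was found."""
    marks = {}
    for i, (first, second) in enumerate(graphs):
        members = first | second
        seed = screen_first_flow([(s, d) for s, d in flows if s in members and d in members])
        if seed is not None:
            marks[i] = mark_graph(first, second, *seed)
    return marks


def classify_flow(src, dst, graphs, marks):
    """Direction confirmation for a subsequent flow by set membership.
    'conflict' means the two MACs are not on opposite sides of their graph,
    i.e. the environment changed and the graph must be re-learned."""
    for i, (first, second) in enumerate(graphs):
        if src in first | second or dst in first | second:
            if i not in marks:
                return "unlearned"
            if src in marks[i]["internal"] and dst in marks[i]["external"]:
                return OUTBOUND
            if src in marks[i]["external"] and dst in marks[i]["internal"]:
                return INBOUND
            return "conflict"
    return "unknown"


if __name__ == "__main__":
    graphs = build_bipartite_graphs(FLOWS)
    marks = learn_directions(graphs, FLOWS)
    for i, mark in marks.items():
        print(i, mark["direction"], sorted(mark["external"]), sorted(mark["internal"]))
    print(classify_flow("aa:00:00:00:00:03", "ff:ee:00:00:00:11", graphs, marks))
```

Note how gateway B (`ff:ee:00:00:00:11`) is never named in the policy, yet the flow from host 3 to it is labelled outbound: membership in the graph's external set was learned from the single seeded flow to gateway A, which is the propagation the description relies on.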
According to another aspect of the present invention, as shown in fig. 3, according to the same inventive concept, an embodiment of the present invention further provides a computer device 30, in which the computer device 30 includes a processor 310 and a memory 320, the memory 320 storing a computer program 321 executable on the processor, and the processor 310 executing the steps of the method as above.
According to another aspect of the present invention, as shown in fig. 4, based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium 40, the computer-readable storage medium 40 storing a computer program 410 which when executed by a processor performs the above method.
Finally, it should be noted that, as will be appreciated by those skilled in the art, all or part of the procedures in implementing the methods of the embodiments described above may be implemented by a computer program for instructing relevant hardware, and the program may be stored in a computer readable storage medium, and the program may include the procedures of the embodiments of the methods described above when executed. The storage medium of the program may be a magnetic disk, an optical disk, a read-only memory (ROM), a random-access memory (RAM), or the like. The computer program embodiments described above may achieve the same or similar effects as any of the method embodiments described above.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. The foregoing embodiment of the present invention has been disclosed with reference to the number of embodiments for the purpose of description only, and does not represent the advantages or disadvantages of the embodiments. Furthermore, although elements of the disclosed embodiments may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that as used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
Those of ordinary skill in the art will appreciate that: the above discussion of any embodiment is merely exemplary and is not intended to imply that the scope of the disclosure of embodiments of the invention, including the claims, is limited to such examples; combinations of features of the above embodiments or in different embodiments are also possible within the idea of an embodiment of the invention, and many other variations of the different aspects of the embodiments of the invention as described above exist, which are not provided in detail for the sake of brevity. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the embodiments should be included in the protection scope of the embodiments of the present invention.

Claims (11)

1. A method for identifying a network flow direction, comprising:
acquiring MAC addresses of all access flows, and acquiring a communication relationship between the MAC addresses;
establishing at least one MAC address bipartite graph based on the MAC address and the communication relation;
screening first flow with deterministic flow direction from the access flow corresponding to each MAC address bipartite graph;
and identifying the flow directions of all access flows based on all the MAC address bipartite graphs and the first flows corresponding to all the MAC address bipartite graphs.
2. The method of claim 1, wherein the step of establishing at least one MAC address bipartite graph based on the MAC addresses and the communication relationship comprises:
and taking the MAC address as a node, taking the communication relationship as a connecting line, and establishing at least one MAC address bipartite graph.
3. The method according to claim 2, wherein the step of screening the first traffic having the deterministic traffic direction from the access traffic corresponding to each MAC address bipartite graph, respectively, comprises:
according to the application scene, establishing a local flow direction judging library containing at least one identification strategy;
and based on the identification strategy in the local flow direction judging library, respectively screening first flow with deterministic flow direction from the access flow corresponding to each MAC address bipartite graph.
4. The method of claim 3, wherein the step of identifying traffic directions of all access traffic based on all MAC address bipartite graphs and the first traffic corresponding to each MAC address bipartite graph comprises:
dividing all MAC addresses contained in each MAC address bipartite graph into a first MAC address set and a second MAC address set which are positioned in two different network areas, and determining a first traffic direction of corresponding first traffic;
based on a first flow direction, a first MAC address set and a second MAC address set of each MAC address bipartite graph, identifying the flow direction of access flow corresponding to each MAC address bipartite graph respectively;
and obtaining the flow direction of all the access flows based on the flow directions of the access flows respectively corresponding to all the MAC address bipartite graphs.
5. The method of claim 4, wherein the step of identifying the flow direction of the access flow corresponding to each MAC address bipartite graph based on the first flow direction, the first MAC address set and the second MAC address set of each MAC address bipartite graph comprises:
for each MAC address bipartite graph, establishing a first MAC address union-find set for the first MAC address set and a second MAC address union-find set for the second MAC address set based on a union-find (disjoint-set) algorithm;
acquiring an external network MAC address and an internal network MAC address corresponding to the first flow in each MAC address bipartite graph, determining, based on the first MAC address union-find set and the second MAC address union-find set, the matching relationship of the external network MAC address and the internal network MAC address with the first MAC address set and the second MAC address set of the corresponding MAC address bipartite graph respectively, and determining whether the first flow direction is an inline direction or an external connection direction;
and identifying the flow direction of the access flow corresponding to each MAC address bipartite graph based on the matching relationship and whether the first flow direction is an inline direction or an external connection direction.
6. The method of claim 5, wherein the step of identifying the flow direction of the access flow corresponding to each MAC address bipartite graph based on the matching relationship and whether the first flow direction is an inline direction or an external connection direction comprises:
and for each MAC address bipartite graph, if the first flow direction is the external connection direction, and the external network MAC address is positioned in the first MAC address set and/or the internal network MAC address is positioned in the second MAC address set, marking the flow direction of the access flow corresponding to the MAC address bipartite graph as the flow direction from the second MAC address set to the first MAC address set.
7. The method of claim 5, wherein the step of identifying the flow direction of the access flow corresponding to each MAC address bipartite graph based on the matching relationship and whether the first flow direction is an inline direction or an external connection direction comprises:
and for each MAC address bipartite graph, if the first flow direction is the external connection direction, and the internal network MAC address is positioned in the first MAC address set and/or the external network MAC address is positioned in the second MAC address set, marking the flow direction of the access flow corresponding to the MAC address bipartite graph as the flow direction from the first MAC address set to the second MAC address set.
8. The method of claim 5, wherein the step of identifying the flow direction of the access flow corresponding to each MAC address bipartite graph based on the matching relationship and whether the first flow direction is an inline direction or an external connection direction comprises:
and for each MAC address bipartite graph, if the first flow direction is an inline direction, and the external network MAC address is positioned in the first MAC address set and/or the internal network MAC address is positioned in the second MAC address set, marking the flow direction of the access flow corresponding to the MAC address bipartite graph as the flow direction from the first MAC address set to the second MAC address set.
9. The method of claim 5, wherein the step of identifying the flow direction of the access flow corresponding to each MAC address bipartite graph based on the matching relationship and whether the first flow direction is an inline direction or an external connection direction comprises:
and for each MAC address bipartite graph, if the first flow direction is an inline direction, and the internal network MAC address is positioned in the first MAC address set and/or the external network MAC address is positioned in the second MAC address set, marking the flow direction of the access flow corresponding to the MAC address bipartite graph as the flow direction from the second MAC address set to the first MAC address set.
10. A computer device, comprising:
at least one processor; and
a memory storing a computer program executable on the processor, wherein the processor performs the steps of the method of any one of claims 1 to 9 when the program is executed.
11. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, performs the steps of the method according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311129589.0A CN117221242A (en) 2023-09-01 2023-09-01 Network flow direction identification method, device and medium


Publications (1)

Publication Number Publication Date
CN117221242A true CN117221242A (en) 2023-12-12

Family

ID=89043517


Country Status (1)

Country Link
CN (1) CN117221242A (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101202652A (en) * 2006-12-15 2008-06-18 北京大学 Device for classifying and recognizing network application flow quantity and method thereof
CN103036733A (en) * 2011-10-09 2013-04-10 上海城际互通通信有限公司 Unconventional network access behavior monitoring system and monitoring method
CN105591765A (en) * 2014-10-20 2016-05-18 中国电信股份有限公司 Flow positioning method, device and system
CN105790960A (en) * 2014-12-24 2016-07-20 中国电信股份有限公司 Traffic identification method and system and traffic gateway
CN105871847A (en) * 2016-04-01 2016-08-17 国网江苏省电力公司电力科学研究院 Intelligent substation network abnormal flow detection method
CN106452940A (en) * 2016-08-22 2017-02-22 中国联合网络通信有限公司重庆市分公司 Method and device for identifying Internet business flow ownership
CN106686630A (en) * 2016-12-30 2017-05-17 南京理工大学 Mobile cellular network flow recognizing method based on network delay feature
CN110572325A (en) * 2019-09-06 2019-12-13 成都深思科技有限公司 NAT router flow identification method
WO2020062390A1 (en) * 2018-09-25 2020-04-02 深圳先进技术研究院 Network traffic classification method and system, and electronic device
CN111683162A (en) * 2020-06-09 2020-09-18 福建健康之路信息技术有限公司 IP address management method and device based on flow identification
US20210344589A1 (en) * 2017-12-29 2021-11-04 Wangsu Science & Technology Co., Ltd. Method, server, and system for data stream redirecting
CN113904804A (en) * 2021-09-06 2022-01-07 河南信大网御科技有限公司 Intranet safety protection method, system and medium based on behavior strategy
CN114143049A (en) * 2021-11-18 2022-03-04 北京明略软件***有限公司 Abnormal flow detection method, abnormal flow detection device, storage medium and electronic equipment
CN116210209A (en) * 2020-09-21 2023-06-02 Vm维尔股份有限公司 Allocating additional bandwidth to resources in a data center through deployment of dedicated gateways


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐玉华 et al.: "Research progress on anomalous traffic detection in software-defined networks", Journal of Software (软件学报), vol. 31, no. 1, 31 January 2019 (2019-01-31), pages 183 - 205 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination