WO2023284809A1 - Device identification method, apparatus and system - Google Patents


Info

Publication number
WO2023284809A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
data flow
terminal
type
analyzer
Application number
PCT/CN2022/105623
Other languages
French (fr)
Chinese (zh)
Inventor
徐威旺
薛莉
刘文倩
吴俊�
张亮
Original Assignee
华为技术有限公司
Priority claimed from CN202111024391.7A (published as CN115701028A)
Application filed by 华为技术有限公司
Publication of WO2023284809A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks

Definitions

  • the present application relates to the field of communication technologies, and in particular to a method, device and system for device identification.
  • IoT Internet of Things
  • DDoS distributed denial-of-service attacks
  • the present application provides a method, device and system for device identification, which help to identify the device type of a terminal device and reduce the consumption of network resources for device identification.
  • a device identification method is provided, which is executed by a network device that forwards packets for a terminal device.
  • the network device acquires the data flow statistics information of the terminal device, and when a condition is satisfied, sends the data flow statistics information of the terminal device to the analyzer, so that the analyzer can identify the device type of the terminal device.
  • the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  • the network device sends the data flow statistics information of the terminal device to the analyzer, so that the analyzer can identify the device type of the terminal device, after which a corresponding security protection policy can be implemented for that device type.
  • the probability of the device type of the terminal device changing is very small. If the terminal device is a terminal device that has come online again, the device type of the terminal device may have changed.
  • the network device only sends the data flow statistics information of the terminal device whose device type is unknown or has come back online to the analyzer. This avoids bandwidth consumption by traffic statistics for end devices whose device types are known and are always online. The consumption of network resources by device identification is reduced.
  • the analyzer can obtain data flow statistical information of a large number of terminal devices of unknown device types, and obtain a high-precision device identification model based on the data flow statistical information of a large number of terminal devices of unknown device types. This method does not reduce the accuracy of device identification.
  • the network device determines whether the device type of the terminal device is unknown according to the identifier of the terminal device corresponding to the known device type.
  • an identifier of a terminal device corresponding to a known device type may be stored in the network device. If the identifier of the terminal device corresponding to the known device type does not include the identifier of the terminal device, the network device determines that the device type of the terminal device is unknown.
  • the network device determines whether the device type of the terminal device is unknown according to the asset library.
  • the asset library is used to record the device type and the identifier of the terminal device corresponding to the device type.
  • the network device determines that the device type of the terminal device is unknown.
  • the network device judges whether the terminal device is a re-online terminal device according to the historical traffic volume of the terminal device.
  • the terminal device is a terminal device that has come online again.
  • the network device receives a message from the analyzer, and updates the identifier of the terminal device corresponding to the known device type based on the message.
  • the message includes the identifier of the terminal device.
  • after identifying the device type of the terminal device, the analyzer sends a message informing the network device that the device type of the terminal device is known, and the network device stores the device identifier of the terminal device. As long as the terminal device does not go offline, the network device no longer sends the data flow statistics information of that terminal device to the analyzer. That is, as more and more terminal devices are identified, the network resources consumed by device identification keep decreasing.
  • the network device receives a message from the analyzer, and updates the asset library based on the message.
  • the message includes the device type of the terminal device and the identifier of the terminal device.
  • after identifying the device type of the terminal device, the analyzer sends a message informing the network device of the device type of the terminal device.
  • the network device adds the device type and the identifier of the terminal device to the asset library. As long as the terminal device does not go offline, the network device no longer sends the data flow statistics information of that terminal device to the analyzer. That is, as more and more terminal devices are identified, the network resources consumed by device identification keep decreasing.
  • the data flow statistics information of the terminal device includes a source Internet Protocol (Internet Protocol, IP) address or a destination IP address of at least one data flow of the terminal device.
  • IP Internet Protocol
  • the data flow statistical information of the terminal device further includes one or more of the following: the traffic size of at least one data flow of the terminal device within the second time window, the number of data packets of at least one data flow of the terminal device within the second time window, and the size of each data packet of at least one data flow of the terminal device within the second time window.
  • the identifier of the terminal device includes an IP address of the terminal device.
  • the terminal device includes an IoT device of the Internet of Things.
  • a device identification apparatus in a second aspect includes a plurality of functional modules, all of which may be software modules, hardware modules, or a combination of software and hardware modules; the functional modules may be divided differently in different implementations, so as to implement the method of the first aspect and its various embodiments.
  • a device identification device in a third aspect, includes a processor and memory.
  • a program is stored in the memory, and the processor is configured to execute the program stored in the memory to implement the device identification method provided in the first aspect or any possible implementation manner of the first aspect.
  • a device identification system in a fourth aspect, includes a device identification device and an analyzer.
  • the device identification apparatus is configured to implement the device identification method provided in the first aspect or any possible implementation manner of the first aspect.
  • the analyzer is configured to receive the data flow statistical information of the terminal device sent by the device identification device, and identify the device type of the terminal device according to the data flow statistical information of the terminal device.
  • the analyzer is further configured to send a message to the device identification device, where the message includes the identifier of the terminal device.
  • the analyzer is further configured to send a message to the device identification apparatus, where the message includes the identifier of the terminal device and the device type of the terminal device.
  • a computer-readable storage medium includes instructions, which, when run on a computer, cause the computer to execute the device identification method provided in the first aspect or any possible implementation manner of the first aspect.
  • a computer program product including instructions is provided. When it runs on a computer, the computer is made to execute the device identification method provided by the first aspect or any possible implementation manner of the first aspect.
  • FIG. 1 is a schematic diagram of an implementation environment involved in an embodiment of the present application.
  • FIG. 2 is a flow chart of a device identification method provided in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of an asset library provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of the logic structure of a device identification apparatus provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of the hardware structure of a device identification apparatus provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a device identification system provided by an embodiment of the present application.
  • FIG. 1 shows a schematic diagram of an implementation environment involved in an embodiment of the present application.
  • the implementation environment includes a communication network 100.
  • the communication network 100 includes a plurality of terminal devices and a plurality of network devices, and the plurality of terminal devices access the Internet (internet) or intranet (intranet) through corresponding network devices to access services provided by the service server.
  • the terminal devices 101-102 are connected to the network device 111.
  • the terminal devices 103-104 are connected to the network device 112.
  • the terminal device 105 is connected to the network device 113.
  • the network device 111 connects the terminal devices 101-102 to the Internet or intranet through the network device 121, so that the terminal devices 101-102 can access related services, for example, services provided by the service server 131.
  • the network device 112 connects the terminal devices 103-104 to the Internet or intranet through the network device 121, so that the terminal devices 103-104 can access related services, for example, services provided by the service server 131.
  • the network device 113 connects the terminal device 105 to the Internet/Intranet, so that the terminal device 105 can access related services, for example, services provided by the service server 131 .
  • the terminal device is an IoT device.
  • End devices can be of various types.
  • a terminal device may be an automated teller machine (automated teller machine, ATM), a self-service inquiry terminal, a card issuer, an intelligent counter, or a camera.
  • the terminal device 101 and the terminal device 103 may be ATMs.
  • the terminal device 102 and the terminal device 104 may be cameras.
  • the terminal device 105 may be a card issuer.
  • the network device may be various types of devices.
  • a network device may be a switch, router, wireless access point, base station, etc.
  • the network device 111 may be a wireless access point, and the terminal devices 101-102 access the network device 111 through a wireless local area network.
  • the network device 112 may be a switch, and the terminal devices 103-104 access the network device 112 through a wired access manner.
  • the network device 113 may be a base station, and the terminal device 105 accesses the network device 113 through a cellular network.
  • the network device 121 may be a router.
  • the network devices 111-113 are directly connected to the terminal devices, so the network devices 111-113 may also be called access devices.
  • the network device 121 is not directly connected to the terminal devices but forwards the packets of the terminal devices sent on by the access devices; the network device 121 may also be called an aggregation device.
  • the service server 131 may be various types of devices.
  • the service server 131 may be a physical server, a physical server cluster, a virtual machine or a virtual machine cluster, and the like.
  • the service server 131 can be deployed in a public cloud, a private cloud, or an enterprise data center.
  • the service server can provide various services, for example, video service, deposit and withdrawal service, and so on.
  • the communication network 100 needs to identify the device type of each terminal device, so that a corresponding security protection policy can be implemented for each type of terminal device. Identifying the device type of a terminal device is also known as asset inventory: the types of device assets are taken stock of by identifying the device type of each terminal device.
  • the communication network 100 may further include an analyzer 141.
  • the analyzer 141 may receive the data flow statistical information of the terminal device sent by the network device, and identify the device type of the terminal device according to the data flow statistical information.
  • the network device may be an access device or an aggregation device.
  • the analyzer 141 may be deployed in a public cloud, a private cloud, an enterprise data center, or an enterprise headquarters campus network.
  • the analyzer 141 may be a server, a server cluster, a virtual machine or a virtual machine cluster, and the like.
  • the analyzer 141 may also be a network device with computing capabilities.
  • the network device with computing capability is deployed in the data center of the enterprise or the headquarters campus network of the enterprise.
  • An embodiment of the present application provides a method for device identification.
  • the network device close to the terminal device obtains the data flow statistics information of the terminal device, and when the device type of the terminal device is unknown or the terminal device has come online again, the network device sends the data flow statistics information of the terminal device to an analyzer.
  • the analyzer identifies the device type of the terminal device based on the data flow statistics information of the terminal device. After identifying the device type of the terminal device, the analyzer sends the identifier of the terminal device, or the identifier and device type of the terminal device to the network device.
  • the network device close to the terminal device may be an access device or a convergence device.
  • the data flow statistical information of the terminal device is acquired by a network device close to the terminal device, so the data flow statistical information can reflect all access behaviors of the terminal device.
  • the network device will send the data flow statistics information of the terminal device to the analyzer. That is, the analyzer can obtain data flow statistical information of a large number of unknown types of terminal devices, and the data flow statistical information can reflect all access behaviors of the terminal devices. Therefore, the analyzer can also train or update the device recognition model based on this to improve the accuracy of device recognition.
  • the network device will not send the data flow statistics of terminal devices of known device types that are not offline to the analyzer.
  • FIG. 2 shows a flow chart of a device identification method provided by an embodiment of the present application. Including the following steps:
  • Step 201 the network device acquires data flow statistics information of the terminal device.
  • the network device may be an access device or an aggregation device.
  • an access device is a network device directly connected to the terminal device.
  • an aggregation device is a network device that is not directly connected to the terminal device but through which the data flows of the terminal device must pass.
  • the terminal device may be the terminal device 101
  • the access device may be the network device 111
  • the aggregation device may be the network device 121.
  • the terminal device 101 accesses the network through the network device 111, so the network device 111 is necessarily able to obtain the data flow statistics information of the terminal device 101.
  • although the network device 121 is not directly connected to the terminal device 101, the packets of the terminal device 101 must be forwarded through the network device 121, so the network device 121 is also able to obtain the data flow statistics information of the terminal device 101.
  • the data flows of different types of terminal devices have different characteristics. For example, a camera has almost no downlink traffic, while its uplink traffic is continuous and relatively large; the data flows of an ATM, by contrast, occur irregularly and carry very little traffic.
  • the analyzer distinguishes different terminal devices based on their data flow statistics. Therefore, the data flow statistical information includes statistics that reflect the service characteristics of the terminal device.
  • the data flow statistics information includes one or more of the following: the number of data flows of the terminal device within a time window, the traffic size of the terminal device within the time window, the number of data packets of the terminal device within the time window, the size of each data packet of the terminal device within the time window, the header information of each data flow of the terminal device within the time window, the traffic size of each data flow of the terminal device within the time window, the number of packets of each data flow of the terminal device within the time window, and the size of each packet of each data flow of the terminal device within the time window.
  • the header information of the data stream includes tuples of the data stream.
  • a tuple of data streams may be a quintuple of data streams.
  • the five-tuple of the data stream includes the source IP address, destination IP address, source port, destination port, and protocol type of the data stream.
  • the data flow statistical information may also include directional information of the data flow, for example, uplink or downlink.
  • the data flow received by the network device from the port close to the terminal device is an uplink data flow, otherwise, it is a downlink data flow.
  • the network device obtains the data flow statistics information of the terminal device. For example, the network device collects the data flow transmitted through the network device, and obtains statistical information of the data flow within the time window.
  • the network device can distinguish the data flows of different terminal devices within the time window based on the identifier of the terminal device.
  • the identifier of the terminal device includes the IP address of the terminal device.
  • the network device may distinguish data flows of different terminal devices within a time window based on the source IP address of the uplink data flow or the destination IP address of the downlink data flow. Uplink data flows with the same source IP address or downlink data flows with the same destination IP address are data flows belonging to the same terminal device.
  • the time window may be 5 minutes.
  • the network device calculates the data flow statistics information of each terminal device within each 5 minutes to obtain the data flow statistics information of each terminal device within the time window.
  • the network device can always obtain the data flow statistics information of the terminal device. For example, the network device acquires data flow statistics information of each terminal device in each time window starting from a specified time (for example, when the network device starts running, or a time configured by an administrator). For example, the network device acquires data flow statistics information every 5 minutes from the start of operation, and the data flow statistics information includes data flow statistics information of each terminal device that has data flows within the 5 minutes.
  • the network device can also obtain the data flow statistics information of the terminal device according to predetermined requirements. For example, according to the configuration of the administrator, the network device obtains data flow statistics information every half hour, and the data flow statistics information obtained each time includes each terminal device with data flow within a time window (for example, 5 minutes) data flow statistics.
  • the data flow statistics information of the terminal device can also be obtained by other devices.
  • the data flow statistics of the terminal device may be obtained by a network probe attached alongside the network device.
  • the access device 111 in FIG. 1 may have a network probe attached in bypass, and the network probe has computing capability.
  • the access device 111 mirrors the data flows to the network probe, and the network probe calculates the data flow statistical information of each terminal device within the time window from the mirrored data flows.
  • Step 202 when the condition is met, the network device sends the data flow statistics information of the terminal device to the analyzer.
  • the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  • the network device sends the data flow statistics information of the terminal device to the analyzer.
  • the conditions include: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  • the network device sends the data flow statistics information of the terminal device to the analyzer, so as to trigger the analyzer to identify the device type of the terminal device.
  • the network device may determine whether the terminal device is a terminal device of a known device type in various ways. For example, the identifiers of terminal devices of known device type are recorded on the network device (for example, the identifier includes the IP address of the terminal device, and the network device records multiple IP addresses, indicating that the device types of the terminal devices associated with those IP addresses are known).
  • if the IP address of the terminal device is among the recorded identifiers, the network device determines that the terminal device associated with the data flow is a terminal device of a known device type.
  • the network device may also store an asset library, which records device types and the IP addresses of one or more terminal devices corresponding to each device type. The network device extracts the IP address from the data flow statistics information and queries the asset library with it. If the IP address exists in the asset library, the network device judges that the terminal device associated with the data flow is a terminal device of a known device type.
  • the identifiers of terminal devices of known device type, or the asset library, can be configured by the administrator, or the analyzer, after identifying the device type of a terminal device, sends the device type and/or the device identifier corresponding to the device type to the network device.
  • the network device may also use the IP address of the terminal device of known device type as a filter condition, so as not to collect the data stream of the terminal device of the known device type. In this way, the overhead of network equipment can be further reduced.
  • when the terminal device is a terminal device that has come online again, its device type may have changed, so the network device also sends its data flow statistics to the analyzer to trigger the analyzer to re-identify the device type of the terminal device. For example, the IP address of a self-service inquiry terminal is IP A; one day the inquiry terminal is damaged, and IP A may then be used by another device. If the network device distinguishes terminal devices by IP address, it must send the data flow statistical information of the terminal device to the analyzer, triggering the analyzer to re-identify the device type of the terminal device now bound to IP A.
  • the network device can determine whether the terminal device has come online again in various ways. For example, if the network device 111 is a wireless access point, when it finds that the terminal device 101 has disconnected, the network device 111 judges that the terminal device 101 has gone offline; when the terminal device 101 associates with the network device 111 again, the network device judges that the terminal device 101 is a terminal device that has come online again. For another example, if the network device 112 is a switch, when it detects that the port connected to the terminal device 104 has gone down, the network device 112 judges that the terminal device 104 has gone offline, and when it detects that the port is connected again, the network device 112 judges that the terminal device 104 is a terminal device that has come online again.
  • the network device may also determine whether the terminal device has come online again according to the historical traffic volume of the terminal device. For example, if the network device does not detect any data flow of a terminal device within a specified time window, it judges that the terminal device has gone offline; when it detects a data flow of that terminal device again, it judges that the terminal device has come online again.
  • the specified time window may be a multiple of the window in which the network device obtains the data flow statistics information in step 201. For example, if the network device obtains the data flow statistics information of the terminal device every 5 minutes, then when the network device does not detect any data flow of a terminal device within one or more 5-minute windows, the network device judges that the terminal device has gone offline.
  • the specified time window can also take other values. For example, when the time window for obtaining data flow statistics information is 5 minutes, the time window for judging whether the terminal device has come online again may be 18 minutes. When the network device does not detect any data flow of the terminal device within 18 minutes, it judges that the terminal device has gone offline, and when a data flow of the terminal device is detected again, the network device judges that the terminal device has come online again.
  • Step 203 the analyzer identifies the device type of the terminal device.
  • the analyzer identifies the device type of the terminal device based on the data flow statistics information of the terminal device sent by the network device. For example, the analyzer takes the data flow statistics information of the terminal device as an input of the device identification model, so as to obtain the device type of the terminal device from the output of the device identification model.
  • the device identification model can be configured by an administrator.
  • the device recognition model can also be obtained by analyzer training.
  • the analyzer can train and obtain the device identification model based on the data flow statistics information of a plurality of terminal devices of unknown device types sent by each network device and the data flow statistics information of a plurality of terminal devices of known device types.
  • the device recognition model can be various machine learning models, for example, random forest or convolutional neural network.
  • the device types of the terminal devices of the plurality of known device types may be marked by the administrator. For example, a network device sends data flow statistics information of 1000 terminal devices, and the administrator randomly marks the correct device type for 100 terminal devices.
  • the administrator enters 20 IP addresses and the device types associated with them on the input interface of the analyzer; the data flow statistics information received by the analyzer for those 20 IP addresses is then the data flow statistics information of terminal devices of known device type.
  • the administrator can also input an instruction on the input interface of the analyzer to instruct the analyzer to start training the device recognition model.
  • the analyzer can send the collection instruction to each network device.
  • the collection instruction instructs the network device to obtain the data flow statistics information of the terminal device, so that the analyzer obtains a data set for training a device recognition model.
  • the collection instruction may include collection duration, collection frequency, collection information type and other information. For example, the collection duration may be 1 day, the collection frequency may be 5 minutes, and the type of collected information may be one or more types of information included in the data stream statistical information described in step 201 .
  • the network device calculates data flow statistics every 5 minutes within 1 day.
  • the data flow statistical information within every 5 minutes includes the data flow statistical information of each terminal device that has data traffic on the network device within the 5 minutes.
  • the network device can periodically obtain data flow statistics. For example, the network device collects data flow every 5 minutes and calculates the data flow statistics within the 5 minutes.
  • the network device can regularly send data flow statistics, for example, the network device obtains data flow statistics every 5 minutes and immediately sends the data flow statistics to the analyzer.
  • the network device can also send the data flow statistics of multiple time windows at one time. For example, after the network device has obtained 288 sets of 5-minute data flow statistics over a day, it sends the data flow statistics of all 288 time windows to the analyzer at once.
  • when the analyzer identifies the device type of the terminal device based on the data flow statistics information of the terminal device, the analyzer associates the identifier of the terminal device with the device type and adds the identifier of the terminal device to the asset information entry corresponding to that device type in the asset library.
  • the asset library can be as shown in FIG. 3.
  • the asset library shown in FIG. 3 records multiple asset information entries, and each asset information entry includes a device type and one or more identifiers of terminal devices corresponding to the device type.
  • the device identification includes the IP address of the terminal device.
  • the ATM includes terminal devices associated with IP addresses 192.168.7.2 and 192.168.8.2
  • the camera includes terminal devices associated with IP addresses 192.168.11.11 and 192.168.22.22
  • the card issuer includes terminal devices.
  • the asset library may also record the identification of equipment that is not of interest.
  • the analyzer can mark terminal devices with strong protection capabilities, such as personal computers (PCs), as non-concerned devices, and the analyzer or other management devices do not need to set special protection policies for these non-concerned devices. If these non-concerned devices do not come online again, the network device does not need to collect the data streams of these non-concerned devices.
  • the analyzer may send the identifier of the terminal device or the identifier of the terminal device and the device type of the terminal device to the network device. For example, during initial training, if the analyzer identifies a large number of terminal devices of unknown device types, the analyzer may send the identifiers of one or more terminal devices corresponding to each device type to the network device. For another example, after the training is completed, each time the analyzer receives the data flow statistical information sent by the network device, it can obtain the device type of the terminal device associated with the data flow statistical information based on the data flow statistical information.
  • the analyzer may send the identifier of the terminal device associated with the data flow statistics information or the identifier of the terminal device and the device type of the terminal device to the network device.
  • the network device records the device identification of the known device type based on the analyzer's message, or updates the asset library to record the known device type and the device identification associated with the known device type. As more and more types of terminal devices are identified, the network devices need to send less and less data flow statistics, and the network resources consumed by device identification will become less and less.
  • the analyzer can also update the device identification model based on the data flow statistics information of the unknown device type terminal device sent by the network device subsequently.
  • the network device sends the data flow statistical information of terminal devices whose device type is unknown or may change to the analyzer. Because the data flow statistical information is obtained by the network device close to the terminal device, it can reflect all access behaviors of the terminal device. Therefore, the method enables the analyzer to identify the device type of terminal devices whose device type is unknown or may change, and to update the device identification model based on the data flow statistics of a large number of such terminal devices, which improves the accuracy of device identification.
  • the network device only sends the data flow statistics information of terminal devices of unknown device types or re-online terminal devices to the analyzer, avoiding the consumption of bandwidth by the data flow statistics information of terminal devices of known device types and always online. This reduces the consumption of network resources for device identification.
  • Fig. 4 is a schematic diagram of a logical structure of an apparatus for identifying equipment provided by an embodiment of the present application.
  • the device identification apparatus 400 includes an acquisition module 410 and a sending module 420 .
  • the acquiring module 410 is configured to execute step 201 in the embodiment shown in FIG. 2
  • the sending module 420 is configured to execute step 202 in the embodiment shown in FIG. 2 .
  • the acquiring module 410 is configured to acquire data flow statistical information of the terminal device.
  • the device identification apparatus 400 is an access device connected to the terminal device or a converging device through which the data flow of the terminal device must pass.
  • the data stream of the terminal device is forwarded through the device identification device 400 .
  • the sending module 420 is configured to send the data flow statistics information of the terminal device to the analyzer when a condition is met, so that the analyzer can identify the device type of the terminal device.
  • the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  • the sending module is configured to determine whether the device type of the terminal device is known or unknown according to the identifier of the terminal device of known device type. When the identifier of the terminal device exists in the identifiers of terminal devices of a known device type, the sending module determines that the device type of the terminal device is known, otherwise it is unknown.
  • the sending module is configured to determine whether the device type of the terminal device is known or unknown according to the asset library.
  • the asset library is used to record the device type and the identifier of the terminal device corresponding to the device type. When the identifier of the terminal device exists in the asset library, the sending module determines that the device type of the terminal device is known, otherwise it is unknown.
  • the sending module is configured to judge whether the terminal device is a re-online terminal device according to the historical traffic volume of the terminal device. If the traffic volume of the terminal device in the first time window is zero, the sending module judges that the terminal device is a terminal device that has come online again.
  • the device identification device further includes a receiving module and an updating module.
  • the receiving module is used for receiving messages.
  • the message includes the identifier of the terminal device, and the updating module is configured to update the identifier of the terminal device of the known device type based on the message.
  • the message further includes the device type of the terminal device, and the update module is configured to update the asset library based on the message.
  • the device identification apparatus 400 provided in this embodiment is used to execute the technical solution of the method embodiment shown in FIG. 2 , and its implementation principle and technical effect are similar.
  • Each device identification apparatus 400 sends the data flow statistics information of terminal devices whose device types are unknown or re-online to the analyzer, so that the analyzer can identify the device types of these terminal devices.
  • the analyzer can also train or update the device identification model based on the data flow statistics of a large number of unknown or re-online terminal devices to improve the accuracy of device identification.
  • the device identification apparatus 400 selectively sends the data flow statistical information of the terminal device to the analyzer: only the data flow statistical information of the terminal device whose device type is unknown or whose device type may change is sent to the analyzer. This avoids the consumption of bandwidth by the data flow statistics information of terminal devices whose device types are known and is always online, and reduces the network resources consumed by device identification.
  • when the device identification apparatus provided by the embodiment shown in FIG. 4 executes the device identification method, the division into the above-mentioned functional modules is only an example. In practical applications, the above-mentioned functions can be assigned to different functional modules as needed, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the functions described above.
  • the device identification device and the device identification method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process thereof is detailed in the method embodiments, and will not be repeated here.
  • FIG. 5 is a schematic diagram of a hardware structure of a device identification device 500 provided by an embodiment of the present application.
  • the device identification apparatus 500 includes a processor 520 , a memory 540 , a communication interface 560 and a bus 580 , and the processor 520 , the memory 540 and the communication interface 560 are connected to each other through the bus 580 .
  • the processor 520 , the memory 540 and the communication interface 560 may also be connected in other connection ways than the bus 580 .
  • the memory 540 can be various types of storage media, such as random access memory (RAM), read-only memory (ROM), non-volatile RAM (NVRAM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), flash memory, optical memory, hard disk, etc.
  • the processor 520 may be a general-purpose processor, and the general-purpose processor may be a processor that performs specific steps and/or operations by reading and executing contents stored in a memory (such as the memory 540 ).
  • the general processor may be a central processing unit (CPU).
  • the processor 520 may include at least one circuit to execute all or part of the steps of the device identification method provided by the embodiment shown in FIG. 2 .
  • the communication interface 560 includes an input/output (I/O) interface, a physical interface, a logical interface, etc., which are used to interconnect the components inside the device identification device 500 and to interconnect the device identification device 500 with other devices, such as the analyzer or terminal devices.
  • the physical interface can be Ethernet interface, optical fiber interface, ATM interface, etc.
  • the bus 580 may be any type of communication bus for interconnecting the processor 520, the memory 540 and the communication interface 560, such as a system bus.
  • the above-mentioned devices may be respectively arranged on independent chips, or at least partly or all of them may be arranged on the same chip. Whether each device is independently arranged on different chips or integrated and arranged on one or more chips often depends on the needs of product design.
  • the embodiments of the present application do not limit the specific implementation forms of the foregoing devices.
  • the device identifying apparatus 500 shown in FIG. 5 is only exemplary. During implementation, the device identifying apparatus 500 may also include other components, which will not be listed here. In addition, the device identification device 500 provided in the above embodiment is based on the same idea as the device identification method embodiment, and its specific implementation process is detailed in the method embodiment, and will not be repeated here.
  • Fig. 6 is a schematic diagram of a device identification system provided by an embodiment of the present application.
  • the device identification system 600 includes an analyzer 610 and one or more device identification devices.
  • the one or more device identifying means includes device identifying means 620 and/or device identifying means 630 .
  • the equipment identification device includes the access equipment connected to the terminal equipment or the converging equipment through which the data flow of the terminal equipment must pass.
  • the device identification device and the analyzer are connected via the Internet or an intranet.
  • the analyzer 610 is configured to execute step 203 in the embodiment of the device identification method shown in FIG. 2 .
  • the device identification device 620 or the device identification device 630 is used to execute step 201 and step 202 in the embodiment of the device identification method shown in FIG.
  • the device identifying device 620 or the device identifying device 630 includes the device identifying device 400 shown in FIG. 4 .
  • the device identifying device 620 or the device identifying device 630 includes the device identifying device 500 shown in FIG. 5 .
  • all or part of them may be implemented by software, hardware, firmware or any combination thereof.
  • when implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present invention will be generated in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g. infrared, radio, microwave) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)), etc.

Abstract

The present application relates to the technical field of communications, and discloses a device identification method, apparatus and system, which are beneficial to the identification of the device type of a terminal device and the reduction of the consumption of network resources for device identification. A network device acquires data stream statistical information of a terminal device, and sends the data stream statistical information of the terminal device to an analyzer when a condition is satisfied, such that the analyzer identifies the device type of the terminal device, the condition comprising: the device type of the terminal device is unknown, or the terminal device is a terminal device that is online again; and the network device selectively sends the data stream statistical information to the analyzer, such that the consumption of network resources in a device identification process is reduced.

Description

Method, device and system for device identification
This application claims priority to the Chinese patent application No. 202110798343.7, titled "Method, device and system for device identification", filed on July 15, 2021, and to the Chinese patent application No. 202111024391.7, titled "Method, device and system for device identification", filed on September 2, 2021, the entire contents of which are incorporated in this application by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a method, device and system for device identification.
Background
There are a large number of Internet of Things (IoT) devices in industries such as smart parks, education, manufacturing, finance and healthcare. Because of their weak self-protection capabilities, these IoT devices are easy targets for attackers launching large-scale distributed denial-of-service (DDoS) attacks, and they also risk being maliciously counterfeited for illegal purposes. Identifying the IoT devices in the network to determine their device types helps to deploy corresponding security protection policies for the different types of IoT devices according to their device type, thereby improving the security of the IoT devices in the network.
Summary of the invention
The present application provides a method, device and system for device identification, which help to identify the device type of a terminal device and reduce the consumption of network resources by device identification.
In a first aspect, a device identification method is provided, which is executed by a network device that forwards packets for a terminal device. The network device acquires the data flow statistics information of the terminal device and, when a condition is satisfied, sends the data flow statistics information of the terminal device to an analyzer, so that the analyzer identifies the device type of the terminal device.
The condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
In this application, when the device type of the terminal device is unknown or the terminal device has come online again, the network device sends the data flow statistics information of the terminal device to the analyzer, so that the analyzer identifies the device type of the terminal device, and a corresponding security protection policy can then be enforced for that device type.
Further, if the device type of the terminal device is known and the terminal device has stayed online, the probability that its device type changes is very small. If the terminal device has come online again, its device type may have changed. In this application, the network device only sends the data flow statistics information of terminal devices whose device type is unknown or that have come online again to the analyzer. This avoids the bandwidth consumed by the data flow statistics information of terminal devices whose device type is known and that have stayed online, and reduces the consumption of network resources by device identification.
In addition, the analyzer can obtain the data flow statistics information of a large number of terminal devices of unknown device type, and obtain a high-precision device identification model based on that information. The method therefore does not reduce the accuracy of device identification.
Optionally, the network device determines whether the device type of the terminal device is unknown according to the identifiers of terminal devices corresponding to known device types.
For example, the identifiers of terminal devices corresponding to known device types may be stored in the network device. If these identifiers do not include the identifier of the terminal device, the network device determines that the device type of the terminal device is unknown.
Optionally, the network device determines whether the device type of the terminal device is unknown according to an asset library.
The asset library is used to record device types and the identifiers of the terminal devices corresponding to each device type.
If the identifier of the terminal device does not exist in the asset library, the network device determines that the device type of the terminal device is unknown.
Optionally, the network device judges whether the terminal device has come online again according to the historical traffic volume of the terminal device.
Optionally, if the traffic volume of the terminal device within a first time window is zero, the terminal device is a terminal device that has come online again.
Optionally, the network device receives a message from the analyzer, and updates the identifiers of terminal devices corresponding to known device types based on the message. The message includes the identifier of the terminal device.
After identifying the device type of the terminal device, the analyzer sends a message to inform the network device that the device type of the terminal device is known, and the network device stores the identifier of the terminal device. If the terminal device does not go offline, the network device will no longer send the data flow statistics information of the terminal device to the analyzer. That is, as the types of more and more terminal devices are identified, the network resources consumed by device identification become less and less.
Optionally, the network device receives a message from the analyzer, and updates the asset library based on the message. The message includes the device type of the terminal device and the identifier of the terminal device.
After identifying the device type of the terminal device, the analyzer sends a message to inform the network device of the device type of the terminal device. The network device adds the device type and the identifier of the terminal device to the asset library. If the terminal device does not go offline, the network device will no longer send the data flow statistics information of the terminal device to the analyzer. That is, as the types of more and more terminal devices are identified, the network resources consumed by device identification become less and less.
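The selective reporting rule described in the first aspect (and in the sending module of FIG. 4): per time window, forward a terminal's flow statistics only when its device type is unknown or its traffic in the preceding window was zero, and stop forwarding once the analyzer's message has added it to the known identifiers or the asset library. This is an added Python example, not the patent's own code; the FlowStats fields follow the statistics listed in the text, while the rule that a terminal with no history is not re-online, the constructed traffic and the peer addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

WINDOW_SECONDS = 300  # collection frequency of 5 minutes, as stated in the text


@dataclass(frozen=True)
class FlowStats:
    """Data flow statistics of one flow of a terminal device within one time window."""
    terminal_ip: str               # identifier of the terminal device (its IP address)
    peer_ip: str                   # source or destination IP address of the flow
    byte_count: int                # traffic volume of the flow within the window
    packet_count: int              # number of packets of the flow within the window
    packet_sizes: Tuple[int, ...]  # size of each packet within the window


@dataclass
class NetworkDevice:
    """Access or aggregation device through which the terminal's traffic passes.

    It remembers what the analyzer has reported (known identifiers or the asset
    library) and the traffic volume of every terminal in the previous window, and
    decides per window which statistics are sent to the analyzer.
    """
    known_ids: Set[str] = field(default_factory=set)                 # identifier-only messages
    asset_library: Dict[str, str] = field(default_factory=dict)      # ip -> device type
    non_concerned: Set[str] = field(default_factory=set)             # e.g. PCs, not collected
    prev_window_bytes: Dict[str, int] = field(default_factory=dict)  # ip -> bytes last window

    def device_type_known(self, ip: str) -> bool:
        """Known if the analyzer reported the identifier, with or without a device type."""
        return ip in self.known_ids or ip in self.asset_library

    def came_back_online(self, ip: str) -> bool:
        """Re-online: the traffic volume in the preceding (first) time window was zero.
        Assumption: a terminal with no history on this device is not treated as re-online."""
        return self.prev_window_bytes.get(ip) == 0

    def end_of_window(self, stats: List[FlowStats]) -> List[FlowStats]:
        """Run once per window; returns the statistics forwarded to the analyzer."""
        # Every terminal seen so far starts at zero, so a silent window is recorded as 0.
        volume: Dict[str, int] = {ip: 0 for ip in self.prev_window_bytes}
        for s in stats:
            if s.terminal_ip not in self.non_concerned:
                volume[s.terminal_ip] = volume.get(s.terminal_ip, 0) + s.byte_count
        to_send = [
            s for s in stats
            if s.terminal_ip not in self.non_concerned
            and (not self.device_type_known(s.terminal_ip)
                 or self.came_back_online(s.terminal_ip))
        ]
        self.prev_window_bytes = volume  # this window is the "first time window" next time
        return to_send

    def receive_analyzer_message(self, ip: str, device_type: Optional[str] = None,
                                 concerned: bool = True) -> None:
        """Handle the analyzer's message: identifier only, or identifier plus device type."""
        if not concerned:
            self.non_concerned.add(ip)  # analyzer marked it, e.g. a well-protected PC
        if device_type is None:
            self.known_ids.add(ip)
        else:
            self.asset_library[ip] = device_type


def _flow(ip: str, peer: str, nbytes: int, pkt: int) -> FlowStats:
    """Constructed flow record: nbytes split into equal packets of size pkt."""
    n = nbytes // pkt
    return FlowStats(ip, peer, nbytes, n, (pkt,) * n)


def _ips(sent: List[FlowStats]) -> List[str]:
    return sorted({s.terminal_ip for s in sent})


def simulate() -> List[List[str]]:
    """Four windows of constructed traffic; returns the terminal IPs reported per window."""
    dev = NetworkDevice()
    atm, cam = "192.168.7.2", "192.168.11.11"  # identifiers from the asset library in FIG. 3
    reported: List[List[str]] = []
    # window 1: both terminals are of unknown device type -> both reported
    reported.append(_ips(dev.end_of_window(
        [_flow(atm, "10.0.0.5", 5000, 500), _flow(cam, "10.0.0.9", 20000, 1000)])))
    # the analyzer identifies them and sends identifier plus device type back
    dev.receive_analyzer_message(atm, "ATM")
    dev.receive_analyzer_message(cam, "camera")
    # window 2: both known and still online -> nothing reported
    reported.append(_ips(dev.end_of_window(
        [_flow(atm, "10.0.0.5", 4000, 500), _flow(cam, "10.0.0.9", 18000, 1000)])))
    # window 3: the camera sends nothing (offline) -> still nothing reported
    reported.append(_ips(dev.end_of_window([_flow(atm, "10.0.0.5", 4500, 500)])))
    # window 4: the camera is back -> reported again as re-online; the ATM is not
    reported.append(_ips(dev.end_of_window(
        [_flow(atm, "10.0.0.5", 4000, 500), _flow(cam, "10.0.0.9", 21000, 1000)])))
    return reported


if __name__ == "__main__":
    print(simulate())  # [['192.168.11.11', '192.168.7.2'], [], [], ['192.168.11.11']]
```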
Optionally, the data flow statistics information of the terminal device includes the source Internet Protocol (IP) address or the destination IP address of at least one data flow of the terminal device.
Optionally, the data flow statistics information of the terminal device further includes one or more of the following: the traffic volume of at least one data flow of the terminal device within a second time window, the number of packets of at least one data flow of the terminal device within the second time window, and the size of each packet of at least one data flow of the terminal device within the second time window.
Optionally, the identifier of the terminal device includes the IP address of the terminal device.
Optionally, the terminal device includes an Internet of Things (IoT) device.
The above implementations of the first aspect of the present application can be combined with each other where they do not conflict, and all such combinations fall within the protection scope of the present application.
In a second aspect, a device identification apparatus is provided. The apparatus includes a plurality of functional modules, which may all be software modules, all be hardware modules, or be a combination of software modules and hardware modules; the functional modules may be divided differently according to the implementation, the criterion being that they implement the method of the first aspect and its implementations.
In a third aspect, a device identification apparatus is provided. The apparatus includes a processor and a memory. A program is stored in the memory, and the processor is configured to execute the program stored in the memory to implement the device identification method provided in the first aspect or any possible implementation of the first aspect.
In a fourth aspect, a device identification system is provided. The system includes a device identification apparatus and an analyzer. The device identification apparatus is configured to implement the device identification method provided in the first aspect or any possible implementation of the first aspect. The analyzer is configured to receive the data flow statistics information of a terminal device sent by the device identification apparatus, and to identify the device type of the terminal device according to that information.
Optionally, the analyzer is further configured to send a message to the device identification apparatus, where the message includes the identifier of the terminal device.
Optionally, the analyzer is further configured to send a message to the device identification apparatus, where the message includes the identifier of the terminal device and the device type of the terminal device.
In a fifth aspect, a computer-readable storage medium is provided. The computer-readable storage medium includes instructions which, when run on a computer, cause the computer to execute the device identification method provided in the first aspect or any possible implementation of the first aspect.
In a sixth aspect, a computer program product including instructions is provided. When it runs on a computer, it causes the computer to execute the device identification method provided in the first aspect or any possible implementation of the first aspect.
Brief description of the drawings
FIG. 1 is a schematic diagram of an implementation environment involved in an embodiment of the present application;
FIG. 2 is a flow chart of a device identification method provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of an asset library provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of the logical structure of a device identification apparatus provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of the hardware structure of a device identification apparatus provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of a device identification system provided in an embodiment of the present application.
Detailed description
为使本申请的原理、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the principles, technical solutions and advantages of the present application clearer, the implementation manners of the present application will be further described in detail below in conjunction with the accompanying drawings.
请参考图1,其示出了本申请实施例涉及的一种实施环境的示意图。如图1所示,该实施环境包括通信网络100。该通信网络100包括多个终端设备和多个网络设备,多个终端设备通过相应的网络设备接入互联网(internet)或内联网(intranet)以访问业务服务器提供的业务。例如,终端设备101~102连接网络设备111,终端设备103~104连接网络设备112,终端设备105连接网络设备113。其中,网络设备111通过网络设备121将终端设备101~102接入互联网或内联网,以使得终端设备101~102能够访问相关的业务, 例如,由业务服务器131提供的业务。其中,网络设备112通过网络设备121将终端设备103~104接入互联网/内联网,以使得终端设备103~104能够访问相关的业务,例如,由业务服务器131提供的业务。其中,网络设备113将终端设备105接入互联网/内联网,以使得终端设备105能够访问相关的业务,例如,由业务服务器131提供的业务。Please refer to FIG. 1 , which shows a schematic diagram of an implementation environment involved in an embodiment of the present application. As shown in FIG. 1 , the implementation environment includes a communication network 100 . The communication network 100 includes a plurality of terminal devices and a plurality of network devices, and the plurality of terminal devices access the Internet (internet) or intranet (intranet) through corresponding network devices to access services provided by the service server. For example, the terminal devices 101 - 102 are connected to the network device 111 , the terminal devices 103 - 104 are connected to the network device 112 , and the terminal device 105 is connected to the network device 113 . The network device 111 connects the terminal devices 101 - 102 to the Internet or intranet through the network device 121 , so that the terminal devices 101 - 102 can access related services, for example, services provided by the service server 131 . Wherein, the network device 112 connects the terminal devices 103 - 104 to the Internet/Intranet through the network device 121 , so that the terminal devices 103 - 104 can access related services, for example, services provided by the service server 131 . Wherein, the network device 113 connects the terminal device 105 to the Internet/Intranet, so that the terminal device 105 can access related services, for example, services provided by the service server 131 .
其中,可选地,终端设备为IoT设备。终端设备可以是多种类型的设备。例如,在金融***中,终端设备可以是自动柜员机(automated teller machine,ATM)、自助查询终端、发卡机、智能柜台或摄像头等。例如,终端设备101和终端设备103可以是ATM,终端设备102和终端设备104可以是摄像头,终端设备105可以是发卡机。Wherein, optionally, the terminal device is an IoT device. End devices can be of various types. For example, in a financial system, a terminal device may be an automated teller machine (automated teller machine, ATM), a self-service inquiry terminal, a card issuer, an intelligent counter, or a camera. For example, the terminal device 101 and the terminal device 103 may be ATMs, the terminal device 102 and the terminal device 104 may be cameras, and the terminal device 105 may be a card issuer.
A network device may be any of many types of device, for example a switch, a router, a wireless access point, or a base station. For example, network device 111 may be a wireless access point, with terminal devices 101-102 accessing it over a wireless local area network. As another example, network device 112 may be a switch, with terminal devices 103-104 accessing it over wired connections. As another example, network device 113 may be a base station, with terminal device 105 accessing it over a cellular network. As another example, network device 121 may be a router. Network devices 111-113 are directly connected to terminal devices and may therefore also be called access devices. Network device 121 is not directly connected to any terminal device but forwards the terminal devices' packets sent on by the access devices; it may also be called an aggregation device.
The service server 131 may be any of many types of device, for example a physical server, a physical server cluster, a virtual machine, or a virtual machine cluster. The service server 131 may be deployed in a public cloud, a private cloud, or an enterprise data center. The service server may provide many kinds of service, for example video services or deposit and withdrawal services.
In order to prevent terminal devices from being attacked or maliciously impersonated, the communication network 100 needs to identify the device type of each terminal device, so that the security protection policy appropriate to each type of terminal device can be applied. Identifying the device type of a terminal device is also called asset inventory: the kinds of device assets are inventoried by identifying the device types of the terminal devices.
In view of this, the communication network 100 may further include an analyzer 141. The analyzer 141 receives the data flow statistics of a terminal device sent by a network device and identifies the device type of the terminal device from those statistics. The network device may be an access device or an aggregation device. The analyzer 141 may be deployed in a public cloud, a private cloud, an enterprise data center, or the campus network of an enterprise headquarters. The analyzer 141 may be a server, a server cluster, a virtual machine, a virtual machine cluster, or the like. The analyzer 141 may also be a network device with computing capability; such a network device is deployed in the enterprise data center or the campus network of the enterprise headquarters.
An embodiment of the present application provides a device identification method. In this method, a network device close to the terminal device obtains the data flow statistics of the terminal device. When the type of the terminal device is unknown, or the terminal device has come back online, the network device sends the data flow statistics of the terminal device to the analyzer, and the analyzer identifies the device type of the terminal device from those statistics. After identifying the device type, the analyzer sends the identifier of the terminal device, or the identifier together with the device type, to the network device. The network device close to the terminal device may be an access device or an aggregation device. Because the data flow statistics are obtained by a network device close to the terminal device, they reflect all of the terminal device's access behaviour. When the device type of the terminal device is unknown, or may have changed, the network device sends the terminal device's data flow statistics to the analyzer. The analyzer therefore receives the data flow statistics of a large number of terminal devices of unknown type, and these statistics reflect all access behaviour of those terminal devices, so the analyzer can also use them to train or update the device identification model and improve identification accuracy. The network device does not send the analyzer the data flow statistics of terminal devices of known type that have not gone offline. This avoids the network resources that would otherwise be consumed by the data flow statistics of the many always-online terminal devices whose type is already known, so the method also reduces the network resources consumed by device identification. The detailed solutions of the embodiments of the present application are described below.
Refer to FIG. 2, which is a flow chart of a device identification method provided by an embodiment of the present application. The method includes the following steps:
Step 201: the network device obtains the data flow statistics of the terminal device.
The network device is an access device or an aggregation device. An access device is a network device to which the terminal device is connected. An aggregation device is a network device that is not directly connected to the terminal device but through which the terminal device's data flows must pass. For example, in the network 100 shown in FIG. 1, the terminal device may be terminal device 101, the access device may be network device 111, and the aggregation device may be network device 121. Terminal device 101 accesses the network through network device 111, so network device 111 can necessarily obtain the data flow statistics of terminal device 101. Although network device 121 is not directly connected to terminal device 101, the packets of terminal device 101 are necessarily forwarded by network device 121, so network device 121 can also obtain the data flow statistics of terminal device 101.
The data flows of different types of terminal device have different characteristics. For example, a camera has almost no downlink traffic but continuous and relatively large uplink traffic, whereas the data flows of an ATM occur irregularly and carry very little traffic. The analyzer distinguishes terminal devices by their data flow statistics, so the data flow statistics include statistics that reflect the service characteristics of the terminal device. For example, the data flow statistics include one or more of the following: the number of data flows of the terminal device within a time window; the volume of data traffic of the terminal device within the time window; the number of data packets of the terminal device within the time window; the size of each data packet of the terminal device within the time window; the header information of each data flow of the terminal device within the time window; the traffic volume of each data flow of the terminal device within the time window; the number of packets of each data flow of the terminal device within the time window; and the size of each packet of each data flow of the terminal device within the time window. The header information of a data flow includes the tuple of the data flow, which may be a five-tuple: the source IP address, destination IP address, source port, destination port, and protocol type of the data flow. The data flow statistics may also include the direction of the data flow, for example uplink or downlink. A data flow that the network device receives on the port facing the terminal device is an uplink data flow; otherwise it is a downlink data flow.
The network device obtains the data flow statistics of the terminal device. For example, the network device collects the data flows transmitted through it and obtains the data flow statistics within a time window. The network device can distinguish the data flows of different terminal devices within the time window by the identifier of the terminal device, which includes the terminal device's IP address: it distinguishes them by the source IP address of uplink data flows or the destination IP address of downlink data flows. Uplink data flows with the same source IP address, or downlink data flows with the same destination IP address, belong to the same terminal device. For example, the time window may be 5 minutes; the network device computes the data flow statistics of each terminal device within each 5-minute period to obtain that terminal device's statistics for the time window. The network device may obtain data flow statistics continuously. For example, starting from a specified time (such as when the network device starts running, or a time configured by the administrator), the network device obtains the data flow statistics of each terminal device in every time window; say, every 5 minutes from start-up it obtains statistics covering every terminal device that had data flows within those 5 minutes. The network device may also obtain data flow statistics according to a predetermined requirement. For example, as configured by the administrator, the network device obtains data flow statistics once every half hour, and each set of statistics covers every terminal device that had data flows within one time window (for example, 5 minutes).
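The per-window aggregation described in step 201, written out as an added example (this is not code from the patent or from its assignee): packets are attributed to a terminal by source IP for uplink and destination IP for downlink, grouped into 5-minute windows, and summarised both per terminal and per five-tuple flow. The `Packet` record, the `from_terminal_side` flag standing in for "received on the port facing the terminal", and the sample packets are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 300  # the 5-minute statistics window used in the description


@dataclass
class Packet:
    ts: float                 # seconds since collection started (hypothetical clock)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                # "tcp" or "udp"
    size: int                 # bytes on the wire
    from_terminal_side: bool  # True if received on the port facing the terminal


# Constructed sample capture on an access device. 192.168.11.11 behaves like a
# camera (steady, large uplink); 192.168.7.2 like an ATM (sporadic, tiny flows).
SAMPLE_PACKETS = [
    Packet(1, "192.168.11.11", "10.0.0.50", 40000, 554, "tcp", 1400, True),
    Packet(2, "192.168.11.11", "10.0.0.50", 40000, 554, "tcp", 1400, True),
    Packet(3, "10.0.0.50", "192.168.11.11", 554, 40000, "tcp", 60, False),
    Packet(120, "192.168.7.2", "10.0.0.20", 51000, 443, "tcp", 200, True),
    Packet(121, "10.0.0.20", "192.168.7.2", 443, 51000, "tcp", 300, False),
    Packet(400, "192.168.11.11", "10.0.0.50", 40000, 554, "tcp", 1400, True),  # next window
]


def terminal_and_direction(pkt):
    """Uplink packets belong to their source IP, downlink packets to their destination IP."""
    if pkt.from_terminal_side:
        return pkt.src_ip, "uplink"
    return pkt.dst_ip, "downlink"


def flow_key(pkt):
    """Five-tuple header that identifies the flow a packet belongs to."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)


def compute_window_stats(packets, window_seconds=WINDOW_SECONDS):
    """Return {window_index: {terminal_ip: stats}} where stats carries the
    per-terminal counters and a per-flow breakdown keyed by five-tuple."""
    def new_terminal_entry():
        return {"flow_count": 0, "packet_count": 0, "bytes": 0,
                "uplink_bytes": 0, "downlink_bytes": 0, "flows": {}}

    stats = defaultdict(lambda: defaultdict(new_terminal_entry))
    for pkt in packets:
        window = int(pkt.ts // window_seconds)
        terminal, direction = terminal_and_direction(pkt)
        entry = stats[window][terminal]
        key = flow_key(pkt)
        flow = entry["flows"].get(key)
        if flow is None:  # first packet of this five-tuple in this window
            flow = {"direction": direction, "packet_count": 0, "bytes": 0, "packet_sizes": []}
            entry["flows"][key] = flow
            entry["flow_count"] += 1
        flow["packet_count"] += 1
        flow["bytes"] += pkt.size
        flow["packet_sizes"].append(pkt.size)
        entry["packet_count"] += 1
        entry["bytes"] += pkt.size
        entry[direction + "_bytes"] += pkt.size
    return {window: dict(terminals) for window, terminals in stats.items()}


if __name__ == "__main__":
    for window, terminals in sorted(compute_window_stats(SAMPLE_PACKETS).items()):
        for ip, entry in terminals.items():
            print(window, ip, entry["flow_count"], entry["packet_count"], entry["bytes"])
```

Note that the request and response directions of one TCP connection are two five-tuples and therefore count as two flows here; a real implementation that wants one flow per connection would normalise the key (order the endpoints), but the per-terminal uplink/downlink byte split is what distinguishes the camera from the ATM either way.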
The data flow statistics of the terminal device may also be obtained by another device, for example by a network probe attached to the side of the network device. For instance, a network probe with computing capability may be attached to access device 111 in FIG. 1. Access device 111 mirrors the data flows to the network probe, and the probe computes the data flow statistics of each terminal device within the time window from the mirrored data flows.
Step 202: when a condition is satisfied, the network device sends the data flow statistics of the terminal device to the analyzer. The condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come back online.
When the terminal device satisfies the condition, the network device sends the terminal device's data flow statistics to the analyzer. The condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come back online.
When the device type of the terminal device is unknown, the network device sends the terminal device's data flow statistics to the analyzer to trigger identification of its device type. The network device may decide in several ways whether a terminal device is of a known device type. For example, the network device records the identifiers of terminal devices whose device type is known (for example, the identifier includes the terminal device's IP address, and the network device records a number of IP addresses to indicate that the terminal devices associated with those IP addresses are of known device type). If the IP address associated with the terminal device's data flow statistics (for example, the source or destination IP address of the data flow) is among those recorded IP addresses, the network device determines that the terminal device associated with the data flow is of a known device type. As another example, the network device may store an asset library that records device types and, for each device type, the IP addresses of one or more terminal devices. The network device extracts the IP address from the data flow statistics and looks it up in the asset library; if the IP address is present, the network device determines that the terminal device associated with the data flow is of a known device type. The identifiers of known-type terminal devices, or the asset library, may be configured by the administrator, or, after the analyzer identifies the device type of a terminal device, the analyzer sends the device type and/or the device identifiers corresponding to that device type to the network device. Correspondingly, when collecting the data flows of terminal devices, the network device may also use the IP addresses of known-type terminal devices as a filter condition so that their data flows are not collected at all, further reducing the overhead on the network device.
When a terminal device has come back online, its device type may have changed, so the network device also sends its data flow statistics to the analyzer to trigger re-identification of its device type. For example, suppose an inquiry terminal has IP address IP A. If the inquiry terminal breaks down one day, IP A may be reused by another device. If the network device distinguishes terminal devices by IP address, it then needs to send the data flow statistics containing IP A to the analyzer so that the analyzer re-identifies the device type of the terminal device bound to IP A.
The network device may decide in several ways whether a terminal device has come back online. For example, if network device 111 is a wireless access point, then when it finds that terminal device 101 has disassociated it determines that terminal device 101 has gone offline, and when terminal device 101 associates with network device 111 again it determines that terminal device 101 has come back online. As another example, if network device 112 is a switch, then when it detects that the port connected to terminal device 104 has gone down it determines that terminal device 104 has gone offline, and when it detects that the port is connected again it determines that terminal device 104 has come back online. As a further example, the network device may decide from the terminal device's historical traffic whether it has come back online: if the network device detects no data flow from a terminal device within a specified time window, it determines that the terminal device has gone offline, and when it detects the terminal device's data flow again it determines that the terminal device has come back online. The specified time window may be a multiple of the window in which the network device obtains data flow statistics in step 201. For example, if the network device obtains the terminal device's data flow statistics every 5 minutes, then when it detects no data flow from a terminal device for one or more of these 5-minute windows it determines that the terminal device has gone offline, and when it detects the terminal device's data flow again it determines that the terminal device has come back online. The specified time window may also take another value. For example, when the time window for obtaining data flow statistics is 5 minutes, the time window for deciding whether a terminal device has come back online may be 18 minutes: when the network device detects no data flow from the terminal device for 18 minutes it determines that the terminal device has gone offline, and when it detects the terminal device's data flow again it determines that the terminal device has come back online.
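The step 202 decision, combining the asset-library lookup for unknown types with both re-online detection paths (a link-down event from the switch or access point, and a gap of several statistics windows without traffic), as an added example rather than the patent's own code. The class name `AccessDeviceReporter`, the `offline_windows` threshold of 3 windows, and the reason strings are assumptions made for the example; the asset-library contents are constructed and only reuse the IP addresses the description itself gives for FIG. 3.

```python
from dataclasses import dataclass, field

# Hypothetical threshold: a terminal seen in window w and silent in the next
# offline_windows - 1 windows is treated as offline from window w + offline_windows on.
OFFLINE_WINDOWS = 3


@dataclass
class AccessDeviceReporter:
    """Per-window decision on the access or aggregation device: which terminals'
    statistics go to the analyzer, and why."""
    asset_library: dict = field(default_factory=dict)  # device type -> set of terminal IPs
    offline_windows: int = OFFLINE_WINDOWS
    last_seen: dict = field(default_factory=dict)      # terminal IP -> last window with flows
    offline: set = field(default_factory=set)          # terminals currently considered offline
    sent_log: list = field(default_factory=list)       # (window, ip, reason) for everything sent

    def type_known(self, ip):
        """Asset-library lookup: the type is known if the IP appears under any device type."""
        return any(ip in ips for ips in self.asset_library.values())

    def update_from_analyzer(self, ip, device_type):
        """Record the type the analyzer reported. The IP is moved rather than copied,
        because a reused IP may now belong to a different kind of device."""
        for ips in self.asset_library.values():
            ips.discard(ip)
        self.asset_library.setdefault(device_type, set()).add(ip)

    def notify_link_down(self, ip):
        """Link-state path: the switch port or wireless association of the terminal dropped."""
        self.offline.add(ip)

    def observe_window(self, window, active_ips):
        """Evaluate one statistics window. Returns {ip: reason} for the terminals whose
        statistics must be sent; reason is "unknown-type" or "re-online"."""
        # Traffic-gap path: too long since the last flow -> offline.
        for ip, last in self.last_seen.items():
            if window - last >= self.offline_windows:
                self.offline.add(ip)
        decisions = {}
        for ip in active_ips:
            if ip in self.offline:
                reason = "re-online"        # the type may have changed: re-identify
                self.offline.discard(ip)
            elif not self.type_known(ip):
                reason = "unknown-type"     # never identified: identify
            else:
                reason = None               # known and continuously online: send nothing
            self.last_seen[ip] = window
            if reason is not None:
                decisions[ip] = reason
                self.sent_log.append((window, ip, reason))
        return decisions


if __name__ == "__main__":
    reporter = AccessDeviceReporter(asset_library={"ATM": {"192.168.7.2"}})
    print(reporter.observe_window(0, {"192.168.7.2", "192.168.33.55"}))  # card issuer unknown
```

The send decision is deliberately independent of what the analyzer answers: the device keeps forwarding a terminal's statistics every window until `update_from_analyzer` places its IP in the library, which is the feedback loop the description relies on to make the reported volume shrink over time.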
Step 203: the analyzer identifies the device type of the terminal device.
The analyzer identifies the device type of the terminal device from the data flow statistics sent by the network device. For example, the analyzer feeds the terminal device's data flow statistics into a device identification model as input and obtains the device type of the terminal device from the model's output.
The device identification model may be configured by the administrator, or trained by the analyzer. The analyzer may train the device identification model on the data flow statistics of a number of terminal devices of unknown device type and a number of terminal devices of known device type, as sent by the various network devices. The device identification model may be any of several machine learning models, for example a random forest or a convolutional neural network. Initially, the device types of the known-type terminal devices may be labelled by the administrator. For example, the network devices send the data flow statistics of 1000 terminal devices and the administrator labels 100 of them, chosen at random, with their correct device types. As another example, the administrator enters 20 IP addresses and the device types associated with them on the analyzer's input interface; the data flow statistics associated with those 20 IP addresses that the analyzer receives are then the statistics of terminal devices of known device type.
The administrator may also enter an instruction on the analyzer's input interface to tell the analyzer to start training the device identification model. After receiving the instruction, the analyzer may send a collection instruction to each network device. The collection instruction tells the network device to obtain the data flow statistics of terminal devices so that the analyzer obtains a data set for training the device identification model. The collection instruction may include the collection duration, the collection frequency, the kinds of information to collect, and so on. For example, the collection duration may be 1 day, the collection frequency 5 minutes, and the kinds of information one or more of the data flow statistics described in step 201. After receiving the collection instruction, the network device computes data flow statistics every 5 minutes for 1 day; the statistics for each 5-minute period cover every terminal device that had data traffic on the network device within that period. The network device may obtain the statistics periodically, for example collecting data flows every 5 minutes and computing the statistics for that 5-minute period. It may also obtain the statistics for multiple time windows at once, for example by saving a day's data flow file and then computing the 288 (24 hours × 60 / 5 minutes = 288) sets of 5-minute statistics for that day in one pass. Likewise the network device may send the statistics periodically, for example obtaining the statistics every 5 minutes and sending them to the analyzer immediately, or send the statistics of multiple time windows at once, for example sending the 288 sets of 5-minute statistics of a day to the analyzer in one batch after obtaining them.
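The analyzer side of step 203, covering both the initial training on administrator-labelled windows and the later incremental update from newly labelled statistics, as an added example that is not the patent's code. The description names random forests and convolutional neural networks as candidate models; to stay dependency-free this example substitutes a nearest-centroid classifier over log-scaled (uplink bytes, downlink bytes, flow count) features, and the training windows, the feature choice and the class name `NearestCentroidModel` are all constructed for the example.

```python
import math

# Constructed, administrator-labelled training windows. Each feature vector is
# (uplink_bytes, downlink_bytes, flow_count) for one 5-minute window; the values
# are illustrative only and mirror the description: cameras push steady large
# uplink traffic, ATMs produce sporadic tiny flows.
TRAINING = [
    ((900_000, 2_000, 2), "camera"),
    ((850_000, 1_500, 2), "camera"),
    ((1_100_000, 3_000, 3), "camera"),
    ((2_000, 3_000, 4), "ATM"),
    ((0, 0, 0), "ATM"),
    ((1_500, 2_500, 3), "ATM"),
    ((50_000, 40_000, 20), "self-service terminal"),
    ((60_000, 55_000, 25), "self-service terminal"),
]


def to_features(vec):
    """log1p compresses the byte counts so that a camera's megabytes of uplink
    do not swamp the flow-count feature."""
    return [math.log1p(x) for x in vec]


class NearestCentroidModel:
    """Minimal device identification model: one centroid per device type in
    feature space; prediction picks the nearest centroid. Stands in for the
    random forest or CNN mentioned in the description."""

    def __init__(self):
        self.centroids = {}  # label -> feature centroid
        self.counts = {}     # label -> number of samples folded into the centroid

    def update(self, vec, label):
        """Fold one labelled window into its class centroid (running mean), which
        is the incremental model update the analyzer performs after training."""
        x = to_features(vec)
        n = self.counts.get(label, 0)
        c = self.centroids.get(label, [0.0] * len(x))
        self.centroids[label] = [(ci * n + xi) / (n + 1) for ci, xi in zip(c, x)]
        self.counts[label] = n + 1

    def fit(self, samples):
        for vec, label in samples:
            self.update(vec, label)
        return self

    def predict(self, vec):
        """Device type whose centroid is closest to the window's features."""
        x = to_features(vec)
        return min(self.centroids, key=lambda label: math.dist(x, self.centroids[label]))


def train_default():
    return NearestCentroidModel().fit(TRAINING)


if __name__ == "__main__":
    model = train_default()
    print(model.predict((950_000, 1_800, 2)))   # a camera-like window
    print(model.predict((1_000, 2_000, 2)))     # an ATM-like window
```

In practice the analyzer would classify a terminal from several consecutive windows rather than one, since a camera that happens to be idle for 5 minutes looks like an ATM in that single window; the running-mean update also means a mislabelled window shifts a centroid permanently, which is the usual argument for keeping administrator labels under review.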
When the analyzer has identified the device type of the terminal device from its data flow statistics, the analyzer associates the identifier of the terminal device with that device type and adds the identifier to the asset information entry for that device type in the asset library. For example, the asset library may be as shown in FIG. 3, which records a number of asset information entries, each including a device type and the identifiers of one or more terminal devices of that type. The identifier of a device includes the terminal device's IP address. For example, as shown in FIG. 3, the ATM entry includes the terminal devices associated with IP addresses 192.168.7.2 and 192.168.8.2, the camera entry includes the terminal devices associated with IP addresses 192.168.11.11 and 192.168.22.22, and the card issuing machine entry includes the terminal device associated with IP address 192.168.33.55. The asset library may also record the identifiers of devices that are not of interest. For example, the analyzer may mark terminal devices with strong built-in protection, such as personal computers (PCs), as devices not of interest, and the analyzer or other management devices then need not configure special protection policies for them. Unless such devices come back online, the network device need not collect their data flows.
After identifying the device type of the terminal device, the analyzer may send the identifier of the terminal device, or the identifier together with the device type, to the network device. For example, during initial training the analyzer identifies a large number of terminal devices of unknown device type, and it may then send the identifiers of the one or more terminal devices of each device type to the network device. As another example, after training is complete, each time the analyzer receives data flow statistics from the network device it can obtain the device type of the associated terminal device from those statistics and send the terminal device's identifier, or the identifier together with the device type, to the network device. Based on the analyzer's message, the network device records the identifiers of known-type devices, or updates its asset library to record the known device types and the device identifiers associated with them. As more and more terminal devices have their types identified, the network device needs to send fewer and fewer data flow statistics, and device identification consumes fewer and fewer network resources.
After model training is complete, the analyzer may also update the device identification model with the data flow statistics of unknown-type terminal devices that the network devices send subsequently.
In the device identification method provided by the embodiments of the present application, the network device sends the analyzer the data flow statistics of terminal devices whose device type is unknown or may have changed; because these statistics are obtained by a network device close to the terminal device, they reflect all of the terminal device's access behaviour. The method therefore enables the analyzer to identify the device type of terminal devices whose type is unknown or may have changed, and to update the device identification model from the data flow statistics of a large number of such terminal devices so as to improve identification accuracy. In addition, the network device sends the analyzer only the data flow statistics of terminal devices of unknown type or of terminal devices that have come back online, which avoids the bandwidth that would be consumed by the statistics of terminal devices whose type is known and that have stayed online. This reduces the network resources consumed by device identification.
FIG. 4 is a schematic diagram of the logical structure of a device identification apparatus provided by an embodiment of the present application. Referring to FIG. 4, the device identification apparatus 400 includes an acquisition module 410 and a sending module 420. The acquisition module 410 is configured to perform step 201 of the embodiment shown in FIG. 2, and the sending module 420 is configured to perform step 202 of the embodiment shown in FIG. 2.
其中,所述获取模块410用于获取终端设备的数据流统计信息。该设备识别装置400是连接该终端设备的接入设备或者该终端设备的数据流必经的汇聚设备。该终端设备的数据流经由该设备识别装置400转发。Wherein, the acquiring module 410 is configured to acquire data flow statistical information of the terminal device. The device identification apparatus 400 is an access device connected to the terminal device or a converging device through which the data flow of the terminal device must pass. The data stream of the terminal device is forwarded through the device identification device 400 .
其中,所述发送模块420用于当满足条件时,发送所述终端设备的数据流统计信息给分析器,以使得所述分析器识别所述终端设备的设备类型。Wherein, the sending module 420 is configured to send the data flow statistics information of the terminal device to the analyzer when a condition is met, so that the analyzer can identify the device type of the terminal device.
其中,所述条件包括:所述终端设备的设备类型未知,或者,所述终端设备是重新上线的终端设备。Wherein, the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
可选地,所述发送模块用于根据已知设备类型的终端设备的标识确定所述终端设备的 设备类型已知或未知。当所述终端设备的标识存在于已知设备类型的终端设备的标识中,所述发送模块判断所述终端设备的设备类型已知,否则为未知。Optionally, the sending module is configured to determine whether the device type of the terminal device is known or unknown according to the identifier of the terminal device of known device type. When the identifier of the terminal device exists in the identifiers of terminal devices of a known device type, the sending module determines that the device type of the terminal device is known, otherwise it is unknown.
可选地,所述发送模块用于根据资产库确定所述终端设备的设备类型为已知或未知。所述资产库用于记录设备类型和所述设备类型对应的终端设备的标识。当所述终端设备的标识存在于所述资产库中,所述发送模块判断所述终端设备的设备类型已知,否则为未知。Optionally, the sending module is configured to determine whether the device type of the terminal device is known or unknown according to the asset library. The asset library is used to record the device type and the identifier of the terminal device corresponding to the device type. When the identifier of the terminal device exists in the asset library, the sending module determines that the device type of the terminal device is known, otherwise it is unknown.
可选地,所述发送模块用于根据所述终端设备的历史流量大小判断所述终端设备是否为重新上线的终端设备。若所述终端设备在第一时间窗口内的流量大小为零,所述发送模块判断所述终端设备为重新上线的终端设备。Optionally, the sending module is configured to judge whether the terminal device is a re-online terminal device according to the historical traffic volume of the terminal device. If the traffic volume of the terminal device in the first time window is zero, the sending module judges that the terminal device is a terminal device that has come online again.
可选地,所述设备识别装置还包括接收模块和更新模块。所述接收模块用于接收消息。可选地,所述消息包括所述终端设备的标识,所述更新模块用于基于所述消息更新所述已知设备类型的终端设备的标识。可选地,所述消息还包括所述终端设备的设备类型,所述更新模块用于基于所述消息更新所述资产库。Optionally, the device identification device further includes a receiving module and an updating module. The receiving module is used for receiving messages. Optionally, the message includes the identifier of the terminal device, and the updating module is configured to update the identifier of the terminal device of the known device type based on the message. Optionally, the message further includes the device type of the terminal device, and the update module is configured to update the asset library based on the message.
本实施例提供的设备识别装置400,用于执行图2所示方法实施例的技术方案,其实现原理和技术效果类似。各个设备识别装置400发送设备类型未知或重新上线的终端设备的数据流统计信息给分析器,使得分析器能够识别这些终端设备的设备类型。分析器还可以基于大量设备类型未知或重新上线的终端设备的数据流统计信息训练或更新设备识别模型以提升设备识别的精度。另外,设备识别装置400向分析器选择性的发送终端设备的数据流统计信息给分析器:仅发送设备类型未知或设备类型可能发生变化的终端设备的数据流统计信息给分析器。这避免了设备类型已知且一直在线的终端设备的数据流统计信息对带宽的消耗,降低了设备识别消耗的网络资源。The device identification apparatus 400 provided in this embodiment is used to execute the technical solution of the method embodiment shown in FIG. 2 , and its implementation principle and technical effect are similar. Each device identification apparatus 400 sends the data flow statistics information of terminal devices whose device types are unknown or re-online to the analyzer, so that the analyzer can identify the device types of these terminal devices. The analyzer can also train or update the device identification model based on the data flow statistics of a large number of unknown or re-online terminal devices to improve the accuracy of device identification. In addition, the device identification apparatus 400 selectively sends the data flow statistical information of the terminal device to the analyzer: only the data flow statistical information of the terminal device whose device type is unknown or whose device type may change is sent to the analyzer. This avoids the consumption of bandwidth by the data flow statistics information of terminal devices whose device types are known and is always online, and reduces the network resources consumed by device identification.
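The selective-reporting logic of the acquiring and sending modules above, written out as an added Python model that is not code from the patent or from Huawei. The class and function names, the constructed IP addresses and traffic volumes, and the choice of treating the preceding window as the first time window are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FlowStats:
    """Statistics of one data flow of a terminal device within the second time window."""
    terminal_ip: str         # identifier of the terminal device (its IP address)
    peer_ip: str             # source or destination IP address of the data flow
    byte_count: int          # traffic volume within the window
    packet_sizes: List[int]  # size of each data packet within the window

    @property
    def packet_count(self) -> int:
        return len(self.packet_sizes)


class AssetLibrary:
    """Records each device type and the identifiers of the terminal devices of that type."""

    def __init__(self) -> None:
        self._type_by_ip: Dict[str, str] = {}

    def is_known(self, terminal_ip: str) -> bool:
        return terminal_ip in self._type_by_ip

    def update(self, terminal_ip: str, device_type: str) -> None:
        """Apply the analyzer's message (identifier plus identified device type)."""
        self._type_by_ip[terminal_ip] = device_type


class NetworkDevice:
    """Access or aggregation device: acquires statistics and reports them selectively."""

    def __init__(self, assets: AssetLibrary, first_window: int = 1) -> None:
        self.assets = assets
        self.first_window = first_window          # silent windows that mean "re-online"
        self._history: Dict[str, List[int]] = {}  # per-terminal traffic volume per window
        self.outbox: List[dict] = []              # what was actually sent to the analyzer

    def came_online_again(self, terminal_ip: str) -> bool:
        """True when the terminal's traffic in the preceding first time window was zero."""
        past = self._history.get(terminal_ip, [])
        if len(past) < self.first_window:
            return False  # no complete history window at this device yet
        return sum(past[-self.first_window:]) == 0

    def reporting_condition(self, terminal_ip: str) -> Optional[str]:
        """The condition of claim 1: unknown device type, or the terminal came online again."""
        if not self.assets.is_known(terminal_ip):
            return "unknown-type"
        if self.came_online_again(terminal_ip):
            return "re-online"
        return None

    def process_window(self, terminal_ip: str, flows: List[FlowStats]) -> Optional[str]:
        """Steps 201 and 202 for one time window; returns why the statistics were sent."""
        volume = sum(f.byte_count for f in flows)
        reason = self.reporting_condition(terminal_ip) if volume > 0 else None
        if reason is not None:
            self.outbox.append({"terminal": terminal_ip, "reason": reason, "flows": flows})
        self._history.setdefault(terminal_ip, []).append(volume)
        return reason


def _flow(terminal_ip: str, peer_ip: str, nbytes: int) -> List[FlowStats]:
    # Constructed sample flow: one data flow carrying a single packet of nbytes.
    return [FlowStats(terminal_ip, peer_ip, nbytes, [nbytes])] if nbytes else []


def simulate() -> List[Optional[str]]:
    """Four windows for a constructed camera (10.0.0.5) and a constructed printer (10.0.0.9)."""
    assets = AssetLibrary()
    assets.update("10.0.0.9", "printer")  # printer already identified earlier
    dev = NetworkDevice(assets, first_window=1)
    log: List[Optional[str]] = []
    # window 1: camera type unknown -> reported; printer known and online -> not reported
    log.append(dev.process_window("10.0.0.5", _flow("10.0.0.5", "203.0.113.7", 1200)))
    log.append(dev.process_window("10.0.0.9", _flow("10.0.0.9", "198.51.100.2", 800)))
    assets.update("10.0.0.5", "ip-camera")  # analyzer's reply updates the asset library
    # window 2: both known and online -> nothing sent, no bandwidth spent
    log.append(dev.process_window("10.0.0.5", _flow("10.0.0.5", "203.0.113.7", 900)))
    log.append(dev.process_window("10.0.0.9", _flow("10.0.0.9", "198.51.100.2", 700)))
    # window 3: camera silent (zero traffic in the first time window); printer online
    log.append(dev.process_window("10.0.0.5", []))
    log.append(dev.process_window("10.0.0.9", _flow("10.0.0.9", "198.51.100.2", 650)))
    # window 4: camera back -> treated as re-online and reported for re-identification
    log.append(dev.process_window("10.0.0.5", _flow("10.0.0.5", "203.0.113.7", 1500)))
    log.append(dev.process_window("10.0.0.9", _flow("10.0.0.9", "198.51.100.2", 720)))
    return log


if __name__ == "__main__":
    print(simulate())  # -> ['unknown-type', None, None, None, None, None, 're-online', None]
```

Note that an unknown terminal keeps being reported every window until the analyzer's reply lands in the asset library, and that a silent window is never reported by itself: the re-online condition only fires once the terminal sends traffic again.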
It should be noted that, when the device identification apparatus provided by the embodiment shown in FIG. 4 performs the device identification method, the division into the functional modules above is only an example; in practice the functions above may be assigned to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the device identification apparatus and the device identification method embodiments provided above belong to the same concept; their specific implementation is detailed in the method embodiment and is not repeated here.
FIG. 5 is a schematic diagram of the hardware structure of a device identification apparatus 500 provided by an embodiment of this application. Referring to FIG. 5, the device identification apparatus 500 includes a processor 520, a memory 540, a communication interface 560 and a bus 580; the processor 520, the memory 540 and the communication interface 560 are connected to one another through the bus 580. The processor 520, the memory 540 and the communication interface 560 may also be connected in ways other than the bus 580.
The memory 540 may be any of various types of storage medium, for example random access memory (RAM), read-only memory (ROM), non-volatile RAM (NVRAM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), flash memory, optical memory, a hard disk, and so on.
The processor 520 may be a general-purpose processor, that is, a processor that performs specific steps and/or operations by reading and executing content stored in a memory (for example the memory 540). For example, the general-purpose processor may be a central processing unit (CPU). The processor 520 may include at least one circuit to perform all or part of the steps of the device identification method provided by the embodiment shown in FIG. 2.
The communication interface 560 includes interfaces such as an input/output (I/O) interface, a physical interface and a logical interface for interconnecting the components inside the device identification apparatus 500, as well as interfaces for interconnecting the device identification apparatus 500 with other devices (for example the analyzer or terminal devices). The physical interface may be an Ethernet interface, an optical fibre interface, an ATM interface, and so on.
The bus 580 may be any type of communication bus for interconnecting the processor 520, the memory 540 and the communication interface 560, for example a system bus.
The components above may each be arranged on separate chips, or some or all of them may be arranged on the same chip. Whether each component is arranged separately on a different chip or integrated on one or more chips usually depends on the needs of the product design. The embodiments of this application do not limit the specific implementation form of the components above.
The device identification apparatus 500 shown in FIG. 5 is only an example; in implementation the device identification apparatus 500 may further include other components, which are not listed here one by one. In addition, the device identification apparatus 500 provided by the embodiment above and the device identification method embodiment belong to the same concept; its specific implementation is detailed in the method embodiment and is not repeated here.
FIG. 6 is a schematic diagram of a device identification system provided by an embodiment of this application. Referring to FIG. 6, the device identification system 600 includes an analyzer 610 and one or more device identification apparatuses, for example a device identification apparatus 620 and/or a device identification apparatus 630. A device identification apparatus includes the access device to which a terminal device is connected, or an aggregation device through which the terminal device's data flows must pass. The device identification apparatuses and the analyzer are connected via the Internet or an intranet. The analyzer 610 is configured to perform step 203 of the device identification method embodiment shown in FIG. 2. The device identification apparatus 620 or 630 is configured to perform steps 201 and 202 of that embodiment. In one possible implementation, the device identification apparatus 620 or 630 includes the device identification apparatus 400 shown in FIG. 4. In another possible implementation, it includes the device identification apparatus 500 shown in FIG. 5.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part as a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wired (for example coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless (for example infrared, radio, microwave) means. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data centre that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)), and so on.
It should be understood that in the embodiments of this application the sequence numbers of the processes above do not imply an order of execution; the order in which the processes are performed should be determined by their functions and internal logic, and does not constitute any limitation on the implementation of the embodiments of this application.
The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the foregoing are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made on the basis of the technical solution of the present invention shall fall within the scope of protection of the present invention.

Claims (26)

  1. A device identification method, characterized in that the method comprises:
    acquiring data flow statistics of a terminal device;
    when a condition is met, sending the data flow statistics of the terminal device to an analyzer, so that the analyzer identifies the device type of the terminal device, wherein the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  2. The method according to claim 1, characterized in that the method comprises:
    determining whether the device type of the terminal device is unknown according to the identifiers of terminal devices corresponding to known device types.
  3. The method according to claim 1, characterized in that the method comprises:
    determining whether the device type of the terminal device is unknown according to an asset library;
    wherein the asset library records device types and the identifiers of the terminal devices corresponding to each device type.
  4. The method according to any one of claims 1 to 3, characterized in that the method comprises:
    determining whether the terminal device is a terminal device that has come online again according to the historical traffic volume of the terminal device.
  5. The method according to claim 4, characterized in that, if the traffic volume of the terminal device within a first time window is zero, the terminal device is a terminal device that has come online again.
  6. The method according to claim 2, 4 or 5, characterized in that the method further comprises:
    receiving a message from the analyzer and updating the identifiers of terminal devices corresponding to known device types based on the message, wherein the message includes the identifier of the terminal device.
  7. The method according to any one of claims 3 to 5, characterized in that the method further comprises:
    receiving a message from the analyzer and updating the asset library based on the message, wherein the message includes the device type of the terminal device and the identifier of the terminal device.
  8. The method according to any one of claims 1 to 7, characterized in that the data flow statistics of the terminal device include the source Internet Protocol (IP) address or the destination IP address of at least one data flow of the terminal device.
  9. The method according to claim 8, characterized in that the data flow statistics of the terminal device further include one or more of the following: the traffic volume of at least one data flow of the terminal device within a second time window, the number of data packets of at least one data flow of the terminal device within the second time window, and the size of each data packet of at least one data flow of the terminal device within the second time window.
  10. The method according to any one of claims 2 to 9, characterized in that the identifier of the terminal device includes the IP address of the terminal device.
  11. The method according to any one of claims 1 to 10, characterized in that the terminal device includes an Internet of Things (IoT) device.
  12. A device identification apparatus, characterized in that the apparatus includes an acquiring module and a sending module,
    the acquiring module being configured to acquire data flow statistics of a terminal device;
    the sending module being configured to, when a condition is met, send the data flow statistics of the terminal device to an analyzer, so that the analyzer identifies the device type of the terminal device;
    wherein the condition includes: the device type of the terminal device is unknown, or the terminal device is a terminal device that has come online again.
  13. The apparatus according to claim 12, characterized in that
    the sending module is further configured to determine whether the device type of the terminal device is unknown according to the identifiers of terminal devices corresponding to known device types.
  14. The apparatus according to claim 12, characterized in that
    the sending module is further configured to determine whether the device type of the terminal device is unknown according to an asset library;
    wherein the asset library records device types and the identifiers of the terminal devices corresponding to each device type.
  15. The apparatus according to any one of claims 12 to 14, characterized in that
    the sending module is further configured to determine whether the terminal device is a terminal device that has come online again according to the historical traffic volume of the terminal device.
  16. The apparatus according to claim 15, characterized in that, if the traffic volume of the terminal device within a first time window is zero, the terminal device is a terminal device that has come online again.
  17. The apparatus according to claim 13, 15 or 16, characterized in that the apparatus further includes a receiving module and an updating module,
    the receiving module being configured to receive a message;
    the updating module being configured to update the identifiers of terminal devices corresponding to known device types based on the message;
    wherein the message includes the identifier of the terminal device.
  18. The apparatus according to any one of claims 14 to 16, characterized in that the apparatus further includes a receiving module and an updating module,
    the receiving module being configured to receive a message;
    the updating module being configured to update the asset library based on the message;
    wherein the message includes the device type of the terminal device and the identifier of the terminal device.
  19. The apparatus according to any one of claims 12 to 18, characterized in that the data flow statistics of the terminal device include the source Internet Protocol (IP) address or the destination IP address of at least one data flow of the terminal device.
  20. The apparatus according to claim 19, characterized in that the data flow statistics of the terminal device further include one or more of the following: the traffic volume of at least one data flow of the terminal device within a second time window, and the number of data packets of at least one data flow of the terminal device within the second time window.
  21. The apparatus according to any one of claims 12 to 20, characterized in that the identifier of the terminal device includes the IP address of the terminal device.
  22. The apparatus according to any one of claims 12 to 21, characterized in that the terminal device includes an Internet of Things (IoT) device.
  23. A device identification apparatus, characterized in that it includes a processor and a memory, the memory storing a program, and the processor being configured to execute the program stored in the memory so as to implement the device identification method according to any one of claims 1 to 11.
  24. A device identification system, characterized in that the system includes a device identification apparatus and an analyzer,
    the device identification apparatus being configured to implement the device identification method according to any one of claims 1 to 11;
    the analyzer being configured to receive the data flow statistics of a terminal device sent by the device identification apparatus, identify the device type of the terminal device according to the data flow statistics of the terminal device, and send the device type of the terminal device to the device identification apparatus.
  25. A computer-readable storage medium, characterized in that it includes instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 11.
  26. A computer program product, characterized in that it includes program code which, when the computer program product is run by a computer, causes the computer to perform the method according to any one of claims 1 to 11.
PCT/CN2022/105623 2021-07-15 2022-07-14 Device identification method, apparatus and system WO2023284809A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202110798343 2021-07-15
CN202110798343.7 2021-07-15
CN202111024391.7 2021-09-02
CN202111024391.7A CN115701028A (en) 2021-07-15 2021-09-02 Method, device and system for equipment identification

Publications (1)

Publication Number Publication Date
WO2023284809A1 true WO2023284809A1 (en) 2023-01-19

Family

ID=84919037

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/105623 WO2023284809A1 (en) 2021-07-15 2022-07-14 Device identification method, apparatus and system

Country Status (1)

Country Link
WO (1) WO2023284809A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22841442

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE