Method and device for analyzing and classifying network traffic and storage medium

Abstract

The invention relates to the technical field of network security and data processing, and relates to a method, device and equipment for analyzing and classifying network traffic and a storage medium.The first aspect of the invention provides a method for analyzing and classifying network traffic, which comprises the following steps of: acquiring a message; shunting the message according to a protocol, wherein the message at least comprises common TCP/UDP; for the common TCP/UDP, extracting the fingerprint of each type according to a payload clustering method; obtaining a domain name with themaximum jaccard coefficient in the network connection; and judging whether the existing resource library has related characteristics or not, and if not, storing the corresponding classification rules.The invention further provides electronic equipment and a computer readable storage medium. According to the method for analyzing and classifying the network traffic, a sample library does not need to be prepared in advance, the traffic in the network can be automatically classified, the attribution service of each type of traffic is analyzed, and the whole process realizes automatic and accurateclassification.

Description

Technical field: [0001] The present invention relates to the technical field of network security and data processing, in particular to a method, device, equipment and storage medium for analyzing and classifying network traffic. Background technique: [0002] Network traffic classification is of great significance to the optimal configuration of network resources and the security application of the network. Real-time and accurate classification of network traffic can guarantee the normal, stable and reliable operation of the network. [0003] Common network traffic analysis methods include DPI (Deep PacKet Inspection, deep packet inspection) and DFI (Deep / Dynamic Flow Inspection, deep / dynamic flow inspection). DPI is a method of extracting fingerprint features based on a single packet, and DFI is based on a network connection. A method for extracting multi-packet features, where features can be information such as fingerprints, packet lengths, and time intervals. With the ...

AI Technical Summary

Problems solved by technology

With the development of communication technology, smart devices have more and more influence on people. Various APPs and Internet of Things devices emerge in an endless stream.

Many researchers at home and abroad have proposed some automatic classification methods for network traffic based on machine learning. These classification methods have some disadvantages: for the supervised machine learning classification method, a complete sample library is first required, and the completeness of the sample library determines the classification results. secondly, only known services can be classified, and unknown services cannot be automatically classified because there are no samples

For unsupervised machine learning classification methods, first of all, they can only classify traffic, and can only be divided into several agreed categories, which is not applicable to the classification of network traffic in reality, because the number of categories that network traffic can be divided into is unknown Secondly, they cannot automatically classify the traffic accurately into a specific business, they only have the classification function, and they do not have the ability to analyze and classify

Images