Session recognition method and device, electronic device, and storage medium

By obtaining the target data length in session recognition and processing the data using a byte distribution feature extraction model, the problem of feature loss in session recognition is solved, thus improving the recognition accuracy.

CN117478345B · Active · Publication Date: 2026-06-23 · CHINA TELECOM CORP LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: CHINA TELECOM CORP LTD
Filing Date: 2022-07-21
Publication Date: 2026-06-23


Abstract

Embodiments of the present application disclose a session recognition method and device, electronic equipment, storage medium and program product. The method comprises the following steps: after obtaining a to-be-recognized session, a target data length that matches the data length of the to-be-recognized session is searched from a plurality of candidate data lengths, and to-be-processed data is obtained from the to-be-recognized session, wherein the data length of the to-be-processed data matches the target data length; then, the to-be-processed data is processed by using a byte distribution feature extraction model to obtain a byte distribution feature of the to-be-recognized session, and the category of the to-be-recognized session is determined based on the byte distribution feature. The technical scheme of the embodiments of the present application can improve the accuracy of session category recognition.

Description

Technical Field

[0001] This application relates to the field of computer technology, and more specifically, to a session recognition method and apparatus, electronic device, storage medium, and program product.

Background Technology

[0002] During communication, interactions between different network elements generate sessions. To facilitate operation and maintenance of network security, it is necessary to identify the types of sessions. For example, for encrypted traffic, it is necessary to identify whether it is abnormal traffic in order to ensure network security.

[0003] In related technologies, corresponding features are typically extracted from the session, and the session is then classified based on the extracted features. However, during the feature extraction process, some features are often missing, resulting in low recognition accuracy.

Summary of the Invention

[0004] To address the aforementioned technical problems, embodiments of this application provide a session identification method and apparatus, an electronic device, a storage medium, and a program product.

[0005] According to one aspect of the embodiments of this application, a session identification method is provided, the method comprising:

[0006] Obtain the session to be identified, and find the target data length that matches the data length of the session to be identified from multiple set candidate data lengths;

[0007] Data to be processed is obtained from the session to be identified; the data length of the data to be processed matches the target data length.

[0008] The data to be processed is processed by a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified;

[0009] The category of the session to be identified is determined based on the byte distribution characteristics.

[0010] According to one aspect of the embodiments of this application, a session identification device is provided, the device comprising:

[0011] The acquisition and search module is configured to acquire the session to be identified and search for a target data length that matches the data length of the session to be identified from multiple set candidate data lengths;

[0012] The data acquisition module is configured to acquire data to be processed from the session to be identified; the data length of the data to be processed matches the target data length.

[0013] The processing module is configured to process the data to be processed using a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified.

[0014] The identification module is configured to determine the category of the session to be identified based on the byte distribution characteristics.

[0015] According to one aspect of the embodiments of this application, an electronic device is provided, comprising:

[0016] One or more processors;

[0017] A storage device for storing one or more programs that, when executed by one or more processors, enable the electronic device to implement the session identification method as described above.

[0018] According to one aspect of the embodiments of this application, a computer-readable storage medium is provided, on which computer-readable instructions are stored, which, when executed by a processor of an electronic device, cause the electronic device to perform the session identification method as described above.

[0019] According to one aspect of the embodiments of this application, a computer program product is provided, including a computer program, wherein the computer instructions, when executed by a processor, implement the session recognition method as described above.

[0020] In the technical solution provided in the embodiments of this application, after obtaining the session to be identified, a target data length that matches the data length of the session to be identified is first searched from a set of multiple candidate data lengths, and data to be processed is obtained from the session to be identified, wherein the data length of the data to be processed matches the target data length; then, the data to be processed is processed by a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified, and the category of the session to be identified is determined based on the byte distribution features. That is to say, the data length of the data to be processed is preset, thereby reducing the amount of data processing, and the data length of the data to be processed matches the data length of the session to be identified, so that more byte distribution features can be extracted based on the data to be processed, thereby improving the accuracy of session category identification.

[0021] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application.

Description of the Drawings

[0022] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application. It is obvious that the drawings described below are merely some embodiments of this application, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort. In the drawings:

[0023] Figure 1 is a flowchart illustrating a session identification method in an exemplary embodiment of this application;

[0024] Figure 2 is a flowchart of step S101 of the embodiment shown in Figure 1, in an exemplary embodiment;

[0025] Figure 3 is a flowchart of step S101 of the embodiment shown in Figure 1, in an exemplary embodiment;

[0026] Figure 4 is a flowchart of step S303 of the embodiment shown in Figure 3, in an exemplary embodiment;

[0027] Figure 5 is a flowchart of step S102 of the embodiment shown in Figure 1, in an exemplary embodiment;

[0028] Figure 6 is a flowchart of step S103 of the embodiment shown in Figure 1, in an exemplary embodiment;

[0029] Figure 7 is a flowchart of step S103 of the embodiment shown in Figure 1, in an exemplary embodiment;

[0030] Figure 8 is a flowchart of step S104 of the embodiment shown in Figure 1, in an exemplary embodiment;

[0031] Figure 9 is a flowchart illustrating a session identification method in another exemplary embodiment of this application;

[0032] Figure 10 is a schematic diagram of the model structure shown in an exemplary embodiment of this application;

[0033] Figure 11 is a schematic diagram illustrating the structure of a session identification device according to an exemplary embodiment of this application;

[0034] Figure 12 is a schematic diagram of the structure of a computer system suitable for implementing the electronic device of the present application.

Detailed Implementation

[0035] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0036] The block diagrams shown in the accompanying drawings are merely functional entities and do not necessarily correspond to physically independent entities. That is, these functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.

[0037] The flowcharts shown in the accompanying drawings are merely illustrative and do not necessarily include all content and operations / steps, nor do they necessarily have to be performed in the described order. For example, some operations / steps can be broken down, while others can be combined or partially combined; therefore, the actual execution order may change depending on the specific circumstances.

[0038] It should also be noted that "multiple" as mentioned in this application refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects have an "or" relationship.

[0039] In related technologies, corresponding features are typically extracted from the session, and the session is then classified based on the extracted features. However, during the feature extraction process, some features are often missing, leading to low recognition accuracy. Therefore, embodiments of this application propose a session recognition method and apparatus, electronic device, storage medium, and program product, thereby improving the accuracy of session recognition.

[0040] See Figure 1. Figure 1 is a flowchart illustrating a session identification method in an exemplary embodiment of this application. As shown in Figure 1, in an exemplary embodiment, the session identification method may include steps S110 to S140, which are described in detail below:

[0041] Step S101: Obtain the session to be identified, and find the target data length that matches the data length of the session to be identified from the multiple candidate data lengths set.

[0042] It should be noted that during communication, interactions between different network elements generate sessions. Examples include TCP (Transmission Control Protocol) handshake identification sessions, DNS (Domain Name System) domain name lookup sessions, LLMNR (Link-Local Multicast Name Resolution) sessions, and sessions between different users (e.g., SMS-based sessions, email-based sessions, etc.). The session to be identified is the session whose category needs to be determined; its specific type can be flexibly set according to actual needs.

[0043] The data length of the session to be identified is used to characterize the amount of data contained in the session. The specific calculation method for the data length of the session to be identified can be flexibly set according to actual needs. In one example, the data length of the session to be identified can be the sum of the data lengths of multiple data packets contained in the session. For example, assuming the session to be identified includes data packet a and data packet b, where data packet a has a data length of 10 bytes and data packet b has a data length of 22 bytes, then the data length of the session to be identified is 32 bytes. In another example, since the difference in data length between the headers of different data packets is usually small, while the difference in data length between the payloads (i.e., the part of the data packet excluding the header) of different data packets is usually large, to reduce the amount of data processing, the data length of the session to be identified can also be the sum of the data lengths of the payloads of multiple data packets contained in the session. For example, assuming the header data length of data packet a is 1 byte and the payload data length is 9 bytes, and the header data length of data packet b is 2 bytes and the payload data length is 20 bytes, then the data length of the session to be identified is 29 bytes.

[0044] The candidate data length is a pre-set data length used to characterize the amount of byte distribution data to be obtained from the session to be identified. This byte distribution data is the data used to extract byte distribution features, i.e., the data to be processed. Since the data lengths differ significantly between different sessions (for example, emails have longer data packets than SMS messages), multiple candidate data lengths are set in this embodiment to extract sufficient data from the session to improve the accuracy of session category identification. The specific values of these candidate data lengths can be flexibly set according to actual needs. In one example, multiple candidate data lengths can be determined based on the type of session to be identified; for example, a larger candidate data length can be set for email sessions, and a smaller candidate data length can be set for SMS sessions. In another example, multiple historical sessions can be obtained, and these sessions can be clustered based on their data lengths to obtain multiple historical session sets. The cluster centers of each historical session set are then used as candidate data lengths.

[0045] In this embodiment, after obtaining the session to be identified, a target data length that matches the data length of the session to be identified can be found from a plurality of pre-set candidate data lengths.

[0046] The specific method for determining the target data length can be flexibly set according to actual needs. In one example, from a set of pre-defined candidate data lengths, the candidate data length with the smallest difference from the data length of the session to be identified can be found, and this found candidate data length can be used as the target data length. In another example, to ensure that enough data is obtained, from a set of pre-defined candidate data lengths, the candidate data length that is greater than the data length of the session to be identified and has the smallest difference from the data length of the session to be identified can be found, and this found candidate data length can be used as the target data length. In other words, the target data length is greater than the data length of the session to be identified.

[0047] Step S102: Obtain the data to be processed from the session to be identified; the data length of the data to be processed matches the target data length.

[0048] It should be noted that the data to be processed is the data used to extract byte distribution features, that is, byte distribution data.

[0049] In this embodiment, after obtaining the target data length corresponding to the session to be identified, data whose length matches the target data length is obtained from the data contained in the session to be identified, and the obtained data is used as the data to be processed.

[0050] Optionally, matching the length of the data to be processed with the target data length can be achieved by the data length of the data to be processed being equal to the target data length. For example, assuming the target data length is 6 bytes, then 6 bytes of data are extracted from the data contained in the session to be identified, and this extracted data is used as the data to be processed; that is, the data length of the data to be processed is 6 bytes. Alternatively, matching the length of the data to be processed with the target data length can be achieved by the length of the data to be processed being equal to the square of the target data length.

[0051] The specific method for retrieving data to be processed from the session to be identified can be flexibly configured according to actual needs. For example, if the session to be identified contains multiple data packets, the data to be processed can be extracted from the payload and header of multiple data packets; or, since the headers of different data packets are highly similar and the differences between the byte distribution features obtained based on the headers are small, the data to be processed can be extracted only from the payload of multiple data packets. Specifically, data can be extracted sequentially from multiple data packets according to the corresponding time order until the length of the extracted data matches the target data length. It should be noted that the time corresponding to the data packets includes, but is not limited to, at least one of the data packet reception time, transmission time, and generation time, and the sorting method can be from front to back or from back to front.

[0052] Step S103: The data to be processed is processed by the byte distribution feature extraction model to obtain the byte distribution features of the session to be identified.

[0053] Byte distribution features are used to characterize the features of the bytes contained in the session to be identified, such as the relationships between different bytes. The forms of byte distribution features include, but are not limited to, vectors, matrices, arrays, and numerical values.

[0054] The byte distribution feature extraction model is a machine learning model used to extract byte distribution features from input data. The specific type of the byte distribution feature extraction model can be flexibly set according to actual needs. For example, it includes, but is not limited to, CNN (Convolutional Neural Network), RNN (Recurrent Neural Network), etc. Optionally, in one example, the byte distribution feature extraction model can be a two-dimensional convolutional neural network.

[0055] In this embodiment, after obtaining the data to be processed from the session to be identified, the data to be processed is input into the byte distribution feature extraction model. The byte distribution feature extraction model analyzes the data to be processed and outputs the byte distribution features of the session to be identified.

[0056] Optionally, if the byte distribution feature extraction model is a two-dimensional convolutional neural network, a matrix can be constructed based on the data to be processed. This constructed matrix is then input into the byte distribution feature extraction model to obtain the byte distribution features of the session to be identified. The number of rows and columns of the matrix can be flexibly set according to actual needs. In one example, the matrix can be a square matrix, and the number of rows in the square matrix can be the square root of the length of the data to be processed, or the number of rows in the square matrix can be the square root of the target data length.

[0057] Step S104: Determine the category of the session to be identified based on byte distribution characteristics.

[0058] After obtaining the byte distribution characteristics of the session to be identified, the session can be classified based on these characteristics to obtain the category of the session to be identified.

[0059] Optionally, to improve recognition accuracy, byte distribution features can be input into a classification model. The classification model analyzes these features and outputs the category of the session to be identified. The classification model is a machine learning model used to identify the category based on the input data. Specific types of classification models include, but are not limited to, neural network models, such as fully connected neural network models.

[0060] Optionally, to improve recognition accuracy, temporal features of the session to be identified can be extracted from the data contained in the session to be identified, and the category of the session to be identified can be determined based on the temporal features and byte distribution features. For a detailed description of the temporal features and their extraction methods, please refer to subsequent sections; they will not be elaborated here.

[0061] In this embodiment, after obtaining the session to be identified, a target data length matching the data length of the session to be identified is first searched from a set of multiple candidate data lengths. Then, data to be processed is obtained from the session to be identified, wherein the data length of the data to be processed matches the target data length. Next, the data to be processed is processed through a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified. Then, the category of the session to be identified is determined based on the byte distribution features. That is to say, the data length of the data to be processed is preset, thereby reducing the amount of data processing. Moreover, compared with obtaining data of a fixed length from the session to be identified, and extracting features from data of a fixed length, which leads to feature loss and low category identification accuracy, in this embodiment, the data length of the data to be processed extracted from the session to be identified matches the data length of the session to be identified, so that more byte distribution features can be extracted based on the data to be processed, thereby improving the accuracy of session category identification.

[0062] In one exemplary embodiment, see Figure 2. Figure 2 is a flowchart of step S101 of the embodiment shown in Figure 1, in an exemplary embodiment. As shown in Figure 2, the process of obtaining the session to be identified may include steps S201-S202, which are described in detail below:

[0063] Step S201: Obtain multiple data packets.

[0064] In order to obtain the session to be identified, in this embodiment, multiple data packets can be obtained first.

[0065] Optionally, multiple data packets can be captured from the network using a packet capture tool. For example, multiple data packets can be captured from the network using PCAP (packet capture library).

[0066] Step S202: Construct the session to be identified based on the acquired multiple data packets.

[0067] After acquiring multiple data packets, a session is constructed based on the acquired data packets.

[0068] Optionally, a session can be constructed based on the 5-tuple of data packets. The 5-tuple includes the source IP (Internet Protocol) address, source port, destination IP address, destination port, and transport layer protocol. In one example, packets with matching 5-tuples can be grouped into the same session. Matching the 5-tuples of two packets can include: the two packets having the same 5-tuple without distinguishing between sending and receiving directions (i.e., without distinguishing whether the IP address is the source IP address or the destination IP address, and without distinguishing whether the port is the source port or the destination port). For example, suppose packet 1 has the 5-tuple IP1 (source IP address), IP2 (destination IP address), port 1 (source port), port 2 (destination port), and protocol 1; packet 2 has the 5-tuple IP1 (destination IP address), IP2 (source IP address), port 2 (source port), port 1 (destination port), and protocol 1. Without distinguishing between sending and receiving directions, packet 1's 5-tuple is the same as packet 2's 5-tuple; therefore, packet 1 and packet 2's 5-tuples match.

[0069] After a session is constructed, it can be directly used as the session to be identified. Alternatively, to reduce resource consumption, the constructed session can be filtered based on preset conditions, and the filtered session can be used as the session to be identified. The preset conditions can be flexibly set according to actual needs. For example, to avoid duplicate identification, duplicate sessions can be filtered out, or sessions identified by TCP handshake, DNS protocol domain name query sessions, LLMNR protocol sessions, etc. can be filtered out.

[0070] Optionally, to improve recognition accuracy, after constructing the session to be identified, the source IP address and destination IP address in the session can be anonymized. The category of the anonymized session can then be identified. The anonymization method can be flexibly configured according to actual needs; for example, the source IP address and destination IP address in the session can be replaced with specified characters.

[0071] In this embodiment, multiple data packets are first acquired, and then a session to be identified is constructed based on the acquired multiple data packets, thereby obtaining the session whose category needs to be identified.
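Added example, not part of the patent text: one way to implement the session construction of steps S201-S202 in Python, grouping packets by a direction-agnostic 5-tuple, filtering sessions, and anonymizing addresses. The `Packet` type, the port-based DNS/LLMNR filter (ports 53 and 5355), the "no payload at all" test for handshake-only sessions, and the mask value are assumptions made for the illustration; the sample packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Hypothetical parsed packet; fields mirror the 5-tuple plus time and payload."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


# Assumption: DNS and LLMNR sessions are recognised by their well-known ports.
SKIP_PORTS = frozenset({53, 5355})


def session_key(p):
    """5-tuple key that ignores direction: each IP stays paired with its own
    port, and the two endpoints are sorted so A->B and B->A give the same key."""
    lo, hi = sorted(((p.src_ip, p.src_port), (p.dst_ip, p.dst_port)))
    return (lo, hi, p.proto)


def build_sessions(packets, skip_ports=SKIP_PORTS):
    """Group packets into sessions, then apply the optional filtering step."""
    grouped = defaultdict(list)
    for p in packets:
        grouped[session_key(p)].append(p)

    sessions = {}
    for key, pkts in grouped.items():
        # Filter out DNS / LLMNR sessions (assumed port-based check).
        if any(p.src_port in skip_ports or p.dst_port in skip_ports for p in pkts):
            continue
        # Filter out handshake-only sessions (assumed: no packet carries payload).
        if not any(p.payload for p in pkts):
            continue
        sessions[key] = sorted(pkts, key=lambda p: p.ts)  # time order
    return sessions


def anonymize(pkts, mask="0.0.0.0"):
    """Replace source and destination IPs with specified characters so a
    downstream model cannot key on addresses; payload and timing are kept."""
    return [replace(p, src_ip=mask, dst_ip=mask) for p in pkts]


# Constructed sample traffic: one bidirectional TCP flow, one DNS query,
# and one flow that never got past the handshake.
SAMPLE_PACKETS = [
    Packet(2.0, "10.0.0.2", 443, "10.0.0.1", 50000, "TCP", b"resp"),
    Packet(1.0, "10.0.0.1", 50000, "10.0.0.2", 443, "TCP", b"req"),
    Packet(0.5, "10.0.0.1", 40000, "10.0.0.9", 53, "UDP", b"query"),
    Packet(0.1, "10.0.0.1", 50001, "10.0.0.3", 80, "TCP", b""),
    Packet(0.2, "10.0.0.3", 80, "10.0.0.1", 50001, "TCP", b""),
]

if __name__ == "__main__":
    for key, pkts in build_sessions(SAMPLE_PACKETS).items():
        print(key, [p.payload for p in anonymize(pkts)])
```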

[0072] In one exemplary embodiment, see Figure 3. Figure 3 is a flowchart of step S101 of the embodiment shown in Figure 1, in an exemplary embodiment. As shown in Figure 3, under the condition that the session to be identified contains multiple data packets and the data to be processed is data extracted from the payload of the data packets, the process of finding the target data length that matches the data length of the session to be identified from multiple set candidate data lengths may include steps S301-S303, which are described in detail below:

[0073] Step S301: Obtain the data length corresponding to the payload of each of the multiple data packets.

[0074] Since the data to be processed is extracted from the payload of data packets, the data length corresponding to the payload of each data packet contained in the session to be identified can be obtained.

[0075] Step S302: Sum the obtained data lengths to obtain the data length of the session to be identified.

[0076] After obtaining the data length corresponding to the payload of each data packet in the session to be identified, the data lengths corresponding to the payloads of multiple data packets in the session to be identified can be summed to obtain the data length of the session to be identified.

[0077] Step S303: Determine the target data length from the multiple candidate data lengths based on the difference between the data length of the session to be identified and the multiple candidate data lengths set.

[0078] After obtaining the data length of the session to be identified, the target data length can be determined from the multiple candidate data lengths based on the difference between the data length of the session to be identified and the multiple candidate data lengths set.

[0079] Optionally, the candidate data length with the smallest difference between the set multiple candidate data lengths and the data length of the session to be identified can be found, and the found candidate data length can be used as the target data length.

[0080] In this embodiment, under the condition that the session to be identified contains multiple data packets and the data to be processed is the data extracted from the payload of the data packets, the data lengths corresponding to the payloads of the multiple data packets are obtained respectively. The obtained data lengths are summed to obtain the data length of the session to be identified. Based on the difference between the data length of the session to be identified and the set multiple candidate data lengths, the target data length is determined from the multiple candidate data lengths. In this way, while reducing the amount of data processing, as much data as possible is obtained from the payload of the data packets contained in the session to be identified. Based on the obtained data, the byte distribution characteristics of the session to be identified are determined, thereby improving the accuracy of session category identification.

[0081] In one exemplary embodiment, see Figure 4. Figure 4 is a flowchart of step S303 of the embodiment shown in Figure 3, in an exemplary embodiment. As shown in Figure 4, the process of determining the target data length from multiple candidate data lengths based on the difference between the data length of the session to be identified and multiple candidate data lengths can include steps S401-S403, which are described in detail below:

[0082] Step S401: From the multiple set candidate data lengths, find a first candidate data length that is shorter than the data length of the session to be identified and has the smallest difference from it; and find a second candidate data length that is longer than the data length of the session to be identified and has the smallest difference from it.

[0083] The first candidate data length is the candidate data length with the smallest difference between itself and the data length of the session to be identified, among the candidate data lengths that are shorter than the data length of the session to be identified; the second candidate data length is the candidate data length with the smallest difference between itself and the data length of the session to be identified, among the candidate data lengths that are longer than the data length of the session to be identified. In other words, if the candidate data lengths are sorted by numerical value, the data length of the session to be identified is between the first and second candidate data lengths, and the first and second candidate data lengths are adjacent in the sorting.

[0084] Step S402: If the data length of the session to be identified is greater than the average of the first candidate data length and the second candidate data length, but less than the second candidate data length, then the second candidate data length is taken as the target data length corresponding to the session to be identified.

[0085] If the data length of the session to be identified is greater than the average of the first candidate data length and the second candidate data length, and the data length of the session to be identified is less than the second candidate data length, then the second candidate data length will be used as the target data length corresponding to the session to be identified.

[0086] Step S403: If the data length of the session to be identified is less than the average of the first candidate data length and the second candidate data length, but greater than the first candidate data length, then the first candidate data length is taken as the target data length corresponding to the session to be identified.

[0087] If the data length of the session to be identified is less than the average of the first candidate data length and the second candidate data length, and the data length of the session to be identified is greater than the first candidate data length, then the first candidate data length will be used as the target data length corresponding to the session to be identified.

[0088] Optionally, if for a given session to be identified, there is no corresponding first candidate data length (i.e., among multiple candidate data lengths, there is no candidate data length shorter than the data length of the session to be identified), then the second candidate data length corresponding to the session to be identified can be used as the target data length. If for a given session to be identified, there is no corresponding second candidate data length (i.e., among multiple candidate data lengths, there is no candidate data length longer than the data length of the session to be identified), then the first candidate data length corresponding to the session to be identified can be used as the target data length. The formula for calculating the target data length can be as follows:

[0089]

[0090] Here, win_width is the target data length, sess_payload is the data length of the session to be identified, and W_1 to W_N are the N candidate data lengths. The index of a candidate data length (i.e., 1 to N) reflects its numerical value: the index is positively correlated with the numerical value of the candidate data length, that is, the larger the index, the larger the numerical value of the candidate data length.

[0091] In this embodiment, a first candidate data length is found from a set of multiple candidate data lengths that is shorter than the data length of the session to be identified and has the smallest difference between the two data lengths. A second candidate data length is found from a set of multiple candidate data lengths that is longer than the data length of the session to be identified and has the smallest difference between the two data lengths. If the data length of the session to be identified is greater than the average of the first and second candidate data lengths but less than the second candidate data length, then the second candidate data length is used as the target data length corresponding to the session to be identified. If the data length of the session to be identified is less than the average of the first and second candidate data lengths but greater than the first candidate data length, then the first candidate data length is used as the target data length corresponding to the session to be identified, thereby reasonably selecting the target data length.

[0092] In one exemplary embodiment, Figure 5 is a flowchart of step S102 of the embodiment shown in Figure 1. As shown in Figure 5, when the session to be identified contains multiple data packets, the process of obtaining the data to be processed from the session to be identified may include steps S501-S502, which are described in detail below:

[0093] Step S501: Extract data sequentially from the payloads of multiple data packets according to the corresponding time order until the length of the extracted data matches the target data length.

[0094] Since the differences in the header of the data packets are small, it is not possible to extract many byte distribution features. Therefore, data can be extracted from the payload of the data packets. Specifically, data can be extracted sequentially from the payloads of multiple data packets contained in the session to be identified in the order of the corresponding time from front to back, until the length of the extracted data reaches the target data length.

[0095] The time corresponding to the data packet includes, but is not limited to, the data packet generation time, sending time, and receiving time.

[0096] It should be noted that the specific method for extracting data sequentially from the payloads of multiple data packets according to the corresponding time order until the length of the extracted data matches the target data length can be flexibly set according to actual needs.

[0097] In an optional implementation, data can be extracted from the payload of the first data packet according to the corresponding time sequence. Then, data can be extracted from the payload of the second data packet, and so on, until the length of the extracted data matches the target data length. For example, assume that matching means the length of the extracted data is equal to the target data length, that the target data length is 16 bytes, and that the session to be identified includes 4 data packets, ordered as data packet c1, data packet c2, data packet c3, and data packet c4, where the payload of data packet c1 is 15 bytes, the payload of data packet c2 is 30 bytes, the payload of data packet c3 is 6 bytes, and the payload of data packet c4 is 9 bytes. Then 15 bytes of data can be extracted from the payload of data packet c1 and 1 byte of data can be extracted from the payload of data packet c2.

[0098] In another optional implementation, data of a set length can be extracted sequentially from the payload of data packets according to the corresponding time sequence until the length of the extracted data matches the target data length. The set length can be flexibly set according to actual needs; for example, it can be set to the square root of the target data length. For instance, assuming the length of the extracted data matches the target data length (i.e., the length of the extracted data equals the target data length), and the target data length is 16 bytes, and the session to be identified includes data packets c1, c2, c3, and c4, and the set length is the square root of the target data length (i.e., 4 bytes), then 4 bytes of data can be extracted from each data packet from c1 to c4, resulting in 16 bytes of data.

[0099] Step S502: The extracted data is used as data to be processed.

[0100] After extracting data of the target data length from the payload of multiple packets contained in the session to be identified, the extracted data is used as the data to be processed.

[0101] In this embodiment, data is extracted sequentially from the payloads of multiple data packets contained in the session to be identified according to the time order corresponding to the data packets, until the length of the extracted data matches the target data length. The extracted data is then used as the data to be processed. Since the data to be processed is extracted from the data packets according to the time order, the byte distribution features can be better extracted based on the data to be processed, thereby improving the accuracy of session category identification.
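The target-length selection of steps S401-S403 and paragraph [0088], followed by the sequential payload extraction of paragraph [0097], as an added example that is not code from the patent. The candidate lengths, the handling of a session length exactly equal to a candidate or to the average, the zero padding of short sessions, and all function names are assumptions, since the text does not specify them.

```python
from bisect import bisect_left

# Assumed candidate data lengths; the patent does not list concrete values.
CANDIDATES = [16, 64, 256, 1024]


def select_target_length(sess_payload, candidates=CANDIDATES):
    """Return the candidate length that steps S401-S403 pick for a session."""
    cands = sorted(set(candidates))
    if not cands:
        raise ValueError("no candidate data lengths configured")
    i = bisect_left(cands, sess_payload)
    if i < len(cands) and cands[i] == sess_payload:
        return cands[i]      # assumption: an exact match selects itself
    if i == 0:
        return cands[0]      # [0088]: no shorter candidate exists
    if i == len(cands):
        return cands[-1]     # [0088]: no longer candidate exists
    first, second = cands[i - 1], cands[i]   # adjacent neighbours, [0083]
    # S402 / S403. Assumption: a length equal to the average takes the
    # shorter candidate, because the text only covers the strict cases.
    return second if sess_payload > (first + second) / 2 else first


def session_length(packets):
    """Data length of a session: the sum of its payload lengths."""
    return sum(len(payload) for _, payload in packets)


def extract_sequential(packets, target_len):
    """Fill target_len bytes from payloads in time order, as in [0097].

    packets is a list of (timestamp, payload) pairs in any order.
    Returns the extracted bytes and the byte count taken from each packet.
    """
    data = bytearray()
    taken = []
    for _, payload in sorted(packets, key=lambda p: p[0]):
        chunk = payload[: target_len - len(data)]   # empty once full
        data += chunk
        taken.append(len(chunk))
    # Assumption: a session shorter than its (rounded-up) target length is
    # padded with zero bytes so every input has exactly target_len bytes.
    data += bytes(target_len - len(data))
    return bytes(data), taken


# Constructed session mirroring the c1..c4 example (15, 30, 6 and 9 bytes),
# deliberately listed out of time order.
SESSION = [
    (0.3, b"D" * 9),
    (0.0, b"A" * 15),
    (0.2, b"C" * 6),
    (0.1, b"B" * 30),
]

if __name__ == "__main__":
    print(extract_sequential(SESSION, 16))
    target = select_target_length(session_length(SESSION))
    print(target, extract_sequential(SESSION, target)[1])
```

With the assumed candidates the 60-byte constructed session rounds up to 64, so the extraction consumes every payload and appends 4 padding bytes, a case the 16-byte walk-through in the text does not reach.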

[0102] In one exemplary embodiment, Figure 6 is a flowchart of step S103 of the embodiment shown in Figure 1. As shown in Figure 6, the process of processing the data to be processed using the byte distribution feature extraction model to obtain the byte distribution features of the session to be identified may include steps S601-S602, which are described in detail below:

[0103] Step S601: Input the data to be processed into the byte distribution feature extraction model so that the data to be processed can be processed through the byte distribution feature extraction model.

[0104] In order to extract the byte distribution features of the session to be identified from the data to be processed, in this embodiment, the data to be processed can be fed into the byte distribution feature extraction model so that the byte distribution feature extraction model can analyze and process the data to be processed.

[0105] Step S602: The data output by the penultimate layer of the byte distribution feature extraction model for the data to be processed is used as the byte distribution feature of the session to be identified.

[0106] It should be understood that the byte distribution feature extraction model contains multiple layers of networks, with the last layer being the output layer, which can be a fully connected neural network.

[0107] After the data to be processed is input into the byte distribution feature extraction model, the multi-layer network contained in the byte distribution feature extraction model will analyze the data to be processed. In this embodiment, the data output from the penultimate layer of the byte distribution feature extraction model is used as the byte distribution feature of the session to be identified. The data output from the penultimate layer of the byte distribution feature extraction model is input into the output layer of the byte distribution feature extraction model. Correspondingly, it is equivalent to using the input data of the output layer of the byte distribution feature extraction model as the byte distribution feature of the session to be identified.

[0108] In this embodiment, the data output by the penultimate layer of the byte distribution feature extraction model is used as the byte distribution feature of the session to be identified. Since the penultimate layer of the byte distribution feature extraction model outputs a large amount of data, it can better characterize the byte distribution feature of the session to be identified. Therefore, the accuracy of session category identification can be improved.

[0109] In one exemplary embodiment, Figure 7 is a flowchart of step S103 of the embodiment shown in Figure 1. As shown in Figure 7, when the session to be identified contains multiple data packets, the process of processing the data to be identified using a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified may include steps S701-S702, which are described in detail below:

[0110] Step S701: Based on the corresponding target data length, classify the data to be processed corresponding to multiple sessions to be identified to obtain multiple data sets.

[0111] In this embodiment, there are multiple sessions to be identified, and correspondingly, there are multiple data to be processed. The multiple data to be processed are classified, that is, the data to be processed with the same target data length are divided into the same data set, thereby obtaining multiple data sets.

[0112] Step S702: Input each data set into the byte distribution feature extraction model to obtain the byte distribution features of the session to be identified corresponding to each data set.

[0113] Each dataset is input into the byte distribution feature extraction model, thereby obtaining the byte distribution features of the session to be identified to which the data to be processed in that dataset belongs.

[0114] Optionally, to improve feature extraction speed, each dataset and the target data length corresponding to each dataset can be input into the byte distribution feature extraction model.

[0115] In this embodiment, based on the corresponding target data length, the data to be processed corresponding to multiple sessions to be identified is classified to obtain multiple data sets. Each data set is input into the byte distribution feature extraction model to obtain the byte distribution features of the session to be identified corresponding to each data set. This allows the byte distribution feature extraction model to process data to be processed in batches with the same data length, improving the feature extraction speed and thus improving the session identification efficiency.

[0116] In one exemplary embodiment, Figure 8 is a flowchart of step S104 of the embodiment shown in Figure 1. As shown in Figure 8, the process of determining the category of a session to be identified based on byte distribution characteristics may include steps S801-S804, which are described in detail below:

[0117] Step S801: Extract the temporal features of the session to be identified from the data contained in the session to be identified.

[0118] It should be noted that the temporal features of the session to be identified represent the temporal characteristics of the session. The forms of temporal features include, but are not limited to, vectors, matrices, arrays, and numerical values.

[0119] In this embodiment, the timing characteristics of the session to be identified can be extracted from the data contained in the session to be identified. In one example, the timing characteristics of the session to be identified can be determined based on the packet headers of the data packets contained in the session to be identified.

[0120] In an optional implementation, data of a specified length can be extracted from the data contained in the session to be identified, and the temporal characteristics of the session to be identified can be determined based on the extracted data. If the session to be identified contains multiple data packets, the process of extracting data of a specified length from the data contained in the session to be identified and determining the temporal characteristics of the session to be identified based on the extracted data may include steps one and two, which are described in detail below:

[0121] Step 1: Obtain a specified number of data packets from the multiple data packets contained in the session to be identified.

[0122] The specific value of the specified quantity can be flexibly set according to actual needs.

[0123] The specific method for retrieving a specified number of data packets from multiple data packets contained in the session to be identified can be flexibly set according to actual needs. In one example, a specified number of data packets can be randomly retrieved from multiple data packets contained in the session to be identified. In another example, a specified number of data packets can be retrieved from multiple data packets contained in the session to be identified according to the corresponding time. The sorting method can be sorting from front to back according to the corresponding time, or sorting from back to front according to the corresponding time.

[0124] Step 2: Extract data of length m from each acquired data packet, and determine the temporal characteristics of the session to be identified based on the extracted data; where m = specified data length / specified number.

[0125] Optionally, the process of extracting data of length m from each acquired data packet may include: constructing data of length m based on at least one of the packet header, transmission direction, data length, and time interval of each data packet. The time interval corresponding to the data packet is the time difference between the time corresponding to that data packet and the time corresponding to the first data packet in the specified number of data packets. It should be noted that the sorting method can be from front to back according to the corresponding time, or from back to front according to the corresponding time. In one example, data of length 42 bytes can be extracted from each acquired data packet, where the 42 bytes of data include:

[0126] Byte 0: The direction of data transmission and the length of the data packet;

[0127] Byte 1: The time interval corresponding to the data packet;

[0128] Bytes 2-21: The first 20 bytes of the IP header of the data packet;

[0129] Bytes 22-41: If the data packet is transmitted based on the TCP protocol, it consists of the first 20 bytes of the TCP protocol header; if the data packet is transmitted based on the UDP protocol, it consists of the first 12 bytes of the UDP protocol header plus 12 bytes of zero padding.

[0130] In an optional implementation, in order to improve the accuracy of temporal feature extraction, the data contained in the session to be identified can be input into the temporal feature extraction model to obtain the temporal features of the session to be identified.

[0131] The temporal feature extraction model is a machine learning model used to extract temporal features based on input data. The specific type of the temporal feature extraction model can be flexibly set according to actual needs; for example, it can be a CNN, RNN, etc. To effectively extract temporal features, the temporal feature extraction model can be a bidirectional long short-term memory network.

[0132] Optionally, after inputting the data contained in the session to be identified into the temporal feature extraction model, the data output by the penultimate layer of the temporal feature extraction model can be used as the temporal feature of the session to be identified.

[0133] Step S802: Obtain the weights corresponding to the time sequence features and byte distribution features respectively.

[0134] The weights are used to characterize their importance in session category identification. The specific values of the weights can be flexibly set according to actual needs. For example, the specific values of the weights can be set by developers or users according to development requirements, allowing them to dynamically adjust the influence of temporal features and byte distribution features on category identification; or, if a classification model is used to identify the category of the session to be identified, the specific values of the weights can be adjusted during the training and optimization of the classification model; or, the specific values of the weights can be set by the developers, that is, the specific values of the weights are hyperparameters of the classification model.

[0135] After obtaining the temporal features and byte distribution features of the session to be identified, the weights of the temporal features and the byte distribution features can be obtained.

[0136] Step S803: The temporal features and byte distribution features are fused according to the obtained weights to obtain the fused features of the session to be identified.

[0137] After obtaining the weights of the temporal features and the byte distribution features, the temporal features and byte distribution features can be fused based on the obtained weights to obtain the fused features of the session to be identified.

[0138] Optionally, the fusion method includes, but is not limited to: concatenating the temporal features and byte distribution features based on the weights of the temporal features and the weights of the byte distribution features to obtain the fused features; or summing the temporal features and byte distribution features based on the weights of the temporal features and the weights of the byte distribution features to obtain the fused features.

[0139] Step S804: Determine the category of the session to be identified based on the fused features.

[0140] After obtaining the fusion features of the session to be identified, the category of the session to be identified is determined based on the fusion features.

[0141] To improve recognition accuracy, fused features can be input into a classification model to obtain the category of the session to be recognized output by the classification model.

[0142] Among them, the classification model is a type of machine learning model, and its specific type can be flexibly set according to actual needs. For example, it can be a fully connected neural network.

[0143] In this embodiment, the temporal features of the session to be identified are extracted from the data contained in the session to be identified, and the weights corresponding to the temporal features and byte distribution features are obtained. The temporal features and byte distribution features are fused according to the obtained weights to obtain the fused features of the session to be identified. The category of the session to be identified is determined based on the fused features, thereby improving the accuracy of category identification.

[0144] The following provides a detailed description of a specific application scenario of this application. As shown in Figure 9, the session identification method includes:

[0145] Step S901: Obtain the PCAP file.

[0146] The PCAP file includes multiple data packets captured from the network via PCAP.

[0147] Step S902: Build a session based on the PCAP file.

[0148] This involves classifying data packets contained in the PCAP file based on 5-tuples, grouping packets with the same 5-tuple into the same session, thus resulting in multiple sessions.

[0149] Step S903: Filter the constructed sessions to obtain the sessions to be identified.

[0150] From the constructed multiple sessions, duplicate sessions, TCP handshake-identified sessions, DNS protocol domain name query sessions, and LLMNR protocol sessions are filtered out, and the remaining sessions are used as the sessions to be identified.

[0151] Optionally, the destination IP address and source IP address fields in the packets contained in the session to be identified can be anonymized.

[0152] Step S904: Obtain timing data from each session to be identified.

[0153] Optionally, the process of obtaining time-series data from each session to be identified may include steps 1.1-1.3, which are detailed below:

[0154] Step 1.1: Select SESS_PKG_NUM data packets from the multiple data packets contained in each session to be identified, in order of their corresponding times from front to back.

[0155] Optionally, the multiple data packets contained in each session to be identified can be sorted in chronological order according to their corresponding time, and the first SESS_PKG_NUM data packets can be selected. For example, assuming SESS_PKG_NUM is 5, session 1 contains 20 data packets, which are ordered from 1 to 20 according to their reception time, and session 2 contains 15 data packets, which are ordered from 21 to 35 according to their reception time, then data packets 1 to 5 can be selected from session 1, and data packets 21 to 25 can be selected from session 2.

[0156] Step 1.2: Extract 42 bytes of data from each of the SESS_PKG_NUM data packets to obtain data with a length of 42 * SESS_PKG_NUM bytes.

[0157] For a specific data packet, the corresponding 42 bytes of data are as follows:

[0158] Byte 0: The transmission direction and length of the data packet. The transmission direction of the first data packet can be denoted as positive, and the opposite direction as negative. The first data packet is the first data packet in the sequence of SESS_PKG_NUM data packets.

[0159] Byte 1: The time interval between the data packet and the first data packet.

[0160] Bytes 2-21: The first 20 bytes of the IP header of the data packet, excluding the "optional" field;

[0161] Bytes 22-41: If the data packet is transmitted based on the TCP protocol, it consists of the first 20 bytes of the TCP protocol header; if the data packet is transmitted based on the UDP protocol, it consists of the first 12 bytes of the UDP protocol header plus 12 bytes of zero padding.

[0162] Step 1.3: Use data with a length of 42*SESS_PKG_NUM bytes as the timing data of the session to be identified.

[0163] In other words, for each session to be identified, the length of its corresponding time-series data is 42 * SESS_PKG_NUM bytes.

[0164] Step S905: Input the time series data of each session to be identified into a bidirectional long short-term memory network to obtain the time series features of each session to be identified.

[0165] Step S906: Obtain byte distribution data from each session to be identified.

[0166] Optionally, the process of obtaining byte distribution data from each session to be identified may include steps 2.1-2.3, which are detailed below:

[0167] Step 2.1: Determine the data length for each session to be identified.

[0168] Specifically, for each session to be identified, the data length of the payload of multiple data packets contained therein is obtained, and the data lengths of the payloads of multiple data packets are summed, and the sum is used as the data length of the session to be identified.

[0169] Step 2.2: Select the target data length that matches the data length of each session to be identified from the set multiple candidate data lengths.

[0170] Assuming the number of candidate data lengths is N, the target data length for each session to be identified can be determined using the following formula:

[0171]

[0172] in, Let be the set of candidate data lengths, where the larger the index, the larger the corresponding value.

[0173] Step 2.3: Obtain byte distribution data whose data length matches the target data length from the payload of multiple data packets contained in each session to be identified.

[0174] Optionally, assume the target data length is Then, w_i data packets are obtained from the multiple data packets contained in each session to be identified, in chronological order according to the corresponding time, and data of length w_i is extracted from the payload of each of the w_i data packets, thus obtaining a data length of... Byte distribution data. For example, in the data matrix shown in Figure 9, each row represents the data contained in the payload of a single data packet, and the byte distribution data is obtained from the data matrix based on w_i; if the payload of a data packet is less than w_i, it can be padded with "0" characters.

[0175] Step S907: Input the byte distribution data of each session to be identified into a two-dimensional convolutional neural network to obtain the byte distribution features of each session to be identified.

[0176] Optionally, a square matrix with the number of rows equal to the square root of the target data length is constructed based on the byte distribution data of each session to be identified, and the square matrix is input into a two-dimensional convolutional neural network.

[0177] To enable 2D convolutional neural networks to process data in batches, the byte distribution data of multiple sessions to be identified can be classified based on their corresponding target data lengths. Byte distribution data with the same target data length are grouped into the same set, resulting in multiple data sets. Each data set is then input into the 2D convolutional neural network to obtain the byte distribution features of the session to be identified for each data set. In one example, this involves the total set of byte distribution data corresponding to multiple sessions to be identified. Where (sess_grp1, w1) corresponds to a target data length of A data set, comprising data of length . Byte distribution data; The corresponding target data length is A data set, comprising data of length . Byte distribution data; The corresponding target data length is A data set, comprising data of length . The byte distribution data can be used to input (sess_grp1, w1) into a two-dimensional convolutional neural network to obtain the byte distribution features of multiple sessions to be identified corresponding to this dataset. For example, suppose (sess_grp1, w1) includes two data sets of length 1. By analyzing the byte distribution data, we obtain the byte distribution features of the session to be identified corresponding to the first and second byte distribution data, thereby enabling the two-dimensional convolutional neural network to process data in batches, improving data processing efficiency and thus improving category recognition efficiency.
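Step 2.3 and the batching of paragraphs [0176]-[0177], as an added example that is not code from the patent: each session becomes a square byte matrix whose side is the square root of its target data length, and matrices with the same target length are grouped into one batch. The sample sessions are constructed, the target lengths are taken as given, and the function names, the use of the 0x00 byte as padding, and the all-zero rows for sessions with too few packets are assumptions.

```python
import math
from collections import defaultdict


def byte_matrix(packets, target_len):
    """Build the w x w byte matrix for one session, w = sqrt(target_len).

    packets is a list of (timestamp, payload) pairs in any order. Row k
    holds the first w payload bytes of the k-th packet in time order.
    """
    w = math.isqrt(target_len)
    if w * w != target_len:
        raise ValueError("target data length must be a perfect square")
    ordered = sorted(packets, key=lambda p: p[0])[:w]   # first w packets
    # Short payloads are right-padded. Assumption: the pad value is 0x00.
    rows = [list(payload[:w].ljust(w, b"\x00")) for _, payload in ordered]
    # Assumption: a session with fewer than w packets gets all-zero rows,
    # so every matrix in a batch has the same shape.
    rows += [[0] * w for _ in range(w - len(rows))]
    return rows


def group_by_target_length(sessions):
    """Group session matrices by target length ([0177]).

    sessions maps session id -> (target_len, packets).
    Returns target_len -> (list of session ids, list of matrices); every
    matrix in one list has the same shape and can be fed as one batch.
    """
    ids = defaultdict(list)
    mats = defaultdict(list)
    for sid, (target_len, packets) in sessions.items():
        ids[target_len].append(sid)
        mats[target_len].append(byte_matrix(packets, target_len))
    return {t: (ids[t], mats[t]) for t in ids}


def batch_shapes(batches):
    """Shape of each batch as (sessions, rows, columns)."""
    return {t: (len(m), len(m[0]), len(m[0][0])) for t, (_, m) in batches.items()}


# Constructed sample sessions: id -> (target data length, packets).
SESSIONS = {
    "s1": (16, [(0.2, b"\x16\x03\x01"), (0.0, b"GET / HTTP/1.1"),
                (0.1, b"\x01\x02\x03\x04\x05"), (0.3, b"ab"),
                (0.4, b"zzzzzz")]),
    "s2": (16, [(1.0, b"\xde\xad\xbe\xef\x00\x01"), (1.1, b"\x7f")]),
    "s3": (64, [(2.0, bytes(range(32))), (2.1, b"hello"), (2.2, b"")]),
}

if __name__ == "__main__":
    batches = group_by_target_length(SESSIONS)
    print(batch_shapes(batches))
    for row in batches[16][1][0]:
        print(row)
```

Only the first w bytes of the first w packets reach the model in this variant, so the fifth packet of the constructed session s1 contributes nothing to its matrix.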

[0178] Step S908: Input the temporal and spatial features of each session to be identified into the classification model to obtain the category of each session to be identified.

[0179] Optionally, as shown in Figure 10, a two-dimensional convolutional neural network (2D CNN) comprises multiple layers, such as an input layer, a second layer, and an output layer. The data output by the penultimate layer of the 2D CNN based on the byte distribution data of the session to be identified is used as the byte distribution feature of the session to be identified. Similarly, a bidirectional long short-term memory (BiLSTM) network comprises multiple layers, such as an input layer, a second layer, and an output layer. The data output by the penultimate layer of the BiLSTM network based on the temporal data of the session to be identified is used as the temporal feature of the session to be identified. Then, based on the set weights of the temporal features and the byte distribution features, the temporal features and byte distribution features of the session to be identified are concatenated. The concatenated features are input into a classification model to obtain the category of the session to be identified, as output by the classification model. This allows for dynamic adjustment of the influence ratio of temporal features and byte distribution features on the identification result. Since temporal features and byte distribution features have different impacts on the accuracy and recall of the classification model, dynamically adjusting the weights of temporal features and byte distribution features can dynamically adjust the accuracy and recall of the classification model, providing effective support for operational and maintenance-related metrics.

[0180] Referring to Figure 11, Figure 11 is a block diagram illustrating a session identification device in an exemplary embodiment of this application. As shown in Figure 11, the device includes:

[0181] The acquisition and search module 1101 is configured to acquire the session to be identified and search for the target data length that matches the data length of the session to be identified from a set number of candidate data lengths;

[0182] The data acquisition module 1102 is configured to acquire data to be processed from the session to be identified; the length of the data to be processed matches the length of the target data.

[0183] Processing module 1103 is configured to process the data to be processed through a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified;

[0184] The identification module 1104 is configured to determine the category of the session to be identified based on byte distribution characteristics.

[0185] In another exemplary embodiment, the identification module 1104 is specifically configured as follows:

[0186] Extract the temporal features of the session to be identified from the data contained in the session to be identified;

[0187] Obtain the weights corresponding to the time-series features and byte distribution features respectively;

[0188] The temporal features and byte distribution features are fused based on the obtained weights to obtain the fused features of the session to be identified.

[0189] The category of the session to be identified is determined based on the fusion features.

[0190] In another exemplary embodiment, when there are multiple sessions to be identified, the processing module 1103 is specifically configured as follows:

[0191] Based on the corresponding target data length, the data to be processed corresponding to multiple sessions to be identified are classified to obtain multiple data sets;

[0192] Each dataset is input into the byte distribution feature extraction model to obtain the byte distribution features of the session to be identified for each dataset.

[0193] In another exemplary embodiment, the processing module 1103 is specifically configured as follows:

[0194] The data to be processed is input into the byte distribution feature extraction model so that the data to be processed can be processed by the byte distribution feature extraction model;

[0195] The data output by the penultimate layer of the byte distribution feature extraction model for the data to be processed is used as the byte distribution feature of the session to be identified.

[0196] In another exemplary embodiment, when the session to be identified contains multiple data packets, the data acquisition module 1102 is specifically configured as follows:

[0197] Data is extracted sequentially from the payloads of multiple data packets according to the corresponding time order, until the length of the extracted data matches the target data length.

[0198] The extracted data will be used as the data to be processed.

[0199] In another exemplary embodiment, where the session to be identified contains multiple data packets and the data to be processed is data extracted from the payload of the data packets, the acquisition and search module 1101 is specifically configured as follows:

[0200] Obtain the data length corresponding to the payload of multiple data packets respectively;

[0201] The lengths of the acquired data are summed to obtain the data length of the session to be identified;

[0202] The target data length is determined from the multiple candidate data lengths based on the difference between the data length of the session to be identified and the multiple set candidate data lengths.

[0203] In another exemplary embodiment, the acquisition and search module 1101 is specifically configured as follows:

[0204] Find the first candidate data length that is shorter than the data length of the session to be identified and has the smallest difference between the two data lengths from a set number of candidate data lengths; and find the second candidate data length that is longer than the data length of the session to be identified and has the smallest difference between the two data lengths from a set number of candidate data lengths.

[0205] If the data length of the session to be identified is greater than the average of the first candidate data length and the second candidate data length, but less than the second candidate data length, then the second candidate data length will be used as the target data length corresponding to the session to be identified.

[0206] If the data length of the session to be identified is less than the average of the first candidate data length and the second candidate data length, but greater than the first candidate data length, then the first candidate data length is taken as the target data length corresponding to the session to be identified.
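The length selection of [0199]-[0206], the time-ordered payload extraction of [0196]-[0198] and the grouping by target length of [0190]-[0192] can be sketched as follows. This is an added example, not code from the patent: the candidate lengths, the function names, the handling of a tie at the average and of lengths outside the candidate range, and the zero padding of short sessions are all assumptions.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed candidate lengths in bytes; the text does not fix these values.
CANDIDATE_LENGTHS = [256, 512, 1024, 2048]


def session_length(payloads):
    """Sum the payload lengths of all packets in a session ([0200]-[0201])."""
    return sum(len(p) for p in payloads)


def select_target_length(length, candidates=CANDIDATE_LENGTHS):
    """Choose the target length with the average rule of [0204]-[0206]."""
    cands = sorted(candidates)
    i = bisect_left(cands, length)
    if i < len(cands) and cands[i] == length:
        return length          # exact match (assumption: not covered by the text)
    if i == 0:
        return cands[0]        # assumption: shorter than every candidate
    if i == len(cands):
        return cands[-1]       # assumption: longer than every candidate
    first, second = cands[i - 1], cands[i]  # nearest shorter / nearest longer
    # A length exactly at the average is unspecified; this sketch picks `first`.
    return second if length > (first + second) / 2 else first


def extract_to_length(packets, target, pad=b"\x00"):
    """Take payload bytes in time order until `target` bytes are held ([0197]).
    Padding a short session with zero bytes is an assumption."""
    out = bytearray()
    for _, payload in sorted(packets, key=lambda pkt: pkt[0]):
        need = target - len(out)
        if need <= 0:
            break
        out += payload[:need]
    out += pad * (target - len(out))
    return bytes(out)


def bucket_sessions(sessions, candidates=CANDIDATE_LENGTHS):
    """Group fixed-length inputs by target length ([0191]) so that every
    data set handed to the feature extraction model has one input size."""
    buckets = defaultdict(list)
    for sid, packets in sessions.items():
        total = session_length(p for _, p in packets)
        target = select_target_length(total, candidates)
        buckets[target].append((sid, extract_to_length(packets, target)))
    return dict(buckets)


# Constructed sample sessions: (timestamp, payload) pairs, s1 out of order.
SESSIONS = {
    "s1": [(2.0, b"B" * 200), (1.0, b"A" * 200)],  # 400 bytes  -> 512
    "s2": [(1.0, b"C" * 300), (2.0, b"D" * 60)],   # 360 bytes  -> 256
    "s3": [(1.0, b"E" * 900), (2.0, b"F" * 900)],  # 1800 bytes -> 2048
}

if __name__ == "__main__":
    for target, items in sorted(bucket_sessions(SESSIONS).items()):
        print(target, [(sid, len(data)) for sid, data in items])
```

Session s2 shows the cost of rounding down: its 360 payload bytes are cut to 256, so the second packet never reaches the model.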

[0207] It should be noted that the session recognition device provided in the above embodiments and the session recognition method provided in the above embodiments belong to the same concept. The specific way in which each module and unit performs operations has been described in detail in the method embodiments, and will not be repeated here.

[0208] Embodiments of this application also provide an electronic device, including: one or more processors; and a storage device for storing one or more programs, which, when executed by one or more processors, cause the electronic device to implement the session identification method provided in the above embodiments.

[0209] Figure 12 shows a schematic diagram of the structure of a computer system suitable for implementing the electronic device of the present application.

[0210] It should be noted that the computer system 1200 of the electronic device shown in Figure 12 is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.

[0211] As shown in Figure 12, the computer system 1200 includes a Central Processing Unit (CPU) 1201, which can perform various appropriate actions and processes based on programs stored in Read-Only Memory (ROM) 1202 or programs loaded from storage portion 1208 into Random Access Memory (RAM) 1203, such as performing the methods described in the above embodiments. Various programs and data required for system operation are also stored in RAM 1203. The CPU 1201, ROM 1202, and RAM 1203 are interconnected via bus 1204. An Input/Output (I/O) interface 1205 is also connected to bus 1204.

[0212] The following components are connected to I/O interface 1205: an input section 1206 including a keyboard, mouse, etc.; an output section 1207 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers, etc.; a storage section 1208 including a hard disk, etc.; and a communication section 1209 including a network interface card such as a LAN (Local Area Network) card, modem, etc. The communication section 1209 performs communication processing via a network such as the Internet. A drive 1210 is also connected to I/O interface 1205 as needed. Removable media 1211, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 1210 as needed so that computer programs read from them can be installed into storage section 1208 as needed.

[0213] Specifically, according to embodiments of this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program including program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 1209, and/or installed from removable medium 1211. When the computer program is executed by central processing unit (CPU) 1201, it performs various functions defined in the system of this application.

[0214] It should be noted that the computer-readable medium shown in the embodiments of this application can be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying a computer-readable computer program. The transmitted data signal can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. The computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to wireless, wired, etc., or any suitable combination thereof.

[0215] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. Each block in a flowchart or block diagram may represent a module, segment, or portion of code, which contains one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0216] The units described in the embodiments of this application can be implemented in software or hardware, and the described units can also be located in a processor. The names of these units do not necessarily limit the specific unit itself.

[0217] Another aspect of this application provides a computer-readable storage medium storing computer-readable instructions thereon, which, when executed by a processor of an electronic device, cause the electronic device to perform the method described above. This computer-readable storage medium may be included in the electronic device described in the above embodiments, or it may exist independently without being assembled into the electronic device.

[0218] Another aspect of this application provides a computer program product or computer program that includes computer instructions that, when executed by a processor, implement the methods provided in the various embodiments described above. The computer instructions may be stored in a computer-readable storage medium; a processor of an electronic device may read the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the electronic device to perform the methods provided in the various embodiments described above.

[0219] The above description is merely a preferred exemplary embodiment of this application and is not intended to limit the implementation of this application. Those skilled in the art can easily make corresponding modifications or alterations based on the main concept and spirit of this application. Therefore, the scope of protection of this application should be determined by the scope of protection claimed in the claims.

Claims

1. A session recognition method, characterized in that the method includes:
Obtain the session to be identified, and find the target data length that matches the data length of the session to be identified from a set number of candidate data lengths; the session to be identified contains multiple data packets;
Data to be processed is obtained from the session to be identified; the data length of the data to be processed matches the target data length, and the data to be processed is data extracted from the payload of the data packet;
The data to be processed is processed by a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified;
The category of the session to be identified is determined based on the byte distribution features;
The step of finding a target data length that matches the data length of the session to be identified from a set of multiple candidate data lengths includes:
Obtain the data length corresponding to the payload of multiple data packets respectively;
The data lengths of the acquired data are summed to obtain the data length of the session to be identified;
The target data length is determined from the multiple candidate data lengths based on the difference between the data length of the session to be identified and the multiple set candidate data lengths;
The step of determining the category of the session to be identified based on the byte distribution features includes:
Extract the temporal features of the session to be identified from the data contained in the session to be identified;
Obtain the weights corresponding to the temporal features and the byte distribution features respectively;
The temporal features and the byte distribution features are fused according to the obtained weights to obtain the fused features of the session to be identified;
The data output by the penultimate layer of the two-dimensional convolutional neural network for the byte distribution data of the session to be identified is used as the byte distribution features of the session to be identified, and the data output by the penultimate layer of the bidirectional long short-term memory network for the temporal data of the session to be identified is used as the temporal features of the session to be identified;
The category of the session to be identified is determined based on the fused features.

2. The method as described in claim 1, characterized in that the number of sessions to be identified is multiple; the process of processing the data to be processed using a byte distribution feature extraction model to obtain the byte distribution features of the sessions to be identified includes:
Based on the corresponding target data length, the data to be processed corresponding to the multiple sessions to be identified are classified to obtain multiple data sets;
Each data set is input into the byte distribution feature extraction model to obtain the byte distribution features of the session to be identified corresponding to each data set.

3. The method as described in claim 1, characterized in that the process of processing the data to be processed using a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified includes:
The data to be processed is input into the byte distribution feature extraction model so that the data to be processed can be processed by the byte distribution feature extraction model;
The data output by the penultimate layer of the byte distribution feature extraction model for the data to be processed is used as the byte distribution feature of the session to be identified.

4. The method as described in claim 1, characterized in that the session to be identified contains multiple data packets; obtaining the data to be processed from the session to be identified includes:
Data is extracted sequentially from the payloads of multiple data packets according to the corresponding time order, until the length of the extracted data matches the target data length;
The extracted data is used as the data to be processed.

5. The method as described in claim 1, characterized in that the step of determining the target data length from the plurality of candidate data lengths based on the difference between the data length of the session to be identified and the set plurality of candidate data lengths includes:
From a set number of candidate data lengths, find a first candidate data length that is shorter than the data length of the session to be identified and has the smallest difference between the two lengths;
From the set number of candidate data lengths, find a second candidate data length that is longer than the data length of the session to be identified and has the smallest difference between the two lengths;
If the data length of the session to be identified is greater than the average of the first candidate data length and the second candidate data length, but less than the second candidate data length, then the second candidate data length is taken as the target data length corresponding to the session to be identified;
If the data length of the session to be identified is less than the average of the first candidate data length and the second candidate data length, but greater than the first candidate data length, then the first candidate data length is taken as the target data length corresponding to the session to be identified.

6. A session recognition device, characterized in that the device includes:
The acquisition and search module is configured to acquire a session to be identified and search for a target data length that matches the data length of the session to be identified from a set number of candidate data lengths, wherein the session to be identified contains multiple data packets;
The data acquisition module is configured to acquire data to be processed from the session to be identified; the data length of the data to be processed matches the target data length, and the data to be processed is data extracted from the payload of the data packet;
The processing module is configured to process the data to be processed using a byte distribution feature extraction model to obtain the byte distribution features of the session to be identified;
The identification module is configured to determine the category of the session to be identified based on the byte distribution features;
The acquisition and search module is further configured as follows:
Obtain the data length corresponding to the payload of multiple data packets respectively;
The data lengths of the acquired data are summed to obtain the data length of the session to be identified;
The target data length is determined from the multiple candidate data lengths based on the difference between the data length of the session to be identified and the multiple set candidate data lengths;
The identification module is further configured as follows:
Extract the temporal features of the session to be identified from the data contained in the session to be identified;
Obtain the weights corresponding to the temporal features and the byte distribution features respectively;
The temporal features and the byte distribution features are fused according to the obtained weights to obtain the fused features of the session to be identified;
The data output by the penultimate layer of the two-dimensional convolutional neural network for the byte distribution data of the session to be identified is used as the byte distribution features of the session to be identified, and the data output by the penultimate layer of the bidirectional long short-term memory network for the temporal data of the session to be identified is used as the temporal features of the session to be identified;
The category of the session to be identified is determined based on the fused features.

7. An electronic device, characterized in that it includes:
One or more processors;
A storage device for storing one or more computer programs that, when executed by one or more processors, cause the electronic device to implement the session identification method according to any one of claims 1-5.

8. A computer-readable storage medium, characterized in that it stores a computer program that, when executed by the processor of the electronic device, causes the electronic device to implement the session identification method according to any one of claims 1-5.