A dynamic flow traction method and system for multi-source data

By automatically generating traffic redirection intents and compiling them into BGP FlowSpec rules, combined with hardware collaborative processing and hierarchical storage, the problems of static configuration of traffic redirection rules and multi-source data association in existing technologies are solved, realizing real-time, accurate traffic redirection and efficient anomaly location.

CN122247907APending Publication Date: 2026-06-19SINO TELECOM TECHNOLOGY CO INC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SINO TELECOM TECHNOLOGY CO INC
Filing Date
2026-05-22
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

In existing technologies, traffic redirection rules need to be manually configured and statically distributed, and cannot be automatically generated. This results in rule conflicts, insufficient semantic aggregation, inability to identify disguised applications, and the inability to uniformly correlate multi-source data, leading to delayed redirection strategies, frequent false redirection and missed redirection, and low processing efficiency in high-bandwidth scenarios.

Method used

By monitoring events, traffic redirection intentions are automatically generated, compiled into BGP FlowSpec rules, and priority sorting, conflict resolution, and lifecycle management are performed. The routing chip, DPU, and CPU work together to achieve hardware traffic redirection and zero-copy data collection. Data retrieval is performed by combining hierarchical storage and multi-level indexes, and the analysis results are fed back for precise traffic redirection.

Benefits of technology

It enables real-time, accurate, and orderly processing of traffic flow, improves the efficiency and reliability of rule execution, significantly enhances the efficiency of anomaly location and the accuracy of traffic scheduling, and ensures packet loss-free and low-latency processing in high-bandwidth scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247907A_ABST
    Figure CN122247907A_ABST
Patent Text Reader

Abstract

This invention discloses a dynamic traffic redirection method and system for multi-source data. The method includes: generating traffic redirection intentions based on monitoring events; compiling the redirection intentions into BGP FlowSpec rules and generating corresponding NLRI matching items; performing priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management on the BGP FlowSpec rules; issuing or revoking the rules to network nodes via the BGP protocol; performing hardware redirection, zero-copy acquisition, and protocol preprocessing on traffic matching the BGP FlowSpec rules; performing bidirectional session reconstruction and session-level metadata extraction on the preprocessed traffic; performing unified identification and time-series synchronization on multi-source heterogeneous network data; and performing traffic redirection based on the retrieval and analysis results. This invention achieves event-driven automated redirection, efficient rule governance, high-bandwidth line-speed acquisition, accurate identification of spoofed traffic, and second-level backtracking of massive data. It is suitable for precise traffic redirection, anomaly monitoring, and behavior analysis of target objects in backbone networks and metropolitan area networks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of flow traction technology, specifically to a dynamic flow traction method and system for multi-source data. Background Technology

[0002] In the daily operation and security protection scenarios of backbone networks and metropolitan area networks (MANs), precise traffic routing, real-time data collection, behavior tracing, and anomaly localization for target objects such as specified IPs, prefixes, and applications have become core requirements. Current mainstream industry solutions generally employ technologies such as port mirroring and policy routing to achieve traffic scheduling, use general-purpose servers for traffic collection and parsing, and employ a single storage architecture for data storage.

[0003] However, in the current process of traffic diversion, there are: 1. The rules for traction need to be manually configured and statically issued, and cannot be automatically generated and recycled based on monitoring events; the rules lack template management, conflict resolution, semantic aggregation and lifecycle control, and large-scale rules are prone to overlap, mutual exclusion, failure or residue, resulting in traction strategy lag, false traction and missed traction frequently.

[0004] 2. Traffic identification based solely on single packets and port numbers cannot identify spoofed applications and non-standard services. Data from multiple sources cannot be uniformly correlated, and analysis results cannot drive reverse strategies. Summary of the Invention

[0005] The purpose of this invention is to provide a dynamic flow control method and system for multi-source data to solve the problems mentioned in the background art.

[0006] A first aspect of the present invention provides a dynamic traffic guidance method for multi-source data, comprising: Based on the monitored events, a traffic redirection intent is generated, the redirection intent is compiled into a BGP FlowSpec rule, and a corresponding NLRI matching item is generated; The BGP FlowSpec rules are subjected to priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management. The rules are then issued to or revoked by network nodes via the BGP protocol. A line-speed processing pipeline is constructed using routing chips, DPU, and CPU to perform hardware redirection, zero-copy acquisition, and protocol preprocessing on traffic that matches the BGP FlowSpec rules. Bidirectional session reconstruction and session-level metadata extraction are performed on the preprocessed traffic. Retrieval is achieved based on hierarchical storage and multi-level indexing, and the retrieval analysis results are fed back to the control plane. The control plane performs unified identification and timing synchronization on multi-source heterogeneous network data, and performs traffic guidance based on the retrieval and analysis results.

[0007] In one possible implementation, compiling the traction intent into BGP FlowSpec rules and generating corresponding NLRI matches includes: The single traffic targeting intent is mapped into multiple sets of NLRI matching items. The NLRI matching item combination is characterized by a multi-dimensional combination of source address prefix, destination address prefix, transmission protocol, transmission port, message length, and fragmentation type, so as to achieve multi-dimensional accurate matching of target traffic.

[0008] In one possible implementation, the step of performing priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management on the BGP FlowSpec rules includes: When the same traffic is hit by multiple BGP FlowSpec rules at the same time, conflict decision is made according to the rule matching granularity, priority value, and execution action type. Actions that can be merged are merged, and actions that are mutually exclusive are selected to take effect by the higher priority rule and a conflict audit log is generated.

[0009] In one possible implementation, the line-rate processing pipeline, constructed collaboratively by the routing chip, DPU, and CPU, performs hardware redirection, zero-copy acquisition, and protocol preprocessing on traffic matching the BGP FlowSpec rules, including: The routing chip performs hardware-level mirroring and traffic splitting scheduling on successfully matched traffic, forwarding traffic from the same source to the corresponding DPU node; the DPU performs zero-copy collection, IP fragmentation and reassembly, TCP out-of-order reordering, and bidirectional session state machine maintenance on the traffic; the CPU monitors queue levels and resource usage in real time, and performs resource quota allocation and end-to-end backpressure control.

[0010] In one possible implementation, the step of performing bidirectional session reconstruction and session-level metadata extraction on the preprocessed traffic includes: Bidirectional session reconstruction is performed on the preprocessed traffic using a 5-tuple as an identifier. The uplink and downlink data statistics, first and last timestamps, round-trip delay, window size evolution, and message length sequence characteristics of the session are maintained, and a unique session-level metadata is generated for each session.

[0011] In one possible implementation, the retrieval based on hierarchical storage and multi-level indexing includes: A three-tiered storage architecture of hot, warm, and cold layers is adopted to store session-level metadata. A multi-level index system is constructed with time partition as the first-level index, five-tuple hash as the second-level index, and session features as the filtering index. Massive data can be retrieved quickly through time partition filtering, inverted index filtering, and primary key exact matching.

[0012] In one possible implementation, the control plane performs unified identification and timing synchronization on multi-source heterogeneous network data, and performs traffic redirection based on the retrieval and analysis results, including: In the transmission link of multi-source heterogeneous network data, a unified event identifier and rule version number are carried to complete the timing calibration. Multi-source data alignment is completed using the five-tuple, time window, and target object identifier as association keys. Based on the alignment analysis results, a refined secondary traction strategy is generated and closed-loop traffic traction is executed.

[0013] A second aspect of the present invention provides a dynamic flow traction system for multi-source data, comprising: The intent compilation unit is used to generate traffic-driving intents based on monitoring events, compile the traffic-driving intents into BGP FlowSpec rules, and generate corresponding NLRI matching items. The rule governance unit is used to perform priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management on the BGP FlowSpec rules, and to issue or revoke the rules to network nodes through the BGP protocol. The collaborative processing unit is used to utilize the routing chip, DPU and CPU to collaboratively build a line-speed processing pipeline to perform hardware redirection, zero-copy acquisition and protocol preprocessing on traffic that matches the BGP FlowSpec rules; The session analysis unit is used to perform bidirectional session reconstruction and session-level metadata extraction on preprocessed traffic, implement retrieval based on hierarchical storage and multi-level indexing, and feed the retrieval analysis results back to the control plane. The closed-loop traction unit is used to perform unified identification and time synchronization on multi-source heterogeneous network data, and to perform traffic traction based on the retrieval and analysis results.

[0014] In one possible implementation, the rule governance unit is further configured to perform semantic equivalent aggregation compression of continuous network segment merging and continuous port merging, configure validity period, timed revocation policy and version number for each BGP FlowSpec rule, adopt canary release and two-phase commit to issue rules, and automatically perform version rollback in abnormal state.

[0015] In one possible implementation, the collaborative processing unit is further configured to perform multi-queue mapping, same-source and same-destination scheduling, and stepwise controllable degradation under congestion conditions, and to perform dynamic backpressure control based on queue level and resource occupancy.

[0016] Compared with the prior art, the beneficial effects of the present invention are: 1. By monitoring events, the system automatically generates traffic redirection intents and compiles them into BGP FlowSpec rules, enabling dynamic deployment and revocation of rules. It also achieves conflict resolution, semantic equivalence aggregation, and full lifecycle management of rules, completely eliminating the need for manual static configuration. This enables real-time, accurate, and orderly redirection of target traffic, significantly improving rule execution efficiency and reliability.

[0017] 2. Based on session characteristics, it enables port-independent identification of application and spoofed traffic. Through hierarchical storage and multi-level indexing, it achieves second-level retrieval and backtracking of massive data. After unifying and associating multi-source data, the analysis results drive the iterative strategy in reverse, forming a complete closed loop, which significantly improves the efficiency of anomaly location and the accuracy of traffic scheduling.

[0018] 3. Through hardware processing involving routing chips, DPU, and CPU, and utilizing zero-copy acquisition, multi-queue resource isolation, end-to-end backpressure, and congestion-controlled degradation mechanisms, the system achieves packet loss-free, low-latency, and highly stable traffic processing in high-bandwidth and burst traffic scenarios, ensuring the integrity of critical traffic acquisition. Attached Figure Description

[0019] Figure 1 This is a schematic diagram of the process for dynamic flow control of multi-source data according to the present invention; Figure 2 This is a schematic diagram of the architecture of the dynamic flow traction system for multi-source data according to the present invention; Figure 3 This is a schematic diagram illustrating the working process of each chip in this invention. Detailed Implementation

[0020] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0021] It should be noted that the serial numbers assigned to the components in the embodiments of the present invention, such as "first" and "second", are only used to distinguish the described objects and have no sequential or technical meaning.

[0022] The following is combined with Figure 1 This invention describes a dynamic flow traction method for multi-source data.

[0023] A dynamic traffic guidance method for multi-source data includes: S1. Generate a traffic redirection intent based on the monitoring events of the target object, compile the redirection intent into a BGPFlowSpec rule, and generate the corresponding NLRI matching item; The system receives target object monitoring events via the event bus, including threshold alarms, anomaly detection, manual policies, and external system calls. The events include the target object identifier, the scope of the traffic redirection, the duration, and the expected action. The system automatically generates standardized traffic redirection intentions and compiles the traffic redirection intentions into standard BGP FlowSpec rules to generate corresponding NLRI matching items. The actions are carried out through community attributes / extended communities, including redirection to VRF, tagging, sampling, and rate limiting.

[0024] S2. Perform templated classification, priority sorting, overlapping rule conflict resolution, semantic equivalence aggregation compression, and full lifecycle management on the BGP FlowSpec rules, and dynamically issue or revoke the rules to backbone network and metropolitan area network nodes through the BGP protocol; The rules are classified, prioritized, conflict-resolved, semantically equivalent, aggregated, TTL configured, canary releases, and version rollbacks. The rules are issued and revoked via BGP UPDATE and WITHDRAW messages.

[0025] S3 utilizes a line-speed processing pipeline built collaboratively by routing chips, switching chips, DPU, and CPU to perform hardware redirection, same-source and same-destination scheduling, zero-copy collection, and protocol preprocessing on traffic matching rules. like Figure 3 As shown, the routing chip performs hardware-level mirroring and traffic splitting scheduling on the successfully matched traffic, forwarding the traffic with the same source and destination to the corresponding DPU node; the DPU performs zero-copy collection, IP fragmentation and reassembly, TCP out-of-order reordering and bidirectional session state machine maintenance on the traffic; the CPU interacts with the DPU through the control plane software, issues policies and executes resource quotas, end-to-end backpressure and congestion-controlled degradation.

[0026] S4. Perform bidirectional session reconstruction, multi-packet aggregation and session-level metadata extraction on the preprocessed traffic, achieve second-level retrieval based on hot, warm and cold tiered storage and multi-level indexing, and feed the retrieval analysis results back to the control plane; Using quintuples and direction bits as keys, bidirectional session reconstruction and multi-packet aggregation are completed, and session-level metadata is extracted. A three-tiered storage architecture (hot, warm, and cold) is adopted, coupled with multi-level indexes to achieve second-level retrieval of TB-level data, with retrieval results transmitted back to the control plane in real time. Reconstructed packets are bidirectionally aggregated by session, maintaining bidirectional statistics, round-trip latency, window evolution, and packet length sequences. Combining length or time series, handshake features, encryption parameters, and direction patterns, port-independent application and spoofing behavior identification is achieved. A unique 1:1 session-level metadata is generated for each session, ensuring a one-to-one correspondence between sessions and metadata.

[0027] The hot layer data is used to store high-frequency access traffic data and session metadata from the past 24 to 72 hours. It is deployed using a high-performance storage medium composed of memory and solid-state drives (SSDs). The combination of timestamp information and traffic 5-tuple hash value is used as the data primary key for unique identification and fast location. Simultaneously, three types of auxiliary index structures are built: inverted dictionary index, filtering index, and Bloom filter, to achieve millisecond-level fast retrieval and accurate hit of hot data.

[0028] The temperature layer data is used to store mid-frequency access traffic data and session metadata over several weeks to several months. It is organized using a columnar compression format to improve space utilization while ensuring data integrity. It can directly support fast scanning, statistical aggregation and offline analysis of batch historical data.

[0029] Cold layer data is used for long-term archiving and retention of low-frequency access traffic data and session metadata. It is compressed and archived using object storage format and only provides asynchronous retrieval services. While achieving extremely low storage costs, it meets the needs of compliant retention, post-event auditing, and historical data backtracking.

[0030] S5. The control plane performs unified event identification, global time-series synchronization and correlation analysis on multi-source heterogeneous network data, and performs refined dynamic traffic guidance on target objects based on the retrieval and analysis results.

[0031] A unified event ID is assigned to multi-source data, global time series calibration is completed through NTP, and data association is completed using the five-tuple, target object identifier and time window as association keys; a secondary traction strategy is generated based on the association analysis results, and closed-loop dynamic traffic traction is performed on the target object.

[0032] The secondary traffic redirection strategy has a higher priority than the initial traffic redirection strategy and is more granular, upgrading from coarse-grained matching to multi-dimensional fine-grained matching. It only redirects abnormal traffic to the target, avoiding the misdirection of normal business traffic. The generation of the secondary traffic redirection strategy can be carried out through the following steps: extract precise features of the target object, such as application type, session fingerprint, abnormal behavior, non-standard port, and transmission direction, from the correlation analysis results; optimize the coarse-grained prefix matching of the initial traffic redirection to multi-dimensional combination matching of prefix, application features, session features, and port, and adjust the full traffic redirection to redirect only abnormal or disguised traffic, while normal business traffic is allowed to pass directly; retain the original traffic redirection priority and add a trigger condition for automatically stopping traffic redirection after the anomaly is eliminated; compile into a high-priority FlowSpec rule, complete conflict resolution and semantic aggregation, and form a secondary traffic redirection strategy that can be directly deployed.

[0033] In one implementation, the towing intent and NLRI matching items have a one-to-many mapping relationship, with a single towing intent corresponding to multiple combinations of NLRI matching items. The NLRI matching items include at least two combinations of destination, source prefix, protocol, destination port range, TCP flag, packet length, and fragmentation type. By combining multiple features, accurate matching of target traffic is achieved, avoiding generalized mis-towing.

[0034] A single directional intent corresponds to multiple sets of NLRI matches, rather than a single rule. For example, the intent "monitor prefix 203.0.113.0 / 24" is mapped to: destination prefix 203.0.113.0 / 24+TCP, destination prefix 203.0.113.0 / 24+UDP, and destination prefix 203.0.113.0 / 24+packet length 128-512 bytes.

[0035] NLRI matches are required to use at least two combinations of features, including: destination or source prefix, transport protocol, source or port range, TCP flags, packet length, and fragmentation type, to achieve accurate matching and avoid generalization and misdirection.

[0036] The compiled rules fully comply with the RFC5575 standard and are compatible with all backbone network devices that support BGP FlowSpec.

[0037] In one implementation, the process of resolving overlapping rule conflicts on BGP FlowSpec rules is specifically implemented as follows: When the same data stream is hit by multiple rules, including quintuples, HOST / SNI, URL, and signature codes, the decision is made according to the principles of more specific rules taking precedence over more general rules, explicit rules taking precedence over default rules, and redirection / prohibition taking precedence over marking / sampling. Compatible actions are merged and executed, while mutually exclusive actions select the higher-priority rule to take effect and generate conflict audit information.

[0038] When the same data stream is simultaneously matched by multiple rules of the same type (five-tuple, HOST / SNI, URL, and feature code), it is considered an overlapping rule. Priority ranking: matching granularity (precise > subnet > generalized) > explicit priority (0-255) > action type (redirect or prohibit > tag > sample).

[0039] In one implementation, the specific implementation of semantic equivalence aggregation compression and full lifecycle management of BGP FlowSpec rules is as follows: The semantic equivalence aggregation compression uses the minimum CIDR mask to merge consecutive IP network segments and consecutive port range rules, maintaining the matching semantics unchanged and reducing the number of rules; the lifecycle management includes rule TTL configuration, timed revocation, version management, canary release and automatic rollback in case of anomalies, and ensures the stability of rule effectiveness through two-phase commit.

[0040] When performing semantic aggregation compression: Consecutive IPs: 1.1.1.0, 1.1.1.1, 1.1.1.2, 1.1.1.3, merged into 1.1.1.0 / 30; Consecutive ports: 80, 81, 82, 83, merged into 80-83; The matching range is completely consistent before and after the merge, and the number of rules is reduced.

[0041] The second aspect of the invention, as Figure 2 As shown, a dynamic flow traction system for multi-source data is provided, the system comprising: The intent compilation unit 10 is used to generate traffic-driving intents based on monitoring events, compile the traffic-driving intents into BGP FlowSpec rules, and generate corresponding NLRI matching items. The rule governance unit 20 is used to perform priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management on the BGP FlowSpec rules, and to issue or revoke the rules to network nodes through the BGP protocol. The collaborative processing unit 30 is used to utilize the line-speed processing pipeline jointly constructed by the routing chip, DPU and CPU to perform hardware redirection, zero-copy acquisition and protocol preprocessing on traffic that matches the BGP FlowSpec rules; The session analysis unit 40 is used to perform bidirectional session reconstruction and session-level metadata extraction on the preprocessed traffic, realize retrieval based on hierarchical storage and multi-level indexing, and feed the retrieval analysis results back to the control plane. The closed-loop traction unit 50 is used to perform unified identification and time synchronization on multi-source heterogeneous network data, and to perform traffic traction based on the search and analysis results.

[0042] In one implementation, the rule governance unit is further configured to perform semantic equivalent aggregation compression of continuous network segment merging and continuous port merging, configure validity period, timed revocation policy and version number for each BGP FlowSpec rule, adopt canary release and two-phase commit to issue rules, and automatically perform version rollback in abnormal state.

[0043] In one implementation, the collaborative processing unit is further configured to perform multi-queue mapping, same-source and same-destination scheduling, and stepwise controllable degradation under congestion conditions, and to perform dynamic backpressure control based on queue level and resource occupancy.

[0044] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A dynamic flow control method for multi-source data, characterized in that, include: Based on the monitored events, a traffic redirection intent is generated, the redirection intent is compiled into a BGP FlowSpec rule, and a corresponding NLRI matching item is generated; The BGP FlowSpec rules are subject to priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management. The rules are then issued to or revoked by network nodes via the BGP protocol. A line-speed processing pipeline is constructed using routing chips, DPU, and CPU to perform hardware routing, zero-copy acquisition, and protocol preprocessing on traffic that matches the BGP FlowSpec rules. The preprocessed traffic is reconstructed bidirectionally and extracted at the session level. Retrieval is achieved based on hierarchical storage and multi-level indexing. The retrieval and analysis results are then fed back to the control plane. The control plane performs unified identification and timing synchronization on multi-source heterogeneous network data, and performs traffic guidance based on the retrieval and analysis results.

2. The dynamic flow control method for multi-source data according to claim 1, characterized in that, The step of compiling the traction intent into BGP FlowSpec rules and generating corresponding NLRI matching items includes: The single traffic targeting intent is mapped into multiple sets of NLRI matching items. The NLRI matching item combination is characterized by a multi-dimensional combination of source address prefix, destination address prefix, transmission protocol, transmission port, message length, and fragmentation type, so as to achieve multi-dimensional accurate matching of target traffic.

3. The dynamic flow control method for multi-source data according to claim 1, characterized in that, The process of performing priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management on the BGP FlowSpec rules includes: When the same traffic is hit by multiple BGP FlowSpec rules at the same time, conflict decision is made according to the rule matching granularity, priority value, and execution action type. Actions that can be merged are merged, and actions that are mutually exclusive are selected to take effect by the higher priority rule and a conflict audit log is generated.

4. The dynamic flow control method for multi-source data according to claim 1, characterized in that, The line-rate processing pipeline, constructed collaboratively by the routing chip, DPU, and CPU, performs hardware redirection, zero-copy data collection, and protocol preprocessing on traffic matching the BGP FlowSpec rules, including: The routing chip performs hardware-level mirroring and traffic splitting scheduling on successfully matched traffic, forwarding traffic from the same source to the corresponding DPU node; the DPU performs zero-copy collection, IP fragmentation and reassembly, TCP out-of-order reordering, and bidirectional session state machine maintenance on the traffic; the CPU monitors queue levels and resource usage in real time, and performs resource quota allocation and end-to-end backpressure control.

5. The dynamic flow control method for multi-source data according to claim 1, characterized in that, The process of performing bidirectional session reconstruction and session-level metadata extraction on the preprocessed traffic includes: Bidirectional session reconstruction is performed on the preprocessed traffic using a 5-tuple as an identifier. The uplink and downlink data statistics, first and last timestamps, round-trip delay, window size evolution, and message length sequence characteristics of the session are maintained, and a unique session-level metadata is generated for each session.

6. The dynamic flow control method for multi-source data according to claim 1, characterized in that, The retrieval based on hierarchical storage and multi-level indexing includes: A three-tiered storage architecture of hot, warm, and cold layers is adopted to store session-level metadata. A multi-level index system is constructed with time partition as the first-level index, five-tuple hash as the second-level index, and session features as the filtering index. Massive data can be retrieved quickly through time partition filtering, inverted index filtering, and primary key exact matching.

7. The dynamic flow control method for multi-source data according to claim 6, characterized in that, The control plane performs unified identification and time synchronization on multi-source heterogeneous network data, and performs traffic redirection based on the retrieval and analysis results, including: In the transmission link of multi-source heterogeneous network data, a unified event identifier and rule version number are carried to complete the timing calibration. Multi-source data alignment is completed using the five-tuple, time window, and target object identifier as association keys. Based on the alignment analysis results, a refined secondary traction strategy is generated and closed-loop traffic traction is executed.

8. A dynamic flow traction system for multi-source data, the system being used to execute the dynamic flow traction method as described in any one of claims 1-7, characterized in that, include: The intent compilation unit is used to generate traffic-driving intents based on monitoring events, compile the traffic-driving intents into BGPFlowSpec rules, and generate corresponding NLRI matching items. The rule governance unit is used to perform priority sorting, conflict resolution, semantic equivalence aggregation compression, and lifecycle management on the BGP FlowSpec rules, and to issue or revoke the rules to network nodes through the BGP protocol. The collaborative processing unit is used to utilize the routing chip, DPU and CPU to collaboratively build a line-speed processing pipeline to perform hardware redirection, zero-copy acquisition and protocol preprocessing on traffic that matches the BGP FlowSpec rules; The session analysis unit is used to perform bidirectional session reconstruction and session-level metadata extraction on preprocessed traffic, implement retrieval based on hierarchical storage and multi-level indexing, and feed the retrieval analysis results back to the control plane. The closed-loop traction unit is used to perform unified identification and time synchronization on multi-source heterogeneous network data, and to perform traffic traction based on the retrieval and analysis results.

9. The dynamic flow traction system according to claim 8, characterized in that, The rule governance unit is also configured to perform semantic equivalent aggregation compression for merging consecutive network segments and consecutive ports, configure validity period, timed revocation policy and version number for each BGP FlowSpec rule, adopt canary release and two-phase commit to issue rules, and automatically perform version rollback in abnormal state.

10. The dynamic flow traction system according to claim 8, characterized in that, The collaborative processing unit is also configured to perform multi-queue mapping, same-source and same-destination scheduling, and stepwise controllable degradation under congestion conditions, and to perform dynamic backpressure control based on queue level and resource occupancy.