CN115396937B - Data session associated information detection method and detection device - Google Patents
Data session associated information detection method and detection device Download PDFInfo
- Publication number
- CN115396937B CN115396937B CN202110566148.1A CN202110566148A CN115396937B CN 115396937 B CN115396937 B CN 115396937B CN 202110566148 A CN202110566148 A CN 202110566148A CN 115396937 B CN115396937 B CN 115396937B
- Authority
- CN
- China
- Prior art keywords
- data
- association information
- streams
- weight
- repeated code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/08—Testing, supervising or monitoring using real traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W28/00—Network traffic management; Network resource management
- H04W28/02—Traffic management, e.g. flow control or congestion control
- H04W28/0273—Traffic management, e.g. flow control or congestion control adapting protocols for flow control or congestion control to wireless environment, e.g. adapting transmission control protocol [TCP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W28/00—Network traffic management; Network resource management
- H04W28/02—Traffic management, e.g. flow control or congestion control
- H04W28/06—Optimizing the usage of the radio link, e.g. header compression, information sizing, discarding information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a data session association information detection method and device, belongs to the technical field of communication, and solves the problem that association information among data streams of different data sessions cannot be found out quickly in the prior art. A data session association information detection method, comprising: acquiring data streams of a plurality of data sessions under the same service; the bearing mode of the data flow of the plurality of data sessions is one or more; acquiring the weight of association information between every two data streams in a plurality of data sessions; the associated information comprises repeated code streams and network addresses; constructing a data flow path relation diagram based on the weight of the association information between every two data flows; and acquiring the longest path in the data flow relation diagram, and outputting the association information between every two data flows contained in the longest path as the association information of a plurality of data sessions. The method can realize quick association between data flows of different data sessions.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for detecting data session association information.
Background
The Deep Packet Inspection (DPI) technology is an application layer-based traffic Inspection and control technology, and when an IP packet, TCP or UDP data stream passes through a DPI technology-based management system, the system reorganizes application layer information in OSI seven-layer protocols by deeply reading the content of an IP packet payload, thereby obtaining the content of the entire application program, and then performing operation processing on the traffic according to a management policy defined by the system.
In the 4, 5G mobile Internet, the flow proportion of video APP is larger and larger, different video service manufacturers realize different mechanisms aiming at the process of one-time video watching of a single user, and the video bearing is converted from the former single HTTP session stream bearing to the data stream transmission comprising a plurality of different bearing modes of HTTP, TCP and UDP. In the previous scheme, only the data stream carried based on HTTP is marked as a video watching process, because of the version iteration of video APP, the customized protocol encapsulation of each manufacturer is added, DPI practitioners need to find and correlate a plurality of session data streams carried differently together, and perform subsequent data operation processing, such as downloading flow, speed, and blocking of single video watching.
There are currently two main approaches to DPI technology: one is to find out the related information between the characteristics of the data and the service by a manual mode, and the other is to use an AI technology to carry out fuzzy judgment on the data flow and the service. The manual searching mode can only find limited information visible in the clear, such as a loaded IP address and port, or a manufacturer custom id of a video file, or a played id of a single service operation, so that the manual searching is time-consuming and labor-consuming, and the code stream part containing key character description is focused more; the AI technology can only perform fuzzy matching, and cannot precisely associate data of more than one session stream. Thus, neither of the above two methods can quickly associate session flows of different bearer types together. As all traffic of a primary service, it is necessary to provide a method for detecting related information of a data session, so as to implement rapid association between data flows carried on different bearer protocols from different manufacturers and different video APPs, so that DPI detection devices of the existing network can update related information and give accurate DPI identification and detection results.
Disclosure of Invention
In view of the above analysis, the embodiments of the present invention aim to provide a method and an apparatus for detecting association information of data sessions, so as to solve the problem that the existing method cannot quickly find association information between data flows of different data sessions.
In one aspect, an embodiment of the present invention provides a method for detecting data session association information, including:
acquiring data streams of a plurality of data sessions under the same service; the bearing mode of the data flow of the plurality of data sessions is one or more;
acquiring the weight of association information between every two data streams in a plurality of data sessions; the associated information comprises repeated code streams and network addresses;
Constructing a data flow path relation diagram based on the weight of the association information between every two data flows; and acquiring the longest path in the data flow relation diagram, and outputting the association information between every two data flows contained in the longest path as the association information of a plurality of data sessions.
Based on the scheme, the scheme of the invention also makes the following improvements:
further, the data flow path relationship graph is constructed by performing the following operations:
sequencing the weights of repeated code streams and the weights of network addresses between every two data streams, and taking one item with the highest weight as the weight of the maximum association information between the current two data streams;
and constructing the data flow relation diagram by taking each data flow as a node and taking the weight of the maximum association information between every two data flows as the path length between two nodes.
Further, acquiring the weight of the repeated code stream between the two data streams includes:
The method comprises the steps of obtaining repeated code streams and offset thereof in payload information of two data streams, wherein the length of each repeated code stream is greater than or equal to the shortest length of each repeated code stream;
and obtaining the weight of the repeated code stream between the two data streams based on the length and the offset of the repeated code stream.
Further, acquiring the weight of the repeated code stream between the two data streams, further includes:
The method comprises the steps of obtaining repeated code streams and offset thereof in payload information of two data streams, wherein the length of each repeated code stream is greater than or equal to the shortest length of each repeated code stream; and checks whether a keyword related to a service appears in a range of a set length code stream before the repeated code stream,
If so, obtaining the weight of the repeated code stream between the two data streams based on the length, the offset and the keywords of the repeated code stream;
Otherwise, based on the length and the offset of the repeated code stream, the weight of the repeated code stream between the two data streams is obtained.
Further, the method also comprises the step of constructing a keyword library for storing and updating the keywords related to the business.
Further, the weight of the network address between the two data streams is obtained by performing the following operations:
And acquiring the IP addresses of the network layers and the port numbers of the transmission layers of the two data streams, comparing whether the IP address of the network layer and the port number of the transmission layer of one of the two data streams are matched with the payload information of the other data stream of the two data streams, and if so, acquiring the weight of the network address between the two data streams based on the matching relation.
Further, it is judged whether or not the matching is performed by executing the following process:
Directly comparing whether the IP address of the network layer and the port number of the transmission layer of one of the two data streams appear in the payload information of the other data stream of the two data streams, and if so, matching;
Otherwise the first set of parameters is selected,
Performing coding and decoding conversion on the IP address of the network layer and the port number of the transmission layer in one of the two data streams, and comparing whether the IP address of the network layer and the port number of the transmission layer after the coding and decoding conversion appear in the payload information of the other data stream in the two data streams or not, if so, matching; otherwise, not match.
Further, the coding and decoding conversion mode is an ASCII code conversion mode.
Further, the service is video APP playing service, and the bearing mode of the data stream is HTTP, TCP or UDP.
On the other hand, the embodiment of the invention also provides a data session association information detection device, which comprises:
A data stream acquisition module of the data session, which is used for acquiring the data streams of a plurality of data sessions under the same service; the bearing mode of the data flow of the plurality of data sessions is one or more;
The association information weight determining module is used for obtaining the weight of association information between every two data streams in a plurality of data sessions; the associated information comprises repeated code streams and network addresses;
The data session association information output module is used for constructing a data flow relation diagram based on the weight of association information between every two data flows; and acquiring the longest path in the data flow relation diagram, and outputting the weight of the association information between every two data flows contained in the longest path as the association information of a plurality of data sessions.
Compared with the prior art, the invention has at least one of the following beneficial effects:
Firstly, the invention provides a method and a device for detecting data session association information with stronger universality, which can obtain the data session association information without considering whether manufacturers to which the data session belongs, the video APP to which the data session belongs and the selected bearing mode are the same or not in the implementation process;
Secondly, the scheme of the invention determines the weight of the repeated code stream by directly comparing the payload information between the data streams and based on the length, the offset and the keyword information of the repeated code stream, and the process is simple and efficient, and can comprehensively consider the influence of the length, the offset and the keyword of the repeated code stream on the weight of the repeated code stream; in addition, in order to describe the data session association information more clearly and comprehensively, the scheme of the invention also provides a determination process of the weight of the network address, and a step of secondary comparison is added in the matching judgment process, so that the matching information can be acquired more comprehensively and accurately, and a more accurate weight result of the network address is obtained; therefore, the method is more efficient than manual discovery of the KEY between the multiple streams, and is more accurate than manual discovery of the KEY (code stream part without explicit character string identification, especially repeated part capable of giving maximum length) between the multiple streams.
Thirdly, the method determines the data session association information in a mode of constructing the data flow path relation diagram, and the method can determine the data session association information more simply, efficiently and rapidly and has the advantages of being strong in practicability, good in effect and the like.
In the invention, the technical schemes can be mutually combined to realize more preferable combination schemes. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to refer to like parts throughout the several views.
Fig. 1 is a flowchart of a method for detecting data session association information according to embodiment 1 of the present invention.
Fig. 2 is a schematic structural diagram of a data session related information detection apparatus according to embodiment 2 of the present invention.
Detailed Description
The following detailed description of preferred embodiments of the application is made in connection with the accompanying drawings, which form a part hereof, and together with the description of the embodiments of the application, are used to explain the principles of the application and are not intended to limit the scope of the application.
Example 1
An embodiment 1 of the present invention discloses a method for detecting data session association information, wherein a flowchart is shown in fig. 1, and the method comprises the following steps:
step S1: acquiring data streams of a plurality of data sessions under the same service; the bearing mode of the data flow of the plurality of data sessions is one or more;
the service in this embodiment may be a video APP play, a game APP play, or a music APP play service, for example. When the service is video APP playing service, the common data stream carrying manner may be one or more of HTTP, TCP or UDP, where the data stream is a HTTP, TCP or UDP based data stream. The content carried by each of the data streams based on HTTP, TCP, and UDP is different. In the case of video APP playback, the traffic data carried by HTTP (i.e., HTTP-based data streams) is typically the first step in traffic occurrence. That is, when a common video is played, an HTTP-based data stream is initially requested and answered, and according to a great deal of practical experience, it generally contains association information (in this embodiment, "association information" is referred to as "KEY") of the same video service carried by a subsequent different stream.
The data streams based on HTTP, TCP or UDP have certain differences in composition modes, and the data to be transmitted encapsulated by each manufacturer has different expression modes, so that the DPI detector cannot take the specific description of each manufacturer for each data stream used. Before the method, the original code stream information is checked by a developer, and guesses are described according to ASCII. Illustratively, the HTTP-based data stream is composed of a header, which is generally a description of a domain and a method described by a fixed protocol, and a body, which is data to be transmitted, which is self-encapsulated by an application of each manufacturer. In the case of video APP playback, in the body of the HTTP session, information such as a play id (the viewer is effective in viewing this time), a video id (the unique identifier of a movie file within a certain time range) is generally identified by an ASCII code. The descriptions of play ids and video ids corresponding to different manufacturers are not uniform, for example, the description of play ids can be set to play, the description of video ids can be set to video, that is, a certain format display mark (playid =xx; video/x/x/xx) is used in a code stream, and the description of play ids can be set to other contents according to actual needs. Although the descriptions are different, the "play id" and "video id" of the same video service are generally described by the same code stream (in the code streams in different sessions), so that repeated code streams with a certain length exist between different data streams, and the association information between different data streams can be obtained by identifying the maximum repeated code stream.
In addition, if the session flows are based on different data flows of the same video service, part of the session flows will include the network layer IP address and the port number of the transport layer of the server of another flow.
Illustratively, in the HTTP session based data stream a, at least the key information of another data session stream is contained, including but not limited to (play id, video id, transport layer protocol of another stream, IP address of network layer, port number of transport layer, etc.), the stream is labeled B. In the same communication process, a stream is used to bear business information, and the new borne information is necessarily transferred through previous interaction. The data stream and the data session stream are substantially identical. Session flows emphasize session behavior once, and one service may produce multiple sessions. And different session bearers may be different. The focus of the study in this embodiment is not to carry data differently, but not to limit whether the carrying manner is the same, and the method of finding the association information from each other through the data session flows.
Before step S2 is performed, it is necessary to manually confirm the dialed data (usually a file in the pcap format, including all data streams during one video APP playing process), i.e. to close the internet access authority of other APPs to access the mobile internet operation.
Step S2: acquiring the weight of association information between every two data streams in a plurality of data sessions; the associated information comprises repeated code streams and network addresses;
considering that repeated code streams may exist in payload of different data streams of the same video service, and the IP address of the network layer and the port number of the transport layer may be the same, the association information in this embodiment is selected to include the repeated code streams and the network address;
Step S21: the weights of repeated code streams between two data streams are obtained by performing the following operations:
step S211: the method comprises the steps of obtaining repeated code streams and offset thereof in payload information of two data streams, wherein the length of each repeated code stream is greater than or equal to the shortest length (such as 4) of each repeated code stream;
step S212: and obtaining the weight of the repeated code stream between the two data streams based on the length and the offset of the repeated code stream.
In an alternative embodiment, if a key appears before the repeated code stream, the specific function of the repeated code stream is indicated, whereby it can be seen that the key also has a large influence on the determination of the associated information. For this reason, the checking flow of keywords is also added in this embodiment. The implementation may be:
The method comprises the steps of obtaining repeated code streams and offset thereof in payload information of two data streams, wherein the length of each repeated code stream is greater than or equal to the shortest length of each repeated code stream; checking whether keywords related to business appear in a preset length code stream range (for example, no more than 30 code streams are traced before) before the repeated code streams, and if so, obtaining weights of the repeated code streams between two data streams based on the length, offset and keywords of the repeated code streams; otherwise, based on the length and the offset of the repeated code stream, the weight of the repeated code stream between the two data streams is obtained.
In this embodiment, a keyword library may be constructed according to a specific service and a description manner commonly known in the art, and is used to store keywords related to the service, and update the keyword library along with the change of the description of the related information in the data stream by the user. Illustratively, the keywords in the present embodiment may include play, video, and the like.
Step S22: the weight of the network address between the two data streams is obtained by performing the following operations:
And acquiring the IP addresses of the network layers and the port numbers of the transmission layers of the two data streams, comparing whether the IP address of the network layer and the port number of the transmission layer of one of the two data streams are matched with the payload information of the other data stream of the two data streams, and if so, acquiring the weight of the network address between the two data streams based on the matching relation.
Judging whether the two are matched by executing the following processes:
directly comparing whether the IP address of the network layer and the port number of the transmission layer of one of the two data streams appear in the payload information of the other data stream of the two data streams, and if so, matching; otherwise, performing coding and decoding conversion on the IP address of the network layer and the port number of the transmission layer in one of the two data streams, and comparing whether the IP address of the network layer and the port number of the transmission layer after the coding and decoding conversion appear in the payload information of the other data stream in the two data streams, if so, matching; otherwise, not match.
Preferably, the codec conversion mode may be an ASCII code conversion mode. The method comprises the steps of obtaining IP addresses of network layers and port numbers of transmission layers of two selected data streams, judging whether the IP addresses of the network layers and the port numbers of the transmission layers of the two data streams are correspondingly matched, if not, converting the IP addresses of the network layers and the port numbers of the transmission layers of the two data streams from numerical values of the code streams into an IP address form with visible ASCII codes, and carrying out secondary comparison to judge whether the IP addresses and the port numbers of the transmission layers of the two data streams are correspondingly matched.
It should be noted that, the determination manner of the weight of the association information may be specifically set based on the use of the detection result of the association information of the subsequent data session. Illustratively, the present embodiment provides a specific manner of determining the weight of the associated information, specifically:
(1) When the weight of the repeated code stream between the two data streams is obtained based on the length and the offset of the repeated code stream only, the weight w rs of the repeated code stream between the two data streams can be obtained based on the following formula:
Wherein l rs represents the length of the repeated code stream, l s represents the shortest length of the repeated code stream, and w s represents the reference weight of the repeated code stream length; w offset denotes the weight of the offset of the repeated code stream. Illustratively, the repetition code stream shortest length takes 4 and the repetition code stream length reference weight takes 1.
It should be noted that, in the process of comparing two data streams, if there are multiple repeated code streams with different lengths or contents, each repeated code stream calculates the weight of the repeated code stream according to the above manner, and w offset of each repeated code stream is the same, and for example, 1 may be taken; if there are multiple repeated code streams with the same length and content, the weight of each repeated code stream is calculated according to the above manner, at this time, the weight of the offset of each repeated code stream decreases with the increase of the offset, and for example, w s_offset is taken as the weight w offset of the offset of the repeated code stream with the smallest offset, and 0 is taken as the weight w offset of the offset of the repeated code stream with the smallest non-offset. w s_offset denotes an offset weight reference value, and 1 is taken as an example.
(2) When the weight of the repeated code stream between the two data streams is obtained based on the length, the offset and the keyword of the repeated code stream, the weight w rs of the repeated code stream between the two data streams can be obtained based on the following formula:
w keyword represents the weight of the keyword. When the keyword library is constructed, the weights of different keywords can be set and stored according to different service scenes. When a keyword is hit, the weight of the keyword is obtained by searching a keyword library.
(3) And obtaining the weight of the network address between the two data streams based on the matching relation. Illustratively, if there is a match, the weight of the network address between the two data streams is taken as w add, otherwise, 0 is taken.
The values of the weights can be specifically set based on different services. Illustratively, the weight of the key w keyword is 2 times the network address and more, e.g., w keyword takes 10 and w add takes 5; in addition, the offset is only a relative height.
Step S3: constructing a data flow path relation diagram based on the weight of the association information between every two data flows; and acquiring the longest path in the data flow relation diagram, and outputting the association information between every two data flows contained in the longest path as the association information of a plurality of data sessions.
The process for constructing the data flow path relation diagram comprises the following steps: after obtaining the weight of the association information between every two data streams in a plurality of data sessions, sorting the weights of repeated code streams (possibly one or more sections) and the weights of network addresses between every two data streams, and taking the item with the highest weight as the weight of the maximum association information between the current two data streams; then, a data flow path relation graph is constructed by taking each data flow as a node and taking the weight of the maximum association information between every two data flows as the path length between the two nodes.
Illustratively, when the data session includes N (N > 2) data streams, a data flow path relationship graph may be constructed with each data stream as a node and a weight (> 1) of maximum association information between two data streams as a path length between two nodes. In the data flow path relation diagram, the longest path in the data flow path relation diagram can be obtained by traversing the maximum path (weight) from each node to another node, and the association information between every two data flows contained in the longest path is output as the association information of a plurality of data sessions.
Taking A, B, C data streams as an example, if the weight of the maximum association information between the AB is 10, the weight of the maximum association information between the BC is 5, and the weight of the maximum association information between the AC is 1, the maximum path length of the A-to-C nodes is 15 in total of AB and BC, which is greater than the weight of the AC 1, at the moment, the relation between the AC selects the AB and BC paths, at the moment, the AB and BC form the longest path, and the association information between the AB and BC is output as the association information of the data session.
Compared with the prior art, the embodiment of the invention provides the method and the device for detecting the data session related information with stronger universality, and in the implementation process, whether manufacturers to which the data session belongs, the video APP to which the data session belongs and the selected bearing mode are the same or not is not considered, so that the data session related information can be obtained; the scheme of the invention also determines the weight of the repeated code stream by directly comparing the payload information between the data streams and based on the length, the offset and the keyword information of the repeated code stream, and the process is simple and efficient, and can comprehensively consider the influence of the length, the offset and the keyword of the repeated code stream on the weight of the repeated code stream;
In addition, in order to describe the data session association information more clearly and comprehensively, the scheme of the invention also provides a determination process of the weight of the network address, and a step of secondary comparison is added in the matching judgment process, so that the matching information can be acquired more comprehensively and accurately, and a more accurate weight result of the network address is obtained; therefore, the method is more efficient than manual discovery of the KEY between the multiple streams, and is more accurate than manual discovery of the KEY (code stream part without explicit character string identification, especially repeated part capable of giving maximum length) between the multiple streams. Finally, the invention determines the data session association information by constructing the data flow path relation diagram, and the method can more simply and efficiently determine the data session association information, and has the advantages of strong practicability, good effect and the like.
Example 2
Embodiment 2 of the present invention discloses a data session association information detection apparatus, a schematic structure diagram of which is shown in fig. 2, the apparatus comprising:
A data stream acquisition module of the data session, which is used for acquiring the data streams of a plurality of data sessions under the same service; the bearing mode of the data flow of the plurality of data sessions is one or more;
The association information weight determining module is used for obtaining the weight of association information between every two data streams in a plurality of data sessions; the associated information comprises repeated code streams and network addresses;
The data session association information output module is used for constructing a data flow relation diagram based on the weight of association information between every two data flows; and acquiring the longest path in the data flow relation diagram, and outputting the weight of the association information between every two data flows contained in the longest path as the association information of a plurality of data sessions.
The specific implementation process of the embodiment of the present invention may refer to the above method embodiment, for example, the method for obtaining the weight of the association information between every two data streams in multiple data sessions, which is not described herein again.
Since the principle of the embodiment is the same as that of the embodiment of the method, the system also has the corresponding technical effects of the embodiment of the method.
Those skilled in the art will appreciate that all or part of the flow of the methods of the embodiments described above may be accomplished by way of a computer program to instruct associated hardware, where the program may be stored on a computer readable storage medium. Wherein the computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory, etc.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.
Claims (10)
1. A method for detecting data session association information, comprising:
acquiring data streams of a plurality of data sessions under the same service; the bearing mode of the data flow of the plurality of data sessions is one or more;
acquiring the weight of association information between every two data streams in a plurality of data sessions; the associated information comprises repeated code streams and network addresses;
Constructing a data flow path relation diagram based on the weight of the association information between every two data flows; and acquiring the longest path in the data flow relation diagram, and outputting the association information between every two data flows contained in the longest path as the association information of a plurality of data sessions.
2. The data session association information detection method according to claim 1, wherein the data flow path relation diagram is constructed by performing the following operations:
sequencing the weights of repeated code streams and the weights of network addresses between every two data streams, and taking one item with the highest weight as the weight of the maximum association information between the current two data streams;
and constructing the data flow relation diagram by taking each data flow as a node and taking the weight of the maximum association information between every two data flows as the path length between two nodes.
3. The method for detecting data session association information according to claim 1 or 2, wherein obtaining the weight of the repeated code stream between the two data streams comprises:
The method comprises the steps of obtaining repeated code streams and offset thereof in payload information of two data streams, wherein the length of each repeated code stream is greater than or equal to the shortest length of each repeated code stream;
and obtaining the weight of the repeated code stream between the two data streams based on the length and the offset of the repeated code stream.
4. The method for detecting data session association information according to claim 1 or 2, wherein acquiring the weight of the repeated code stream between the two data streams further comprises:
The method comprises the steps of obtaining repeated code streams and offset thereof in payload information of two data streams, wherein the length of each repeated code stream is greater than or equal to the shortest length of each repeated code stream; and checks whether a keyword related to a service appears in a range of a set length code stream before the repeated code stream,
If so, obtaining the weight of the repeated code stream between the two data streams based on the length, the offset and the keywords of the repeated code stream;
Otherwise, based on the length and the offset of the repeated code stream, the weight of the repeated code stream between the two data streams is obtained.
5. The method for detecting data session association information according to claim 4, further comprising constructing a keyword library for storing and updating the keywords related to the service.
6. The data session association information detection method according to claim 1 or 2, wherein the weight of the network address between the two data streams is obtained by performing the following operations:
And acquiring the IP addresses of the network layers and the port numbers of the transmission layers of the two data streams, comparing whether the IP address of the network layer and the port number of the transmission layer of one of the two data streams are matched with the payload information of the other data stream of the two data streams, and if so, acquiring the weight of the network address between the two data streams based on the matching relation.
7. The data session association information detection method according to claim 6, wherein the determination of whether there is a match is performed by:
Directly comparing whether the IP address of the network layer and the port number of the transmission layer of one of the two data streams appear in the payload information of the other data stream of the two data streams, and if so, matching;
Otherwise the first set of parameters is selected,
Performing coding and decoding conversion on the IP address of the network layer and the port number of the transmission layer in one of the two data streams, and comparing whether the IP address of the network layer and the port number of the transmission layer after the coding and decoding conversion appear in the payload information of the other data stream in the two data streams or not, if so, matching; otherwise, not match.
8. The method for detecting data session related information according to claim 7, wherein the codec conversion method is an ASCII code conversion method.
9. The method for detecting data session related information according to claim 1, wherein the service is a video APP playing service, and the data stream is carried in HTTP, TCP or UDP.
10. A data session association information detection apparatus, comprising:
A data stream acquisition module of the data session, which is used for acquiring the data streams of a plurality of data sessions under the same service; the bearing mode of the data flow of the plurality of data sessions is one or more;
The association information weight determining module is used for obtaining the weight of association information between every two data streams in a plurality of data sessions; the associated information comprises repeated code streams and network addresses;
The data session association information output module is used for constructing a data flow relation diagram based on the weight of association information between every two data flows; and acquiring the longest path in the data flow relation diagram, and outputting the weight of the association information between every two data flows contained in the longest path as the association information of a plurality of data sessions.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110566148.1A CN115396937B (en) | 2021-05-24 | 2021-05-24 | Data session associated information detection method and detection device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110566148.1A CN115396937B (en) | 2021-05-24 | 2021-05-24 | Data session associated information detection method and detection device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115396937A CN115396937A (en) | 2022-11-25 |
| CN115396937B true CN115396937B (en) | 2024-09-10 |
Family
ID=84114016
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110566148.1A Active CN115396937B (en) | 2021-05-24 | 2021-05-24 | Data session associated information detection method and detection device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115396937B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103023670A (en) * | 2011-09-20 | 2013-04-03 | 中兴通讯股份有限公司 | Message service type identifying method and message service type identifying device based on data processing installation (DPI) |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8180892B2 (en) * | 2008-12-22 | 2012-05-15 | Kindsight Inc. | Apparatus and method for multi-user NAT session identification and tracking |
| US9781181B2 (en) * | 2013-06-17 | 2017-10-03 | Qualcomm Incorporated | Multiple file delivery over unidirectional transport protocol sessions for a service |
| US9887891B2 (en) * | 2015-01-21 | 2018-02-06 | International Business Machines Corporation | Graph segment representing a gist of an online social network conversation |
| US10637744B2 (en) * | 2017-04-12 | 2020-04-28 | Battelle Memorial Institute | Complementary workflows for identifying one-hop network behavior and multi-hop network dependencies |
-
2021
- 2021-05-24 CN CN202110566148.1A patent/CN115396937B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103023670A (en) * | 2011-09-20 | 2013-04-03 | 中兴通讯股份有限公司 | Message service type identifying method and message service type identifying device based on data processing installation (DPI) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115396937A (en) | 2022-11-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7734746B2 (en) | Method and apparatus for configuring and controlling network resources in content delivery with distributed rules | |
| JP3717836B2 (en) | Dynamic load balancer | |
| US7313131B2 (en) | Processing of communication session request messages | |
| US8797902B2 (en) | Routing decision context objects | |
| CN110300065B (en) | Application flow identification method and system based on software defined network | |
| US20130294449A1 (en) | Efficient application recognition in network traffic | |
| CN109039775A (en) | Quality of service monitoring method, apparatus and system | |
| US9246798B2 (en) | Message handling extension using context artifacts | |
| US20160156729A1 (en) | State information offloading for diameter agents | |
| US7522530B2 (en) | Method for protocol recognition and analysis in data networks | |
| CN114039880B (en) | Performance test method, device and system for connectionless service | |
| CN107580079A (en) | A kind of message transmitting method and device | |
| US7907543B2 (en) | Apparatus and method for classifying network packet data | |
| Cha et al. | A mobility link service for ndn consumer mobility | |
| CN108377223A (en) | A kind of more packet recognition methods, packet identifying method and flow bootstrap technique | |
| EP1950917B1 (en) | Methods for peer-to-peer application message identifying and operating realization and their corresponding devices | |
| US20230319635A1 (en) | Apparatus and method for providing n6-lan using service function chaining in wireless communication system | |
| US9204285B2 (en) | Subscriber record context objects | |
| CN115396937B (en) | Data session associated information detection method and detection device | |
| CN101223760A (en) | Method and node for locating network users | |
| KR101344398B1 (en) | Router and method for application awareness and traffic control on flow based router | |
| WO2002051077A1 (en) | A method and system for distinguishing higher layer protocols of the internet traffic | |
| JP4429173B2 (en) | Method and computer system for triggering action based on digital communication data | |
| CN106506400B (en) | data stream identification method and outlet device | |
| US8051167B2 (en) | Optimized mirror for content identification |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |