CN117221242B - Network flow direction identification method, device and medium - Google Patents
- Publication number: CN117221242B (CN202311129589.0A)
- Authority: CN (China)
- Prior art keywords: mac address, traffic, flow, access, bipartite graph
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Technical Field
The present invention relates to the field of computer network security, and in particular to a network flow direction identification method, device and medium.
Background Art
With the explosive growth of unknown network applications, the volume of unknown traffic has surged, and the hidden risks that this massive unknown traffic brings cannot be ignored. In the various network traffic analysis scenarios at the ingress and egress boundaries of large regional networks, the analysis system must judge traffic direction effectively in order to address network security problems such as network threats or data leakage.
In the related art, the direction of network traffic is mainly determined in three ways: by LAN Internet Protocol (IP) addresses, by the physical (Media Access Control, MAC) addresses or IP addresses of internal network assets, and by traffic direction learned from MAC addresses. However, these three approaches place high demands on the network environment in which they are applied. When both sides of the network boundary contain public network addresses, when there are many internal asset addresses, or when little learnable traffic is available, the direction of network traffic cannot be determined effectively. How to determine the network boundary and identify the direction of network traffic efficiently and accurately is therefore a technical problem that traffic analysis systems of all kinds commonly face.
Summary of the Invention
In view of this, the present invention proposes a network flow direction identification method, device and medium that solve the problem that the direction of network traffic cannot be determined effectively during network traffic analysis, adapt well to different network environments, reduce maintenance costs, and improve the accuracy and efficiency of network traffic direction identification.
Based on the above purpose, one aspect of the embodiments of the present invention provides a network flow direction identification method, which specifically includes the following steps:
obtaining the MAC addresses of all access traffic, and obtaining the communication relationships between the MAC addresses;
establishing at least one MAC address bipartite graph based on the MAC addresses and the communication relationships;
screening, in the access traffic corresponding to each MAC address bipartite graph, first traffic that has a deterministic traffic direction;
identifying the traffic direction of all access traffic based on all MAC address bipartite graphs and the first traffic corresponding to each MAC address bipartite graph.
In some implementations, the step of establishing at least one MAC address bipartite graph based on the MAC addresses and the communication relationships includes:
establishing at least one MAC address bipartite graph with the MAC addresses as nodes and the communication relationships as connecting lines.
In some implementations, the step of screening, in the access traffic corresponding to each MAC address bipartite graph, first traffic that has a deterministic traffic direction includes:
establishing, according to the application scenario, a local traffic direction judgment library containing at least one identification strategy;
screening out, based on the identification strategies in the local traffic direction judgment library, the first traffic that has a deterministic traffic direction from the access traffic corresponding to each MAC address bipartite graph.
In some implementations, the step of identifying the traffic direction of all access traffic based on all MAC address bipartite graphs and the first traffic corresponding to each MAC address bipartite graph includes:
for each MAC address bipartite graph, dividing all MAC addresses it contains into a first MAC address set and a second MAC address set located in two different network areas, and determining the first traffic direction of the corresponding first traffic;
identifying, based on the first traffic direction, the first MAC address set and the second MAC address set of each MAC address bipartite graph, the traffic direction of the access traffic corresponding to each MAC address bipartite graph;
obtaining the traffic direction of all access traffic based on the traffic directions of the access traffic corresponding to all the MAC address bipartite graphs.
In some implementations, the step of identifying, based on the first traffic direction, the first MAC address set and the second MAC address set of each MAC address bipartite graph, the traffic direction of the access traffic corresponding to each MAC address bipartite graph includes:
for each MAC address bipartite graph, establishing, based on the union-find algorithm, a first MAC address union-find set for the first MAC address set and a second MAC address union-find set for the second MAC address set;
obtaining the external network MAC address and the internal network MAC address corresponding to the first traffic in each MAC address bipartite graph; determining, based on the first MAC address union-find set and the second MAC address union-find set, the matching relationship between the external network MAC address and the internal network MAC address on the one hand and the first MAC address set and the second MAC address set of the corresponding MAC address bipartite graph on the other; and determining whether the first traffic direction is the inbound direction or the outbound direction;
identifying, based on the matching relationship and on whether the first traffic direction is the inbound direction or the outbound direction, the traffic direction of the access traffic corresponding to each MAC address bipartite graph.
In some implementations, the step of identifying, based on the matching relationship and on whether the first traffic direction is the inbound direction or the outbound direction, the traffic direction of the access traffic corresponding to each MAC address bipartite graph includes:
for each MAC address bipartite graph, if the first traffic direction is the outbound direction, and the external network MAC address is in the first MAC address set and/or the internal network MAC address is in the second MAC address set, marking the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the second MAC address set to the first MAC address set.
In some implementations, the step of identifying, based on the matching relationship and on whether the first traffic direction is the inbound direction or the outbound direction, the traffic direction of the access traffic corresponding to each MAC address bipartite graph includes:
for each MAC address bipartite graph, if the first traffic direction is the outbound direction, and the internal network MAC address is in the first MAC address set and/or the external network MAC address is in the second MAC address set, marking the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the first MAC address set to the second MAC address set.
In some implementations, the step of identifying, based on the matching relationship and on whether the first traffic direction is the inbound direction or the outbound direction, the traffic direction of the access traffic corresponding to each MAC address bipartite graph includes:
for each MAC address bipartite graph, if the first traffic direction is the inbound direction, and the external network MAC address is in the first MAC address set and/or the internal network MAC address is in the second MAC address set, marking the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the first MAC address set to the second MAC address set.
In some implementations, the step of identifying, based on the matching relationship and on whether the first traffic direction is the inbound direction or the outbound direction, the traffic direction of the access traffic corresponding to each MAC address bipartite graph includes:
for each MAC address bipartite graph, if the first traffic direction is the inbound direction, and the internal network MAC address is in the first MAC address set and/or the external network MAC address is in the second MAC address set, marking the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the second MAC address set to the first MAC address set.
Another aspect of the embodiments of the present invention provides a computer device, comprising: at least one processor; and a memory storing a computer program that can run on the processor, the computer program implementing the steps of the above method when executed by the processor.
Yet another aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program that implements the steps of the above method when executed by a processor.
The present invention has at least the following beneficial technical effects. The MAC addresses of all access traffic and their communication relationships are analyzed in advance to form at least one MAC address bipartite graph, so that the MAC addresses of all traffic can be quickly grouped or partitioned. At the same time, first traffic whose direction can be identified is screened out from the access traffic corresponding to each MAC address bipartite graph. Based on the first traffic of each MAC address bipartite graph and on all the MAC address bipartite graphs, the traffic direction of global network traffic is identified quickly, which yields a direction judgment capability for global traffic, reduces the maintenance cost of global network flow direction identification, and improves its accuracy and efficiency.
Brief Description of the Drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can obtain other embodiments from these drawings without creative effort.
FIG. 1 is a flow chart of an embodiment of a network flow direction identification method provided by the present invention;
FIG. 2 is a schematic diagram of an embodiment of a network flow direction identification method provided by the present invention;
FIG. 3 is a schematic structural diagram of an embodiment of a computer device provided by the present invention;
FIG. 4 is a schematic structural diagram of an embodiment of a computer-readable storage medium provided by the present invention.
Detailed Description
To make the purpose, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below in combination with specific embodiments and with reference to the accompanying drawings.
It should be noted that all uses of "first" and "second" in the embodiments of the present invention serve to distinguish two entities or parameters that share a name but are not the same. "First" and "second" are used only for convenience of expression and should not be understood as limiting the embodiments of the present invention; subsequent embodiments do not repeat this note.
Based on the above purpose, the first aspect of the embodiments of the present invention proposes an embodiment of a network flow direction identification method. As shown in FIG. 1, it includes the following steps:
S100: obtain the MAC addresses of all access traffic, and obtain the communication relationships between the MAC addresses.
S200: establish at least one MAC address bipartite graph based on the MAC addresses and the communication relationships.
S300: screen, in the access traffic corresponding to each MAC address bipartite graph, first traffic that has a deterministic traffic direction.
S400: identify the traffic direction of all access traffic based on all MAC address bipartite graphs and the first traffic corresponding to each MAC address bipartite graph.
The above network flow direction identification method analyzes in advance the MAC addresses of all access traffic and their communication relationships to form at least one MAC address bipartite graph, so that the MAC addresses of all traffic can be quickly grouped or partitioned. At the same time, first traffic whose direction can be identified is screened out from the access traffic corresponding to each MAC address bipartite graph. Based on the first traffic of each MAC address bipartite graph and on all the MAC address bipartite graphs, the traffic direction of global network traffic is identified quickly, which yields a direction judgment capability for global traffic, reduces the maintenance cost of global network flow direction identification, and improves its accuracy and efficiency.
Specifically, the above step 200 includes:
S210: establish at least one MAC address bipartite graph with the MAC addresses as nodes and the communication relationships as connecting lines.
At a network boundary, MAC addresses can stably represent a large number of network assets and provide broad coverage. During traffic analysis, the MAC addresses in all access traffic can be extracted together with the communication relationships between them. With the MAC addresses as nodes and the communication relationships as connecting lines, at least one undirected graph can be built, and each undirected graph is then drawn as a MAC address bipartite graph, giving at least one MAC address bipartite graph. All MAC addresses in a MAC address bipartite graph can be clearly divided, based on the connecting lines, into the sets of two network areas.
With the above network flow direction identification method, only a short period of MAC address analysis is needed during network traffic analysis to form the global MAC address bipartite graphs, so that the ability to identify the direction of global network traffic is formed quickly, reducing the maintenance cost of global network flow direction identification while improving its accuracy and efficiency.
Specifically, the above step 300 includes:
S310: establish, according to the application scenario, a local traffic direction judgment library containing at least one identification strategy.
S320: based on the identification strategies in the local traffic direction judgment library, screen out the first traffic that has a deterministic traffic direction from the access traffic corresponding to each MAC address bipartite graph.
Based on the application scenario, one or more identification strategies are set that can identify traffic direction locally. Such a strategy does not need to cover direction identification for global traffic, but it does need a high traffic matching probability and accurate identification. The optimal identification strategies usually differ between network boundary environments and can be configured flexibly for the application scenario.
The traffic direction is either the inbound direction or the outbound direction. The inbound direction may include communication behavior, in an environment with internal and external networks, that is initiated by an external network asset and connects to an internal network asset. The outbound direction may include communication behavior, in an environment with internal and external networks, that is initiated by an internal network asset and connects to an external network asset.
In some embodiments, the identification strategies may include, but are not limited to, one or more of the following:
1. Based on the internal network environment, configure access to external Domain Name System (DNS) servers that occurs with high probability as outbound traffic, or configure traffic initiated by LAN IP addresses as outbound traffic.
2. For an environment that has fixed network assets on one side, such as servers, interfaces or network devices, identify the traffic direction based on the side on which the fixed network asset is located.
3. For an environment that has a network service interface with a known access direction, identify the traffic direction based on the access direction of that interface.
4. For an environment in which one side is known to be the network of a particular region, identify the traffic direction based on the communication behavior of IPs outside the region. For example, for a region within Sichuan Province, traffic initiated by non-Sichuan IPs is regarded as inbound traffic.
Once one or more identification strategies have been set, the local traffic direction judgment library is ready. The access traffic is analyzed, the traffic that satisfies an identification strategy in the local traffic direction judgment library is screened out and taken as the first traffic, and the traffic direction identification result for the first traffic is obtained and used to label the direction of the first traffic.
All traffic direction identification results are placed into the MAC address bipartite graph. If individual results disagree with the majority, that is, a few traffic direction identification results conflict with the other results in the MAC address bipartite graph, the erroneous identification strategies that produced the wrong results can be automatically blocked in the local traffic direction judgment library and a warning raised, so that the relevant technical personnel can discover the erroneous strategies in time and correct them.
The above network flow direction identification method analyzes access traffic with a local traffic direction judgment library built from identification strategies and obtains traffic whose direction can be identified, so that a small or local judgment library is enough to cover global network traffic by association. In most application scenarios a local traffic direction judgment library is simpler, clearer and more stable to implement, and there is no longer any need to maintain a large number of traffic direction judgment methods or network asset area judgment methods, which greatly reduces the maintenance cost of global network flow direction identification. In addition, the MAC address bipartite graph makes it possible to discover and exclude erroneous identification strategies in time, which ensures the correctness of global flow direction identification.
Specifically, the above step 400 includes:
S410: for each MAC address bipartite graph, divide all MAC addresses it contains into a first MAC address set and a second MAC address set located in two different network areas, and determine the first traffic direction of the corresponding first traffic.
S420: based on the first traffic direction, the first MAC address set and the second MAC address set of each MAC address bipartite graph, identify the traffic direction of the access traffic corresponding to each MAC address bipartite graph.
S430: based on the traffic directions of the access traffic corresponding to all the MAC address bipartite graphs, obtain the traffic direction of all access traffic.
The MAC addresses and communication relationships of all access traffic are analyzed in advance to obtain at least one MAC address bipartite graph, and the MAC addresses of each MAC address bipartite graph can be divided into the MAC address sets of two different network areas. The network areas may include an external network area and an internal network area; the MAC address set of the internal network area contains the internal network MAC addresses, and the MAC address set of the external network area contains the external network MAC addresses. The MAC address sets of the two network areas can respectively represent the network assets on the two sides of the network boundary. After each MAC address bipartite graph has divided all of its MAC addresses into the sets of the two network areas, the traffic direction of the first traffic corresponding to each MAC address bipartite graph is determined, and from it the traffic direction of the access traffic corresponding to each MAC address bipartite graph. Once the traffic direction of the access traffic of every MAC address bipartite graph has been determined, direction identification for global traffic is complete.
In the above network flow direction identification method, during traffic analysis the MAC address sets of the different network areas are formed for each MAC address bipartite graph and the traffic direction of the first traffic corresponding to the graph is determined, so that the ability to identify the direction of global network traffic is formed quickly, reducing the maintenance cost of global network flow direction identification while improving its accuracy and efficiency.
Specifically, the above step 420 includes:
S421: for each MAC address bipartite graph, establish, based on the union-find algorithm, a first MAC address union-find set for the first MAC address set and a second MAC address union-find set for the second MAC address set.
S422: obtain the external network MAC address and the internal network MAC address corresponding to the first traffic in each MAC address bipartite graph; based on the first MAC address union-find set and the second MAC address union-find set, determine the matching relationship between the external network MAC address and the internal network MAC address on the one hand and the first MAC address set and the second MAC address set of the corresponding MAC address bipartite graph on the other; and determine whether the first traffic direction is the inbound direction or the outbound direction.
S423: based on the matching relationship and on whether the first traffic direction is the inbound direction or the outbound direction, identify the traffic direction of the access traffic corresponding to each MAC address bipartite graph.
Based on the union-find algorithm, a union-find tree is built for each of the MAC address sets of the two areas of every MAC address bipartite graph, giving the union-find set that corresponds to each area's MAC address set. This completes the first MAC address union-find set for the first MAC address set and the second MAC address union-find set for the second MAC address set.
At the same time, the external network MAC address and the internal network MAC address corresponding to the first traffic of each MAC address bipartite graph are obtained. The first MAC address union-find set and the second MAC address union-find set are queried to find which MAC address set contains the external network MAC address and which contains the internal network MAC address, giving the matching relationship between the external and internal network MAC addresses and the first and second MAC address sets of the corresponding MAC address bipartite graph. The matching relationship and the traffic direction of the first traffic are then used to identify the traffic direction of the access traffic of each MAC address bipartite graph.
By determining the matching relationship between the external and internal network MAC addresses of the first traffic and the first and second MAC address sets, the above network flow direction identification method lets the first MAC address set and the second MAC address set learn from the first traffic, whose direction can be identified, and identifies the traffic direction of the access traffic corresponding to each MAC address bipartite graph. A direction identification capability for global traffic is thus formed quickly, reducing the maintenance cost of global network flow direction identification while improving its accuracy and efficiency.
Specifically, step 423 above includes:
S4231: for each MAC address bipartite graph, if the first traffic direction is the outbound direction, and the external network MAC address is in the first MAC address set and/or the internal network MAC address is in the second MAC address set, mark the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the second MAC address set to the first MAC address set.
S4232: for each MAC address bipartite graph, if the first traffic direction is the outbound direction, and the internal network MAC address is in the first MAC address set and/or the external network MAC address is in the second MAC address set, mark the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the first MAC address set to the second MAC address set.
S4233: for each MAC address bipartite graph, if the first traffic direction is the inbound direction, and the external network MAC address is in the first MAC address set and/or the internal network MAC address is in the second MAC address set, mark the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the first MAC address set to the second MAC address set.
S4234: for each MAC address bipartite graph, if the first traffic direction is the inbound direction, and the internal network MAC address is in the first MAC address set and/or the external network MAC address is in the second MAC address set, mark the traffic direction of the access traffic corresponding to the MAC address bipartite graph as flowing from the second MAC address set to the first MAC address set.
The external network MAC address and the internal network MAC address corresponding to the first traffic, whose direction is known with certainty, are each matched against the MAC address sets located in the different network areas. When a MAC address set is found to contain the external network MAC address of the first traffic, that set has a matching relationship with the external network MAC address. When a MAC address set is found to contain the internal network MAC address of the first traffic, that set has a matching relationship with the internal network MAC address. The traffic direction of the access traffic corresponding to the MAC address bipartite graph is then marked according to the matching relationship and the first traffic direction. Once the access traffic of every MAC address bipartite graph has been marked, the traffic direction of the global traffic is determined.
Based on a prior analysis of the communication relationships of all access traffic, a MAC address bipartite graph is built that divides the MAC addresses in the network into two different MAC address sets. After that, it is enough to determine the area of any one MAC address in either set to determine the area of the MAC addresses of all access traffic corresponding to that MAC address bipartite graph. That is, once it is confirmed only that the external network MAC address of the first traffic is in the first MAC address set, all MAC addresses in the first MAC address set can be judged to be external network MAC addresses and all MAC addresses in the second MAC address set to be internal network MAC addresses.
When the first traffic direction is the outbound direction, and it is confirmed that the external network MAC address is in the first MAC address set, or that the internal network MAC address is in the second MAC address set, or both, the traffic direction of the access traffic corresponding to the MAC address bipartite graph is marked as flowing from the second MAC address set to the first MAC address set.
When the first traffic direction is the outbound direction, and it is confirmed that the external network MAC address is in the second MAC address set, or that the internal network MAC address is in the first MAC address set, or both, the traffic direction of the access traffic corresponding to the MAC address bipartite graph is marked as flowing from the first MAC address set to the second MAC address set.
When the first traffic direction is the inbound direction, and it is confirmed that the external network MAC address is in the first MAC address set, or that the internal network MAC address is in the second MAC address set, or both, the traffic direction of the access traffic corresponding to the MAC address bipartite graph is marked as flowing from the first MAC address set to the second MAC address set.
When the first traffic direction is the inbound direction, and it is confirmed that the external network MAC address is in the second MAC address set, or that the internal network MAC address is in the first MAC address set, or both, the traffic direction of the access traffic corresponding to the MAC address bipartite graph is marked as flowing from the second MAC address set to the first MAC address set.
After the traffic direction of the access traffic corresponding to every MAC address bipartite graph has been marked, subsequent access traffic is handled by analyzing its MAC addresses and communication relationships to determine which MAC address bipartite graph it belongs to. The matching relationship between the two MAC addresses of the subsequent access traffic and the first or second MAC address set of that MAC address bipartite graph is then determined. Finally, according to the matching relationship, the traffic direction of the subsequent access traffic is marked as the traffic direction of the access traffic corresponding to that MAC address bipartite graph.
In the network flow direction identification method described above, determining the matching relationship between the external and internal network MAC addresses of the first traffic and the first and second MAC address sets lets the two MAC address sets learn from network traffic whose direction can be determined. The traffic of every MAC address in the first and second MAC address sets is then identified from the learned traffic direction, which allows subsequent traffic direction identification. This quickly builds a traffic direction identification capability for global traffic, reducing the maintenance cost of global network flow direction identification while improving its accuracy and efficiency.
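The labelling rules of S421 to S423 and S4231 to S4234, together with the handling of subsequent traffic, as an added Python example that is not part of the patent text. The class and function names, the MAC normalisation, the sample addresses, and reading a later flow's direction from source MAC to destination MAC are assumptions; the two MAC sets of each bipartite graph are taken as already produced by the earlier step.

```python
OUTBOUND, INBOUND = "outbound", "inbound"
OTHER = {"first": "second", "second": "first"}


def norm(mac):
    # Assumed helper: canonical form so 'AA-BB-..' and 'aa:bb:..' compare equal.
    return mac.strip().lower().replace("-", ":")


class UnionFind:
    """Disjoint-set forest over MAC strings (path compression, union by size)."""

    def __init__(self, macs=()):
        macs = [norm(m) for m in macs]
        self.parent = {m: m for m in macs}
        self.size = {m: 1 for m in macs}
        for m in macs[1:]:                    # all members of one set share a root
            self.union(macs[0], m)

    def find(self, mac):
        mac = norm(mac)
        if mac not in self.parent:
            return None                       # not a member of this set
        root = mac
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[mac] != root:       # path compression
            self.parent[mac], mac = root, self.parent[mac]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if self.size[ra] < self.size[rb]:
            ra, rb = rb, ra
        self.parent[rb] = ra
        self.size[ra] += self.size[rb]


class MacBipartiteGraph:
    """One MAC address bipartite graph: two MAC sets, one union-find each (S421)."""

    def __init__(self, first_macs, second_macs):
        self.sets = {"first": UnionFind(first_macs), "second": UnionFind(second_macs)}
        self.external_side = None             # which set holds external network MACs
        self.direction = None                 # (from_set, to_set) of the access traffic

    def side_of(self, mac):
        hits = [s for s, uf in self.sets.items() if uf.find(mac) is not None]
        return hits[0] if len(hits) == 1 else None

    def label(self, first_direction, external_mac, internal_mac):
        """S422-S423 with rules S4231-S4234: learn from the first traffic."""
        if first_direction not in (OUTBOUND, INBOUND):
            raise ValueError("first traffic must have a known direction")
        ext_side, int_side = self.side_of(external_mac), self.side_of(internal_mac)
        # "and/or": one match is enough, but two matches must not contradict.
        votes = {s for s in (ext_side, OTHER.get(int_side)) if s}
        if len(votes) != 1:
            raise ValueError("first traffic does not match the two MAC sets")
        self.external_side = votes.pop()
        internal_side = OTHER[self.external_side]
        if first_direction == OUTBOUND:       # internal -> external
            self.direction = (internal_side, self.external_side)
        else:                                 # inbound: external -> internal
            self.direction = (self.external_side, internal_side)
        return self.direction


def classify(graphs, src_mac, dst_mac):
    """Later traffic (assumed to run src MAC -> dst MAC): find its graph, read off sides."""
    for g in graphs:
        src, dst = g.side_of(src_mac), g.side_of(dst_mac)
        if g.external_side and src and dst and src != dst:
            return OUTBOUND if dst == g.external_side else INBOUND
    return None                               # unlabelled graph or unknown MAC


def demo():
    """Constructed sample: two graphs with made-up, locally administered MACs."""
    g1 = MacBipartiteGraph(["02:00:00:00:0a:01", "02:00:00:00:0a:02"],
                           ["02:00:00:00:0b:01", "02-00-00-00-0B-02"])
    g2 = MacBipartiteGraph(["02:00:00:00:0c:01"], ["02:00:00:00:0d:01"])
    # g1: outbound first traffic, only the external MAC is in a set (S4231, "or" case).
    g1.label(OUTBOUND, "02:00:00:00:0a:02", "02:00:00:00:ff:ff")
    # g2: inbound first traffic, internal MAC in the first set (S4234).
    g2.label(INBOUND, "02:00:00:00:0d:01", "02:00:00:00:0c:01")
    return g1, g2
```

A first traffic whose two MAC addresses point at contradictory sides raises `ValueError` instead of labelling the graph, so one bad seed flow cannot silently invert the direction of every later flow in that graph.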
In some embodiments, a schematic diagram of the network flow direction identification method is shown in FIG. 2. The method in this embodiment includes preparation of a local traffic direction judgment library, a traffic learning step, and a MAC address direction confirmation step. The traffic learning step and the MAC address direction confirmation step run continuously as traffic analysis proceeds. Once the network environment changes, for example when a MAC address changes, the change is exposed promptly in the MAC address bipartite graph used by traffic analysis, and the MAC address bipartite graph can be maintained continuously, so that the flow direction identification capability stays synchronized with the actual network environment.
The network flow direction identification method described above analyzes in advance the MAC addresses of all access traffic and their communication relationships to form at least one MAC address bipartite graph, which quickly groups or partitions the MAC addresses of all traffic. At the same time, from the access traffic corresponding to each MAC address bipartite graph, it screens out the first traffic whose direction is identifiable. Based on the first traffic of each MAC address bipartite graph and on all the MAC address bipartite graphs, the traffic direction of global network traffic is identified quickly, giving a traffic direction judgment capability for global traffic, reducing the maintenance cost of global network flow direction identification while improving its accuracy and efficiency.
Based on the same inventive concept, according to another aspect of the present invention, as shown in FIG. 3, an embodiment of the present invention further provides a computer device 30. The computer device 30 includes a processor 310 and a memory 320; the memory 320 stores a computer program 321 that can run on the processor, and the processor 310 performs the steps of the above method when executing the program.
Based on the same inventive concept, according to another aspect of the present invention, as shown in FIG. 4, an embodiment of the present invention further provides a computer-readable storage medium 40, which stores a computer program 410 that performs the above method when executed by a processor.
Finally, it should be noted that a person of ordinary skill in the art will understand that all or part of the processes of the methods in the above embodiments can be carried out by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the above methods. The storage medium of the program can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like. The above computer program embodiments can achieve the same or similar effects as any of the corresponding method embodiments described above.
Those skilled in the art will also appreciate that the various exemplary logic blocks, modules, circuits and algorithm steps described in connection with the disclosure herein can be implemented as electronic hardware, computer software, or a combination of the two. To illustrate this interchangeability of hardware and software clearly, the various illustrative components, blocks, modules, circuits and steps have been described generally in terms of their functions. Whether such a function is implemented as software or as hardware depends on the specific application and on the design constraints imposed on the overall system. Those skilled in the art can implement the functions in various ways for each specific application, but such implementation decisions should not be interpreted as departing from the scope disclosed by the embodiments of the present invention.
The above are exemplary embodiments disclosed by the present invention, but it should be noted that various changes and modifications may be made without departing from the scope of the disclosure of the embodiments of the present invention as defined by the claims. The functions, steps and/or actions of the method claims according to the disclosed embodiments described herein need not be performed in any particular order. The serial numbers of the embodiments disclosed above are for description only and do not indicate the relative merits of the embodiments. In addition, although elements disclosed in the embodiments of the present invention may be described or claimed in the singular, they may also be understood as plural unless explicitly limited to the singular.
It should be understood that, as used herein, the singular form "a" is intended to include the plural form as well, unless the context clearly supports an exception. It should also be understood that "and/or" as used herein refers to any and all possible combinations of one or more of the associated listed items.
A person of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the disclosure of the embodiments of the present invention (including the claims) is limited to these examples. Within the idea of the embodiments of the present invention, technical features of the above embodiment or of different embodiments may also be combined, and there are many other variations of the different aspects of the embodiments of the present invention as described above, which are not given in detail for the sake of brevity. Therefore, any omission, modification, equivalent substitution, improvement and the like made within the spirit and principles of the embodiments of the present invention shall fall within the protection scope of the embodiments of the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311129589.0A CN117221242B (en) | 2023-09-01 | 2023-09-01 | Network flow direction identification method, device and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117221242A (en) | 2023-12-12 |
CN117221242B (en) | 2024-09-03 |
Family
ID=89043517
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311129589.0A Active CN117221242B (en) | 2023-09-01 | 2023-09-01 | Network flow direction identification method, device and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117221242B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN117221242A (en) | 2023-12-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
Effective date of registration: 20241119
Address after: No. 103-1, 1st Floor, Building 03, No. 1108 Shengbang Street, High tech Zone, Chengdu City, Sichuan Province 610000
Patentee after: Chengdu Slow Sound Technology Co.,Ltd.
Country or region after: China
Address before: Room 406, Building E1, Phase II of Hefei Innovation Industrial Park, No. 2800 Innovation Avenue, High tech Zone, Hefei City, Anhui Province, 230031
Patentee before: Anhui Manyin Technology Co.,Ltd.
Country or region before: China