细粒度网络流量分类架构及其优化  

作　　者：李勋 唐亚哲[1] LI Xun;TANG Yazhe(Faculty of Electronic and Information Engineering,Xi’an Jiaotong University,Xi’an 710049,China;Science and Technologyon Information Transmission and Dissemination in Communication Networks Laboratory,Shijiazhuang 050081,China)

机构地区：[1]西安交通大学电信学部,西安710049 [2]通信网信息传输与分发技术重点实验室,石家庄050081

出　　处：《西安交通大学学报》2020年第11期121-128,共8页Journal of Xi'an Jiaotong University

基　　金：通信网信息传输与分发技术重点实验室开放基金资助项目(SXX18641X024)。

摘　　要：针对现有网络流量指纹自动生成难度大、粒度粗及匹配阶段内存消耗大等问题,提出了细粒度网络流量分类架构及其优化。在线下,根据特定字符片段在对应流量中保持不变,且代表流量功能的有效字符片段比随机噪声片段出现的频率高这一特性,寻找流量中字符片段出现频率和长度达到一定阈值的有效片段,并将其作为备选指纹规则,通过交并、合并、指纹提纯操作获取该流量对应的指纹。在线上字符串匹配时,根据k均值分类思想重新定义距离,并利用异构位分割状态机的启发式算法对指纹中的字符串进行重新组织,对内存使用进行优化。实验结果表明:所提算法能够在未知网络流量协议格式的情况下自动生成细粒度的流量指纹,平均识别准确率为93.65%,对噪声不敏感;在匹配时若将原所有指纹字符片段重新优化组织,当指纹规则数量在4000以上时,可节约近50%的内存需求。To solve the problems of coarse-grained network traffic fingerprints and large memory consumption in the matching phase,we proposed a fine-grained network traffic classification architecture to achieve automated signature generation and optimize memory.As some portion of the data payload in a function is invariant and the signature reflecting the application function is atypical in internet traffic,the signature generation is mapped into the problem of obtaining the frequently occurring substrings and their corresponding occurrence frequency.In the case of online matching,according to the idea of k-means classification,the distance is redefined and the rules are reorganized using the heuristic heterogeneous bit-split deterministic finite automaton method to achieve the purpose of optimizing memory usage.The experimental results show that without knowing the format of the network traffic protocol,the method can automatically generate fine-grained traffic fingerprints with an average recognition accuracy of 93.65%,and is not sensitive to noise.In addition,if all fingerprint character fragments are re-optimized during matching,when the number of fingerprint rules is above 4000,it can save nearly 50%of memory requirements compared with the previous bit-split string matching methods.

关 键 词：细粒度网络流量 指纹自动生成 位分割状态机 启发式算法 字符串匹配 

分 类 号：TP393.0[自动化与计算机技术—计算机应用技术]