CN101287010A - Method and apparatus for identifying and verifying type of message protocol - Google Patents

Publication number: CN101287010A
Authority: CN (China)
Prior art keywords: message, protocol, type, characteristic character, template
Legal status: Pending
Application number: CNA2008101108342A
Other languages: Chinese (zh)
Inventor: 朱晓明
Current Assignee: Huawei Digital Technologies Chengdu Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd

Abstract

Embodiments of the invention disclose a method and a device for identifying the protocol type of a message, which can identify the protocol type to which a message belongs with relatively high accuracy. The method comprises: obtaining a message transmitted between communication ends; searching for a message recognition template that matches the message, the template comprising the characteristic characters of the message and the format of the characteristic characters; and looking up the protocol type corresponding to the matched message recognition template. Embodiments of the invention also disclose a method and a device for verifying the protocol type of a message. The embodiments are used for protocol identification and verification.

Description

Method and apparatus for identifying and verifying the protocol type of a message
Technical field
The present invention relates to the communications field, and in particular to a method and apparatus for identifying and verifying the protocol type of a message.
Background
Network protocols are standards for transmitting and managing information in a network (including the Internet). Whether the goal is to examine aspects such as the network architecture and network usage, to detect abnormal network traffic, or to improve network quality of service, the protocol type to which the network traffic belongs must first be identified.
Current application-layer protocol identification schemes are recognition methods based on characteristic characters. Such a method extracts the characteristic characters of one or more messages according to the characteristics of the network protocol to form a protocol fingerprint, and at the same time extracts characteristic characters other than those forming the protocol fingerprint to form the verification rules of the protocol.
For example, to identify HTTP (Hypertext Transfer Protocol): first a protocol fingerprint set is established, comprising "GET" and "POST"; then a corresponding verification rule set is established for each of the protocol fingerprints "GET" and "POST".
The verification rule set of the HTTP protocol fingerprint "GET" is:
Rule 1: the text must contain the string "TTP";
Rule 2: the text must contain the string "\r\n".
The verification rule set of the HTTP protocol fingerprint "POST" is:
Rule 1: the text must contain the string "\r\n";
Rule 2: the text must contain the string "Content-Length".
One protocol corresponds to one or more protocol fingerprints, and one protocol fingerprint corresponds to one or more verification rules. The existing application protocol identification method comprises: obtaining a message transmitted between the ports of two IP addresses and matching the message against the protocol fingerprints; once a match succeeds, the verification rule set of that protocol fingerprint is activated. After the message passes the verification rule set of the protocol fingerprint, the protocol type is judged to have been identified successfully. After successful identification, the two transmitting ends of the message and the protocol type of the message are stored as a five-tuple <source IP address, port of the source IP address, destination IP address, port of the destination IP address, protocol type>, forming a solidified table that "remembers" the result. A solidified table of this form is valid only for identifying the current session flow, and it can occupy a large amount of system resources.
In implementing the above scheme, the inventor found at least the following problem in the prior art: the protocol fingerprint is formed simply from the characteristic characters of a message, the verification rule set of the fingerprint is formed from characteristic characters other than those of the fingerprint, and the protocol type is identified from whichever characteristic characters the message contains. Such identification and verification is incomplete and its false-positive rate is relatively high; for example, a message of another protocol type that contains these characteristic characters will also be identified as belonging to this protocol type.
Summary of the invention
Embodiments of the invention provide a method for identifying the protocol type of a message, which can identify the protocol type to which a message belongs with relatively high accuracy.
In one aspect, an embodiment of the invention provides a method for identifying the protocol type of a message, comprising:
obtaining a message transmitted between communication ends;
searching for a message recognition template that matches the message, the message recognition template comprising the characteristic characters of the message and the format of the characteristic characters;
looking up the protocol type corresponding to the message recognition template that matches the message.
In another aspect, an embodiment of the invention provides a method for verifying the protocol type of a message, comprising:
continuously obtaining at least two messages transmitted between communication ends;
judging whether the at least two obtained messages match a message validation template, the message validation template comprising, in order, the characteristic characters of at least two messages and the formats of the characteristic characters.
An embodiment of the invention also provides a method for identifying the protocol type of a message, comprising:
obtaining a message transmitted between communication ends;
searching for a message recognition template that matches the message, the message recognition template comprising the characteristic characters of the message and the format of the characteristic characters;
looking up the protocol type corresponding to the message recognition template that matches the message;
judging whether the obtained messages match a message validation template, the message validation template comprising, in order, the characteristic characters of at least two messages and the formats of the characteristic characters;
if they match, determining that the protocol type of the message is the protocol type corresponding to the message recognition template found to match the message.
An embodiment of the invention provides a device for identifying the protocol type of a message, comprising:
a first obtaining unit, configured to obtain a message transmitted between communication ends;
a first searching unit, configured to search for a message recognition template that matches the message, the message recognition template comprising the characteristic characters of the message and the format of the characteristic characters;
a second searching unit, configured to look up the protocol type corresponding to the message recognition template that matches the message.
An embodiment of the invention also provides a device for verifying the protocol type of a message, comprising:
a second obtaining unit, configured to continuously obtain at least two messages transmitted between communication ends;
a judging unit, configured to judge whether the at least two obtained messages match a message validation template, the message validation template comprising, in order, the characteristic characters of at least two messages and the formats of the characteristic characters.
The method and apparatus for identifying the protocol type of a message search for the message recognition template that matches the message obtained between the communication ends, and take the protocol type corresponding to that recognition template as the protocol type of the message. The message recognition template used as the recognition criterion contains not only the characteristic characters of the protocol's messages but also the format of those characteristic characters, which improves the accuracy of identifying the protocol type. In the method and apparatus for verifying the protocol type of a message, the message validation template used as the verification criterion contains not only the characteristic characters of the protocol's messages but also their format, and the order of the characteristic characters and formats of the at least two messages in the validation template is consistent with the order in which the messages are exchanged during communication. The template thus simulates the message interaction process, and since the message interaction process of each protocol is peculiar to that protocol, the correctness of a protocol type that passes protocol verification is improved.
Description of the drawings
Fig. 1 is a flow chart of the method for identifying the protocol type of a message according to an embodiment of the invention;
Fig. 2 is a flow chart of the method for verifying the protocol type of a message according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the protocol state machine used in the protocol type identification process according to an embodiment of the invention;
Fig. 4 is a diagram of a typical interaction of SMTP (Simple Mail Transfer Protocol) messages according to an embodiment of the invention;
Fig. 5 shows the protocol verification process for SMTP messages according to an embodiment of the invention;
Fig. 6 is a schematic diagram of the device for identifying the protocol type of a message according to an embodiment of the invention;
Fig. 7 is a schematic diagram of the device for verifying the protocol type of a message according to an embodiment of the invention.
Embodiments
The technical scheme provided by the embodiments of the invention identifies the protocol type of a message according to the characteristic characters of the message and the format of the characteristic characters, and verifies the identified protocol type according to the characteristic characters, the format of the characteristic characters, and the interaction order of the messages.
Fig. 1 is a flow chart of the method for identifying the protocol type of a message according to an embodiment of the invention. The method comprises:
Step 101: obtain a message transmitted between communication ends.
The communication ends comprise a client and a server, and may also be two peer communication ends. Clients include mobile terminals (such as mobile phones, personal computers (PCs) and personal digital assistants (PDAs)) and fixed terminals (such as landline telephones). In this embodiment, obtaining a message may comprise actively fetching the message from a communication end, or passively receiving a message sent by a communication end.
In this step, complete messages transmitted between the communication ends may be obtained (for example one or two complete messages), or only part of a message may be obtained, such as some of the bytes of one message (for example the first 100 bytes), which reduces the load on the system.
Step 102: search for the message recognition template that matches the message.
The message recognition template in the embodiments of the invention expresses the characteristic characters contained in a protocol message (such as a Session Initiation Protocol (SIP) message, a Bearer Independent Call Control (BICC) message, or a Simple Mail Transfer Protocol (SMTP) message) and the format of those characteristic characters. The characteristic characters are the key characters peculiar to the protocol message. The format of the characteristic characters comprises the position of the characteristic characters in the protocol message (for example at the beginning or the end of the message), the number of characteristic characters, and the order of the different characteristic characters relative to one another. In this embodiment, a message "matches" a template when the message satisfies the characteristic characters and the format of the characteristic characters that the template expresses. A plurality of message recognition templates may be set in advance; each message recognition template corresponds to (is associated with) one protocol type and expresses the characteristic characters contained in that protocol's messages and their format. In this step, the preset message recognition templates (there may be one or more) are searched for a template that matches the message, in order to determine the message recognition template that matches the message.
The message recognition template in this embodiment can be expressed as a regular expression. A regular expression consists of ordinary characters (for example the characters a to z) and special characters (called metacharacters), and describes one or more characteristic characters to be matched, together with their format, when searching text. The format of the characteristic characters comprises the position of the characteristic characters in the message (for example at the beginning or the end of the message), the number of characteristic characters, and the order of the different characteristic characters relative to one another. For example, in the regular expression (a|b)*c, "*" means repeated zero or more times and "|" means alternation (OR). The strings described by (a|b)*c are zero or more occurrences of the character a or the character b, followed by one character c. Strings that satisfy (a|b)*c include ac, bc, abc, aabc, abbc and c. The message templates in this embodiment may also be expressed in other ways, including custom rules, as long as the template can contain the characteristic characters and the format of the characteristic characters.
Further, in the embodiments of the invention, protocol type recognition rules can be set in a database (such as a protocol recognition library), and the recognition template of a message and the protocol type corresponding to that template are recorded in a protocol type recognition rule. The format of a recognition rule can be:
[number of protocol type recognition rule: message recognition template].
Here the "number of protocol type recognition rule" field indicates the protocol type corresponding to the message recognition template; the "message recognition template" field contains the characteristic characters of the message and the format of the characteristic characters; and ":" is the separator.
Taking SMTP as an example, the following describes the process of searching for the message recognition template that matches an SMTP message.
First, the message recognition template is set in advance. Taking SMTP messages as the example, the SMTP message recognition template can be set according to the first reply returned by the server after the TCP (Transmission Control Protocol) three-way handshake (here the template is expressed as a regular expression), further forming the following protocol type recognition rule: [SMTP:^220[\x09 \x0b-\x0d-~]*("smtp"|"mail")]. Where:
SMTP is the number of the protocol type recognition rule and indicates that the protocol type corresponding to the message recognition template is SMTP;
In the regular expression ^220[\x09 \x0b-\x0d-~]*("smtp"|"mail"), the metacharacter "^" means "match at the start position of the string", the metacharacter "*" means "the preceding subexpression occurs zero or more times", and "[\x09 \x0b-\x0d-~]" denotes any character. The message recognition template expressed by this regular expression is therefore: the message begins with 220, followed by zero or more arbitrary characters, followed by smtp or mail.
Then the obtained message is matched against the message recognition template. Preferably, this embodiment implements template matching with a state machine that has defined states and transition conditions: the message recognition templates are first compiled to form a protocol recognition engine, which is equivalent to a protocol state machine. The method of matching an obtained message against the SMTP message recognition template is described below. The SMTP protocol type recognition rule preset in this embodiment is [SMTP:^220[\x09 \x0b-\x0d-~]*("smtp"|"mail")], and the deterministic finite automaton (DFA: Deterministic Finite Automata) shown in Fig. 3 can be built from this regular expression. In Fig. 3, the character above an arrow denotes the input character, and a concentric circle denotes a hit state of the state machine; that is, if the state machine reaches this state, an input character feature has been hit. The initial state of the protocol state machine is state 0. In state 0, if the input character is "n", the machine moves to state 1; in state 1, if the input character is "2", it moves to state 2; and so on. In any state, if the machine encounters an input character for which Fig. 3 marks no explicit transition to a next state (for example an input other than "0" in state 3), it returns to state 0. For example, if the obtained message is "220 thisis smtp server", then when it is matched against the SMTP message recognition template the state machine moves from state 0 to state 12, which indicates a successful match with the message recognition template expressed as a regular expression in the protocol type recognition rule [SMTP:^220[\x09 \x0b-\x0d-~]*("smtp"|"mail")]; that is, the template found to match the SMTP message is ^220[\x09 \x0b-\x0d-~]*("smtp"|"mail").
Step 103: look up the protocol type corresponding to the message recognition template that matches the message.
In this embodiment, each message recognition template corresponds to (is associated with) one protocol type and expresses the characteristic characters contained in that protocol's messages and their format. Therefore, after the message recognition template that matches the message has been found, the protocol type corresponding to that template is looked up. For example, if a template matching the message is found in a certain protocol recognition rule, the number of that protocol recognition rule is the protocol type corresponding to the message recognition template.
Step 104: determine that the protocol type of the message is the protocol type corresponding to the message recognition template found to match the message.
In this step, the protocol type corresponding to the message recognition template that matches the message can be determined to be the protocol type of the message transmitted between the communication ends. For example, if a template matching the message is found in a certain protocol recognition rule, the number of that rule (that is, the protocol type corresponding to the message recognition template) can be determined to be the protocol type of the message transmitted between the communication ends.
Step 105: establish the correspondence between the communication end and the determined protocol type of the message.
In the embodiments of the invention, after the protocol type of the message has been determined, the correspondence between the communication end and the determined protocol type can also be established. For example, a solidified table containing the identifier of the communication end (IP address and/or port number) and the protocol type of the message is built, so that the protocol recognition result is "solidified". The structure of the solidified table can be <IP address, port of the IP address, protocol type>.
The method for identifying the protocol type of a message searches for the message recognition template that matches the message obtained between the communication ends, and takes the protocol type corresponding to that recognition template as the protocol type of the message. The message recognition template used as the recognition criterion contains not only the characteristic characters of the protocol's messages but also the format of those characteristic characters, which improves the accuracy of identifying the protocol type. The correspondence between the communication end and the determined protocol type is also established, so that when identifying the protocol type of later messages, the IP address and port number of the communication end carried in a message can be extracted and compared with the recorded correspondence to confirm the protocol type of the message. Identification can then be done by looking up the solidified table, which improves the efficiency of identifying the protocol type.
In the embodiments of the invention, step 104 may be omitted; that is, the protocol type corresponding to the message recognition template found to match the message is taken by default to be the protocol type of the message.
In the embodiments of the invention, step 105 (establishing the correspondence between the communication end and the determined protocol type) may be executed by default, or may be omitted, so that no correspondence is established for the protocol type of the messages transmitted between the communication ends. For some protocols (such as the BT protocol) the port used for each communication is random, so establishing a correspondence helps little in identifying later messages and is unnecessary. Whether to execute step 105 can also be configured in advance. For example, a field can be added to the protocol type recognition rule to indicate whether to establish the correspondence, as in: [number of protocol type recognition rule: message recognition template: whether to solidify the recognition result]. The "whether to solidify the recognition result" field can be set to 1 or 0 and indicates whether to build the solidified table containing the identifier of the communication end (IP address and/or port number) and the protocol type of the message, that is, whether to "solidify" the protocol recognition result.
In the embodiments of the invention, after step 103 and before step 104 (that is, after the protocol type corresponding to the matching message recognition template has been looked up and before it is determined to be the protocol type of the message), the looked-up protocol type can by default also be verified, and step 104 is executed only if verification passes. Whether to verify the looked-up protocol type can also be configured in advance. For example, a field can be added to the protocol type recognition rule to indicate whether the messages obtained between the communication ends are to be verified, as in: [number of protocol type recognition rule: message recognition template: whether to verify the protocol type]. The "whether to verify the protocol type" field can be set to 1 or 0 and indicates whether the protocol type corresponding to the message recognition template found to match the message is to be verified.
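The recognition flow of steps 101 to 105, as an added sketch that is not code from the patent: rules in the extended `[number:template:whether to solidify]` format are compiled, a message prefix is matched, and the result is recorded per endpoint. The SMTP character class is an assumed reading of the page's garbled expression, case-insensitive matching is an assumption, and the BT rule, `keyword_fingerprint`, the addresses and the payloads are constructed for illustration.

```python
import re

# Constructed rules in the page's extended format
# [rule number:message recognition template:whether to solidify the result].
# Assumptions: the SMTP character class is a reading of the page's garbled
# expression, matching ignores case, and the BT rule is hypothetical.
RULES_TEXT = r"""
SMTP:^220[\x09-\x0d -~]*(smtp|mail):1
BT:^\x13BitTorrent protocol:0
"""

PREFIX_BYTES = 100  # step 101: only the first bytes of a message are inspected


def load_rules(text):
    """Parse rule lines into (protocol type, compiled template, solidify flag)."""
    rules = []
    for line in text.strip().splitlines():
        # The rule number precedes the first ':' and the flag follows the last
        # one, so the template itself may contain ':'.
        proto, rest = line.split(":", 1)
        template, flag = rest.rsplit(":", 1)
        pattern = re.compile(template.encode("ascii"), re.IGNORECASE)
        rules.append((proto, pattern, flag == "1"))
    return rules


class Recognizer:
    def __init__(self, rules):
        self.rules = rules
        self.solidified = {}  # (IP address, port) -> protocol type

    def identify(self, ip, port, payload):
        """Steps 102-105: table lookup first, then template matching."""
        known = self.solidified.get((ip, port))
        if known is not None:
            return known
        head = payload[:PREFIX_BYTES]
        for proto, pattern, solidify in self.rules:
            if pattern.match(head):  # position and order matter, not just presence
                if solidify:
                    self.solidified[(ip, port)] = proto
                return proto
        return None


def keyword_fingerprint(payload):
    """Prior-art style check: characteristic characters anywhere in the text."""
    return b"220" in payload and b"mail" in payload


# Constructed sample traffic (documentation addresses from RFC 5737).
BANNER = b"220 thisis smtp server\r\n"  # the page's example message
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nX-Request-Id: 220\r\n\r\nmail queued"
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8)


def demo():
    r = Recognizer(load_rules(RULES_TEXT))
    results = {
        "banner": r.identify("192.0.2.10", 25, BANNER),
        # Same endpoint, bytes that match no template: answered from the table.
        "follow_up": r.identify("192.0.2.10", 25, b"250 OK\r\n"),
        "http_keyword": keyword_fingerprint(HTTP_REPLY),
        "http_template": r.identify("198.51.100.7", 80, HTTP_REPLY),
        "bt": r.identify("203.0.113.5", 51413, BT_HANDSHAKE),
    }
    results["table"] = dict(r.solidified)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Because a solidified entry answers for every later message on that endpoint, the optional verification between steps 103 and 104 is the place to confirm the type before it is recorded.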
Fig. 2 is a flow chart of the method for verifying the protocol type of a message according to an embodiment of the invention. The method comprises:
Step 201: continuously obtain at least two messages transmitted between communication ends.
The communication ends comprise a client and a server, and may also be two peer communication ends. Clients include mobile terminals (such as mobile phones, personal computers (PCs) and personal digital assistants (PDAs)) and fixed terminals (such as landline telephones). In this embodiment, obtaining a message may comprise actively fetching the message from a communication end, or passively receiving a message sent by a communication end.
In this step, the number of consecutive messages obtained between the communication ends is at least 2 and generally no more than 20.
Step 202: judge whether the at least two obtained messages match the message validation template. If they match, verification of the protocol type of the messages succeeds; otherwise, verification of the protocol type fails.
The message validation template in the embodiments of the invention comprises, in order, the characteristic characters of at least two messages and the formats of the characteristic characters. "In order" means that the order of the characteristic characters and formats of the at least two messages in the template is consistent with the order in which the messages are exchanged during communication. "Matching" in this embodiment means that the at least two continuously obtained messages, in sequence, satisfy the characteristic characters and formats of the at least two messages that the validation template expresses in order. Of course, when only two messages are received, the message validation template may still comprise the characteristic characters and formats of more than two messages, as long as the two received messages, in sequence, satisfy the characteristic characters and formats of two of the messages that the template expresses in order.
The characteristic characters of a message in the message validation template may overlap with the characteristic characters of that message in the message recognition template; the message validation template may also contain only characteristic characters other than those already contained in the message recognition template.
The message validation template can be expressed as a regular expression. The message validation template used for verification should be the one corresponding to the protocol type identified in the protocol type identification process.
In the embodiments of the invention, protocol type verification rules can also be set in a database (such as a protocol verification library), and the validation template of a message and the protocol type corresponding to that template are recorded in a protocol type verification rule. When verifying the protocol type of a message, the message only needs to be matched against the message validation template corresponding to the protocol type identified in the message identification process. The format of a verification rule can be:
[number 1 of protocol type verification rule: message validation template 1;
number 2 of protocol type verification rule: message validation template 2;
......].
Here the "number of protocol type verification rule" field indicates the protocol type corresponding to the message validation template; the "message validation template" field contains the characteristic characters of the message and the format of the characteristic characters; ":" is the separator; and ";" separates two successive message validation templates.
Be example below with SMTP, describe the process that SMTP message and message validation template are complementary.In the present embodiment, to be complementary be example to the message validation template that comprises the form of the characteristic character of 6 message and characteristic character with 6 continuous meassages that will receive and order.
At first set in advance the message validation template.With SMTP message is example, can set in advance SMTP message validation template (representing that with regular expression the message recognition template is an example), and further form following protocol type proof rule according to the interaction sequences of SMTP message in communication process message.
Be illustrated in figure 4 as the typical reciprocal process of SMTP message.Reciprocal process is as follows:
Client sends " mail from " request;
Server end sends " 250 " and replys after receiving " mail from " request of client;
After reply " 250 " of client reception server end, send " rcpt to " request;
Server end sends " 250 " and replys after receiving " rcpt to " request of client;
After the replying of " 250 " of client reception server end, send " data " request;
Server end sends " 354 " and replys after receiving " data " request of client.
According to the reciprocal process of above-mentioned SMTP message, following protocol verification rule (representing that with regular expression the message validation template is an example) can be set:
[SMTP_MAIL: "^mail from" (the regular expression denotes a message beginning with "mail from");
SMTP_MAIL_REPLY: "^250" (the regular expression denotes a message beginning with "250");
SMTP_RCPT: "^rcpt to" (the regular expression denotes a message beginning with "rcpt to");
SMTP_RCPT_REPLY: "^250" (the regular expression denotes a message beginning with "250");
SMTP_DATA: "data" (the regular expression denotes a message beginning with "data");
SMTP_DATA_REPLY: "354" (the regular expression denotes a message beginning with "354")].
In the protocol verification rule above, SMTP_MAIL, SMTP_MAIL_REPLY and so on are the numbers of the protocol type verification rules; these numbers can also be written as the sequence numbers 1, 2, 3, and indicate the order of the protocol type verification rules relative to one another. The regular expressions express the characteristic characters of the messages and the format of the characteristic characters.
Next, the obtained messages are matched against the message recognition template. In this embodiment, the 6 received SMTP messages are matched against the message validation template corresponding to SMTP messages. Preferably, this embodiment implements template matching with a state machine that has specific states and transition conditions: the message validation template is first compiled to form a protocol verification engine. This engine is equivalent to a protocol state machine that simulates the typical interaction behaviour of the protocol, and the protocol verification process can be regarded as passing through this typical protocol state machine. If one state is satisfied, the machine moves to the next state; if all states of the protocol state machine are passed, the match succeeds. The method of matching the obtained SMTP messages against the message validation template corresponding to SMTP messages is described in detail below. In this embodiment, after the message protocol type has been identified as SMTP, the messages are matched against the message validation template corresponding to SMTP messages in the protocol verification library. As shown in Figure 5, the protocol verification process for SMTP messages is as follows:
State 1: wait for a "mail from" request from the client;
State 2: wait for a "250" reply from the server;
State 3: wait for a "rcpt to" request from the client;
State 4: wait for a "250" reply from the server;
State 5: wait for a "data" request from the client;
State 6: wait for a "354" reply from the server.
If all states of the protocol state machine are passed, verification of the SMTP messages succeeds.
In this step, the number of messages used for verification is generally no more than 20, and when each message is verified only its first few hundred bytes (for example, the first 100 bytes) need to be scanned. Limiting the number of messages used for protocol verification and the maximum number of bytes scanned in each message reduces the overhead of protocol verification.
The message protocol verification method of the embodiment of the invention is based on the typical message exchange, and the protocol verification rules can be written with reference to the RFCs (Request For Comments).
It should be noted that protocol verification is not mandatory: for some message protocol types, the protocol type can be determined accurately from the protocol type recognition rule alone, so no protocol verification is needed, which improves the efficiency of protocol identification. Examples are POP3 (Post Office Protocol 3) and the Telnet protocol.
In the embodiment of the invention, the protocol identification library and the protocol verification library can also be updated regularly or irregularly, thereby updating the message recognition templates and message validation templates, so that the two libraries take effect in real time and the protocol libraries have good extensibility.
In the embodiments above, at least two messages transmitted between the communication terminals are obtained consecutively and matched against the message recognition template. To make verification more accurate, the at least two consecutively obtained messages generally include all messages in the typical exchange between client and server, and the characteristic characters and characteristic-character formats of the at least two messages that the message validation template contains in order likewise cover all messages in the typical client-server exchange. The at least two consecutively obtained messages can also include the messages in the typical exchange between communication terminals in a peer-to-peer network. Figure 4 shows all the messages in the typical SMTP message exchange.
To save system overhead, it is possible to obtain only the messages sent by one communication terminal in the typical message exchange (for example the client or the server, or either communication terminal in a peer-to-peer network), with the message validation template likewise containing, in order, only the characteristic characters and characteristic-character formats of the messages sent by that one communication terminal in the typical exchange. Matching the messages sent by one communication terminal against the message validation template saves half of the matching time. In addition, when the curing table is subsequently built, only the IP address, port number and protocol type of one communication terminal are recorded, which saves system storage. In this implementation, the message transmission direction corresponding to the message recognition template can be added to the protocol recognition rule to record which communication terminal sends the message. After the message recognition template matching a message has been found, the transmission direction preset in the protocol type recognition rule determines which of the communicating terminals is the server and which is the client. For example, the protocol type recognition rule can take the form:
[number of the protocol type recognition rule: message recognition template: message transmission direction corresponding to the message recognition template].
Here, the "message transmission direction corresponding to the message recognition template" field can be "server", "client" or "Peer": "server" means the message comes from the server, "client" means the message comes from the client, and "Peer" means the message comes from a peer communication terminal.
In the subsequent verification of the message protocol type, only the messages sent by this determined communication terminal need to be received and verified. The message validation template likewise only needs to contain, in order, the characteristic characters and characteristic-character formats of the messages sent by one communication terminal. For example, the protocol type verification rule can be:
【SMTP_MAIL: "^mail from": client;
SMTP_RCPT: "^rcpt to": client;
SMTP_DATA: "data": client】.
Here, "client" means the message comes from the client.
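The SMTP verification state machine of Figure 5, with the message and byte limits and the one-direction variant described above, as an added Python example (not code from the patent). The names, the case-insensitive matching, the `^` anchoring of "data" and "354" (following the prose "begins with"), the skipping of messages before state 1 and the reset on a mismatch are assumptions; the sample sessions are constructed.

```python
import re
from dataclasses import dataclass

MAX_MESSAGES = 20   # the page: generally no more than 20 messages per verification
SCAN_BYTES = 100    # the page: scan only the start of each message, e.g. 100 bytes


@dataclass(frozen=True)
class Step:
    name: str            # rule number, e.g. SMTP_MAIL
    pattern: re.Pattern  # characteristic characters and their format
    direction: str       # "client" or "server": which end sends this message


def compile_rule(entries):
    """Compile (name, regex, direction) entries into an ordered list of states."""
    # Assumption: case-insensitive matching, since SMTP command verbs are.
    return [Step(n, re.compile(p, re.IGNORECASE), d) for n, p, d in entries]


# The six-state rule from the page. Assumption: "data" and "354" are anchored
# with ^ to follow the prose; unanchored they would also match mid-line text.
SMTP_RULE = compile_rule([
    ("SMTP_MAIL", rb"^mail from", "client"),
    ("SMTP_MAIL_REPLY", rb"^250", "server"),
    ("SMTP_RCPT", rb"^rcpt to", "client"),
    ("SMTP_RCPT_REPLY", rb"^250", "server"),
    ("SMTP_DATA", rb"^data", "client"),
    ("SMTP_DATA_REPLY", rb"^354", "server"),
])


def _satisfies(step, direction, head):
    return step.direction == direction and step.pattern.search(head) is not None


def verify(rule, messages, only_direction=None):
    """Return True if the (direction, payload) messages pass every state in order.

    With only_direction set, only that end's states and messages are used,
    which is the one-direction variant of the rule.
    """
    steps = [s for s in rule if only_direction in (None, s.direction)]
    if not steps:
        return False
    state = examined = 0
    for direction, payload in messages:
        if only_direction is not None and direction != only_direction:
            continue
        if examined == MAX_MESSAGES:      # cap on messages used for verification
            break
        examined += 1
        head = payload[:SCAN_BYTES]       # cap on bytes scanned per message
        if _satisfies(steps[state], direction, head):
            state += 1
        elif state and _satisfies(steps[0], direction, head):
            state = 1                     # mismatch, but a new exchange starts here
        else:
            state = 0                     # still waiting for state 1
        if state == len(steps):
            return True
    return False


# Constructed sample traffic (not captured data).
SESSION = [
    ("server", b"220 mail.example.test ESMTP\r\n"),
    ("client", b"EHLO client.example.test\r\n"),
    ("server", b"250-mail.example.test\r\n250 SIZE 10240000\r\n"),
    ("client", b"MAIL FROM:<a@example.test>\r\n"),
    ("server", b"250 2.1.0 Ok\r\n"),
    ("client", b"RCPT TO:<b@example.test>\r\n"),
    ("server", b"250 2.1.5 Ok\r\n"),
    ("client", b"DATA\r\n"),
    ("server", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
]
REJECTED = SESSION[3:6] + [("server", b"550 5.1.1 User unknown\r\n"),
                           ("client", b"QUIT\r\n")]
NOT_SMTP = [
    ("client", b"POST /f HTTP/1.1\r\n\r\nmail from=a&rcpt to=b&data"),
    ("server", b"HTTP/1.1 250 Odd\r\n\r\n"),
]
NOISE = [("client", b"NOOP\r\n"), ("server", b"250 Ok\r\n")] * 10

if __name__ == "__main__":
    for label, msgs in [("session", SESSION), ("rejected", REJECTED),
                        ("not smtp", NOT_SMTP), ("late start", NOISE + SESSION)]:
        print(label, verify(SMTP_RULE, msgs), verify(SMTP_RULE, msgs, "client"))
```

The rejected-recipient session is real SMTP yet fails verification, because the rule models only the typical exchange; a deployment relying on this check would treat "not verified" as "unconfirmed" and not as "not SMTP".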
This embodiment verifies messages with a message validation template. The message validation template used as the verification standard contains not only the characteristic characters of the protocol's messages but also the format of those characteristic characters, and the order of the characteristic characters and characteristic-character formats of the at least two messages it contains is consistent with the order in which the messages are exchanged during communication. The template thus simulates the message exchange; because the message exchange of each protocol is specific to that protocol, the correctness of a protocol type that has passed protocol verification can be guaranteed.
The at least two messages obtained in this embodiment can be the messages obtained during identification of the message protocol type, or messages obtained anew during verification of the message protocol type; in the former case, step 201 can be omitted in the embodiment of the invention.
Figure 6 is a schematic diagram of the device for identifying the message protocol type according to the embodiment of the invention. The device comprises a first obtaining unit, a first search unit and a second search unit, wherein:
The first obtaining unit is used to obtain a message transmitted between communication terminals. The communication terminals include a client and a server, and can also be two peer communication terminals; clients include mobile terminals (such as mobile phones, personal computers (PC) and personal digital assistants (PDA)) and fixed terminals (such as landline telephones). In this embodiment, obtaining a message can mean actively fetching the message from a communication terminal or passively receiving a message sent by a communication terminal. In this embodiment, complete messages transmitted between communication terminals can be obtained (for example one or two complete messages), or only part of a message, such as some of the bytes of one message (for example the first 100 bytes), which reduces the load on the system.
The first search unit is used to search for the message recognition template that matches the message. The message recognition template expresses the characteristic characters that a protocol message contains and the format of the characteristic characters. Characteristic characters are the key characters specific to the protocol message; the format of the characteristic characters includes the position of the characteristic characters (for example at the beginning or the end of the protocol message), the number of characteristic characters, and the order of the different characteristic characters relative to one another. In this embodiment, matching the message means that the message satisfies the characteristic characters and characteristic-character format expressed by the message recognition template. The message recognition template can be stored in the first search unit or in another module of the device.
The second search unit is used to search for the protocol type corresponding to the message recognition template that matches the message.
Optionally, the device for identifying the message protocol type in this embodiment can further comprise:
An establishing unit, used to establish the correspondence between the communication terminal and the determined message protocol type. The establishing unit can build a curing table containing the identifier of the communication terminal (IP address and/or port number) and the message protocol type, so that the protocol identification result is "cured"; the structure of the curing table can be <IP address, port of the IP address, protocol type>.
Figure 7 is a schematic diagram of the device for verifying the message protocol type according to the embodiment of the invention. The device comprises a second obtaining unit and a judging unit, wherein:
The second obtaining unit is used to consecutively obtain at least two messages transmitted between communication terminals. The number of consecutive messages obtained by the second obtaining unit is at least 2 and generally no more than 20.
The judging unit is used to judge whether the at least two obtained messages match the message validation template. The message validation template contains, in order, the characteristic characters and characteristic-character formats of at least two messages; "in order" means that the order of the characteristic characters and formats of the at least two messages is consistent with the order in which the messages are exchanged during communication. Matching in this embodiment means that the at least two consecutively obtained messages satisfy, in order, the characteristic characters and characteristic-character formats of the at least two messages that the message validation template expresses in order. Of course, when only two messages are received, the message validation template can still contain the characteristic characters and formats of more than two messages, provided that the two received messages satisfy, in order, the characteristic characters and formats of two of the messages that the template expresses in order. The message validation template can be stored in the matching unit or in another module of the device.
The protocol types that can be identified in the embodiment of the invention can be text protocols, for example FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and BT (BitTorrent), or binary protocols, for example TELNET, TFTP (Trivial File Transfer Protocol) and DNS (Domain Name Server, the domain name resolution system).
The embodiment of the invention can be used in intrusion detection systems and intrusion prevention systems to identify network protocol types at each layer above the transport layer. Those skilled in the art will understand that the embodiment can also be used in other applications, for example the identification of other standard or proprietary protocols.
From the description of the embodiments above, those skilled in the art will clearly understand that the invention can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. On this understanding, the essence of the technical solution of the invention, or the part that contributes over the background art, can be embodied as a software product. This computer software product can be stored in a readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (a personal computer, a server, a network device or the like) to carry out the methods described in the embodiments of the invention or in parts of the embodiments.
The above are only preferred embodiments of the invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (15)

1. A method for identifying a message protocol type, characterized by comprising:
obtaining a message transmitted between communication terminals;
searching for a message recognition template that matches the message, the message recognition template comprising characteristic characters of the message and the format of the characteristic characters;
searching for the protocol type corresponding to the message recognition template that matches the message.
2. The method for identifying a message protocol type according to claim 1, characterized by further comprising:
establishing a correspondence between the communication terminal and the protocol type found for the message.
3. The method for identifying a message protocol type according to claim 2, characterized in that the correspondence is a correspondence between the IP address and/or port number of the communication terminal and the protocol type of the message.
4. The method for identifying a message protocol type according to claim 1, characterized in that the message recognition template is expressed by a regular expression.
5. A method for verifying a message protocol type, characterized by comprising:
consecutively obtaining at least two messages transmitted between communication terminals;
judging whether the at least two obtained messages match a message validation template, the message validation template comprising, in order, the characteristic characters of at least two messages and the format of the characteristic characters.
6. The method for verifying a message protocol type according to claim 5, characterized in that the message validation template is expressed by a regular expression.
7. A method for identifying a message protocol type, characterized by comprising:
obtaining a message transmitted between communication terminals;
searching for a message recognition template that matches the message, the message recognition template comprising characteristic characters of the message and the format of the characteristic characters;
searching for the protocol type corresponding to the message recognition template that matches the message;
judging whether the obtained message matches a message validation template, the message validation template comprising, in order, the characteristic characters of at least two messages and the format of the characteristic characters;
if they match, determining that the protocol type of the message is the protocol type found that corresponds to the message recognition template matching the message.
8. The method for identifying a message protocol type according to claim 7, characterized by further comprising:
establishing a correspondence between the communication terminal and the protocol type determined for the message.
9. The method for identifying a message protocol type according to claim 8, characterized in that the correspondence is a correspondence between the IP address and/or port number of the communication terminal and the protocol type of the message.
10. The method for identifying a message protocol type according to claim 7, characterized in that the message recognition template and the message validation template are expressed by regular expressions.
11. A device for identifying a message protocol type, characterized by comprising:
a first obtaining unit, used to obtain a message transmitted between communication terminals;
a first search unit, used to search for a message recognition template that matches the message, the message recognition template comprising characteristic characters of the message and the format of the characteristic characters;
a second search unit, used to search for the protocol type corresponding to the message recognition template that matches the message.
12. The device for identifying a message protocol type according to claim 11, characterized by further comprising: an establishing unit, used to establish a correspondence between the communication terminal and the protocol type determined for the message.
13. The device for identifying a message protocol type according to claim 12, characterized in that the correspondence is a correspondence between the IP address and/or port number of the communication terminal and the protocol type of the message.
14. A device for verifying a message protocol type, characterized by comprising:
a second obtaining unit, used to consecutively obtain at least two messages transmitted between communication terminals;
a judging unit, used to judge whether the at least two obtained messages match a message validation template, the message validation template comprising, in order, the characteristic characters of at least two messages and the format of the characteristic characters.
15. The device for verifying a message protocol type according to claim 14, characterized in that the message validation template is expressed by a regular expression.
CNA2008101108342A 2008-06-12 2008-06-12 Method and apparatus for identifying and verifying type of message protocol Pending CN101287010A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008101108342A CN101287010A (en) 2008-06-12 2008-06-12 Method and apparatus for identifying and verifying type of message protocol

Publications (1)

Publication Number Publication Date
CN101287010A true CN101287010A (en) 2008-10-15

Family

ID=40058976

Country Status (1)

Country Link
CN (1) CN101287010A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20090424

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20090424

Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731

Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd.

Address before: Headquarters office building, Bantian HUAWEI base, Longgang District, Guangdong, Shenzhen Province, China: 518129

Applicant before: Huawei Technologies Co., Ltd.

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20081015