CN101741628A - Application layer service analysis-based network flow analysis method - Google Patents

Info

Publication number: CN101741628A
Application number: CN200810171806A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 付天福
Original assignee: BMC Network Innovation (Beijing) Technology Co., Ltd.
Current assignee: Tianjin Opzoon Technology Co., Ltd. (listed assignees may be inaccurate; Google has not performed a legal analysis)
Priority date: 2008-11-13 (the priority date is an assumption, not a legal conclusion)
Filing date: 2008-11-13
Publication date: 2010-06-16
Legal status: listed as Pending in the page header; the Legal Events section below records rejection of the application after publication (the status is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Prior art keywords: analysis, session, flow, information, service

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network traffic analysis method based on application-layer service analysis. The method performs session-tracking analysis of Internet services and extracts the traffic rate, quality of service (QoS) and session-state information of each session; this information forms a service-session statistics database. Grounded in statistics, and by fully parsing application-layer service data, the method overcomes the limitation of conventional Cisco NetFlow-based technology, which can analyze only information at or below the fourth layer of TCP/IP, at a time when application-layer services on the network develop quickly and change frequently; it also avoids the information distortion inherent in NetFlow's sampling-based statistics. It is of significant value for network traffic analysis, service-quality measurement and abnormal-traffic identification. Because it combines application-layer service measurement with traffic-statistics measurement, its statistical results are accurate, and network maintenance, security localization, service-quality control and similar tasks in complex network environments can be performed conveniently.

Description

Network flow analysis method based on application layer service analysis
Technical field
The present invention relates to the field of computer and Internet information security technology, and in particular to a method of application-layer traffic identification, network traffic analysis, QoS measurement and analysis, and abnormal-traffic analysis.
Background technology
With the rapid development of the Internet and computers, more and more Internet data services bring convenience to people's work, life and entertainment. The trend toward "triple-play convergence" (unification of the three networks) also places QoS-assurance demands on the traditional Internet: when carrying NGN, multimedia, video-conferencing and similar services, operators must guarantee service quality.
At the same time, phenomena such as Internet attacks, resource abuse and virus propagation call for a complete solution that can, on one hand, locate the source, scope and severity of abnormal traffic and, on the other, accurately analyze the type of abnormal traffic.
The traditional NetFlow technology based on Cisco's patent has the following major drawbacks:
1. NetFlow analyzes only the layer-4 information of TCP/IP packets and cannot determine the application-layer service type of a session;
2. NetFlow is sampling-based and does not track a session end to end, so session information is easily missed or misjudged;
3. A NetFlow record counts only traffic information; service QoS indicators (delay, jitter, packet loss, response time, etc.) are not collected, and protocol-anomaly events are not analyzed.
Similar to Cisco NetFlow are the NetStream technology of Huawei Technologies Co., Ltd. and the sFlow/cFlow technologies proposed by HP, 3Com and others; all of them share the three defects described above.
A new technique is therefore needed that can accurately analyze network traffic, service QoS indicators and abnormal traffic in complex network environments, meeting the network management and maintenance needs of operators, enterprises and others.
Summary of the invention
To solve the problems of existing traffic-analysis technology, the invention provides an application-layer service traffic analysis technique applicable to network traffic analysis, service-quality measurement analysis and abnormal-traffic analysis, which can perform traffic, QoS and anomaly detection on application-layer services on the basis of statistical theory.
The application-service traffic analysis method of the invention first identifies the Internet data service, determining the application-layer service type carried by the communication session; it then collects the session's traffic rate, byte count and duration, analyzes QoS information such as the session's response time, delay, jitter and packet loss, and detects the session's communication anomalies and protocol anomalies.
When a session ends, its statistics are reported to the traffic-analysis database, which performs statistical analysis of the application-layer services.
Description of drawings
Fig. 1 is the common processing model of current network products for traffic analysis;
Fig. 2 is the processing flow when the method of the invention is used for application-layer service traffic analysis.
Embodiment
The invention is described in further detail below with reference to the drawings and an embodiment. To collect statistics on sessions of an application-layer service, the service type to which a session belongs must first be identified; only then can the corresponding analysis methods be applied to the session's traffic, the service-specific QoS indicators, service-anomaly detection and so on.
In the invention, identification of a session's application-layer service type is the key step; the various indicator statistics collected for the application-layer service are the foundation; and on that statistical basis, combined with service-specific expert analysis functions, traffic can be distinguished and counted, QoS measured and service anomalies detected.
Fig. 1 is the common processing model by which current network products perform traffic analysis. With reference to Fig. 1:
In a legacy network product that supports an xFlow function, a packet first enters the ingress-port buffer of the network device and is queued (101 in Fig. 1).
Then the session hash lookup is performed, in hardware on high-end devices and by the CPU on low-end devices (102 in Fig. 1).
xFlow samples the traffic information of each session to form the session traffic statistics (103 in Fig. 1),
and periodically exports the xFlow information to a collector (104 in Fig. 1).
The packet is then placed in the egress-port buffer queue and waits to be transmitted onto the egress network (105 in Fig. 1).
Fig. 2 is the packet-processing module used in the invention:
When a packet arrives at the network device, it first enters the device's ingress-port buffer queue and waits to be processed (201 in Fig. 2).
Then, by hardware hash lookup on high-end devices or CPU lookup on low-end devices, the session corresponding to the packet is found (202 in Fig. 2).
The application-layer service type of a session cannot be identified from the port and the TCP/UDP protocol type alone; it must also be identified through a complex protocol-analysis flow. For example, both web page browsing and online video-on-demand run over port 80, and they can only be told apart by parsing the application-layer protocol. With P2P services now widespread, protocol feature words are also needed, for example to identify P2P applications such as BitTorrent. None of these applications can be accurately identified by port alone (203 in Fig. 2).
After the session's application-layer service type has been identified, the various traffic statistics are collected for the application-layer service, including traffic statistics, service QoS indicator statistics, and service-anomaly detection and statistics (204 in Fig. 2).
When a session ends, the session information is output to the collection database (205 in Fig. 2).
After these steps, the packet is output to the device's egress-port buffer and sent to the destination network (206 in Fig. 2).
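The packet-processing flow of steps 202 to 205 (session lookup, application-layer identification by protocol feature words rather than by port, per-session traffic statistics, export at session end), as an added example that is not part of the patent: a Python session tracker run over constructed packet records. The signature list, the five-tuple session key, the idle timeout and the packet records are assumptions made for illustration; only the HTTP request line and the BitTorrent handshake prefix are used as feature words.

```python
# Added example (not the patent's code): end-to-end session tracking with payload-signature
# application identification and per-session traffic statistics. Packet records, signature list,
# five-tuple key and idle timeout are constructed assumptions for illustration.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
FlowKey = Tuple[str, str, int, str, int]  # (proto, addr_a, port_a, addr_b, port_b)

def session_key(proto, src, sport, dst, dport) -> FlowKey:
    # canonical key: both directions of a flow map to one session
    if (src, sport) <= (dst, dport):
        return (proto, src, sport, dst, dport)
    return (proto, dst, dport, src, sport)
# Protocol feature words matched against the first payload bytes; the port is never consulted.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
]

def identify_app(payload: bytes) -> Optional[str]:
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None

@dataclass
class Session:
    key: FlowKey
    first_ts: float
    last_ts: float
    packets: int = 0
    octets: int = 0
    app: Optional[str] = None   # settled by the first payload that matches a signature
    closed: bool = False

    def update(self, ts, length, payload, tcp_flags):
        self.last_ts = max(self.last_ts, ts)
        self.packets += 1
        self.octets += length
        if self.app is None and payload:
            self.app = identify_app(payload)
        if "F" in tcp_flags or "R" in tcp_flags:
            self.closed = True

    def summary(self) -> dict:
        duration = self.last_ts - self.first_ts
        window = max(duration, 1e-6)   # one-packet session: avoid division by zero
        return {"key": self.key, "app": self.app or "unknown", "packets": self.packets,
                "bytes": self.octets, "duration_s": round(duration, 3),
                "bps": round(self.octets * 8 / window, 1), "pps": round(self.packets / window, 1)}

class SessionTracker:
    """Counts every packet of every session (no sampling); exports a record at TCP FIN/RST or idle timeout."""
    def __init__(self, idle_timeout: float = 30.0):
        self.idle_timeout = idle_timeout
        self.active: Dict[FlowKey, Session] = {}
        self.exported: List[dict] = []

    def packet(self, ts, proto, src, sport, dst, dport, length, payload=b"", tcp_flags=""):
        key = session_key(proto, src, sport, dst, dport)
        sess = self.active.get(key)
        if sess is None:
            sess = self.active[key] = Session(key, ts, ts)
        sess.update(ts, length, payload, tcp_flags)
        if sess.closed:
            self._export(key)
        self.expire(ts)

    def expire(self, now: float) -> None:
        for key in [k for k, s in self.active.items() if now - s.last_ts > self.idle_timeout]:
            self._export(key)

    def _export(self, key: FlowKey) -> None:
        self.exported.append(self.active.pop(key).summary())

    def flush(self) -> List[dict]:
        for key in list(self.active):   # sessions still open at the end of the capture
            self._export(key)
        return self.exported

def constructed_packets():
    """Constructed traffic: two TCP sessions to port 80 (HTTP, BitTorrent handshake), one UDP flow."""
    return [
        (0.000, "tcp", "10.0.0.5", 40001, "203.0.113.10", 80, 60, b"", "S"),
        (0.021, "tcp", "10.0.0.5", 40001, "203.0.113.10", 80, 160, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n", "PA"),
        (0.080, "tcp", "203.0.113.10", 80, "10.0.0.5", 40001, 1200, b"HTTP/1.1 200 OK\r\n\r\n", "PA"),
        (0.100, "tcp", "10.0.0.5", 40001, "203.0.113.10", 80, 60, b"", "FA"),
        (1.000, "tcp", "10.0.0.7", 51000, "198.51.100.9", 80, 60, b"", "S"),
        (1.030, "tcp", "10.0.0.7", 51000, "198.51.100.9", 80, 122, b"\x13BitTorrent protocol" + bytes(48), "PA"),
        (2.500, "tcp", "10.0.0.7", 51000, "198.51.100.9", 80, 60, b"", "R"),
        (3.000, "udp", "10.0.0.9", 5004, "192.0.2.1", 5004, 200, b"\x80\x00\x00\x01", ""),
        (3.020, "udp", "10.0.0.9", 5004, "192.0.2.1", 5004, 200, b"\x80\x00\x00\x02", ""),
    ]

def run_example(idle_timeout: float = 30.0) -> List[dict]:
    tracker = SessionTracker(idle_timeout)
    for pkt in constructed_packets():
        tracker.packet(*pkt)
    return tracker.flush()
```

The two sessions to port 80 come out as http and bittorrent respectively, which is the point of step 203: the port alone would have labelled both as web browsing. Feature-word matching only sees the first payload bytes, so obfuscated or encrypted variants of a protocol (BitTorrent's message-stream encryption, anything wrapped in TLS) fall through to unknown and need behavioural features instead. Because a record is only emitted when a session closes, a long-lived flow contributes nothing to the database until a FIN, RST or idle timeout; a real deployment adds periodic interim exports for such flows.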

Claims (6)

1. An application-layer service traffic analysis method applied to network traffic analysis, QoS analysis and abnormal-traffic analysis, characterized in that: each session in the communication network is tracked end to end; the application-layer service type of the communication session is accurately identified according to the principle of protocol analysis; and for each session the traffic information (traffic rate in bps/pps, session byte count, session packet count, session duration), the QoS information (session response time, delay, jitter, packet loss) and the abnormal-session information (DoS/DDoS attacks, abnormal protocol attacks, etc.) are collected.
2. Based on the session's statistical information, the session traffic statistics are output to a database in a standard session-flow output format.
3. The database performs TOP-N analysis of traffic by user, service and server, service QoS analysis, and abnormal-traffic detection analysis.
4. Based on the database analysis results, a traffic-analysis function is provided that captures the network's traffic volume, traffic direction, user composition, service composition and server composition.
5. Based on the statistical analysis results, QoS statistics such as service response time, delay, jitter and packet loss are provided.
6. Based on the statistical analysis results, network abnormal-traffic detection and protocol-anomaly detection information are provided.
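The database side of claims 3 to 6 (TOP-N of traffic by user, service and server, a per-service QoS summary, and abnormal-traffic detection from the stored statistics), as an added example that is not the patent's own implementation: exported session records are loaded into an in-memory SQLite table and queried. The record layout, the column names, the use of a "replied" flag as a half-open-session indicator and the threshold of 20 are assumptions; the records themselves are constructed.

```python
# Added example (not the patent's code): analysis over exported session statistics in a database.
# Record layout, column names, the "replied" flag and the threshold are assumptions; data is constructed.
import sqlite3
from typing import Dict, List, Optional, Tuple

# (client, server, app, bytes, packets, duration_s, response_ms, loss_pct, replied)
# response_ms is None where the service has no request/response structure to time.
SESSION_RECORDS: List[tuple] = [
    ("10.0.0.5", "203.0.113.10", "http", 1480, 4, 0.10, 59.0, 0.0, 1),
    ("10.0.0.5", "203.0.113.10", "http", 9800, 12, 0.40, 71.0, 0.0, 1),
    ("10.0.0.7", "198.51.100.9", "bittorrent", 1742, 4, 1.50, 970.0, 0.0, 1),
    ("10.0.0.7", "198.51.100.9", "bittorrent", 900000, 700, 60.0, None, 2.5, 1),
    ("10.0.0.9", "192.0.2.1", "rtp", 400, 2, 0.02, None, 0.0, 1),
] + [  # 25 SYN-only sessions from one source that never received a reply (constructed anomaly)
    ("10.0.0.66", "203.0.113.10", "unknown", 60, 1, 0.0, None, 0.0, 0) for _ in range(25)
]

# Grouping dimensions are a fixed allow-list: the column name is interpolated into SQL,
# so it must never be taken directly from a user-supplied string.
DIMENSIONS = {"user": "client", "service": "app", "server": "server"}

def load(records=SESSION_RECORDS) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE sessions (client TEXT, server TEXT, app TEXT,
        bytes INTEGER, packets INTEGER, duration_s REAL, response_ms REAL,
        loss_pct REAL, replied INTEGER)""")
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?,?,?)", records)
    return conn

def top_n(conn, dimension: str, n: int = 3) -> List[Tuple[str, int]]:
    """TOP-N of traffic volume by user, service or server (claim 3)."""
    column = DIMENSIONS[dimension]   # KeyError for anything outside the allow-list
    rows = conn.execute(
        f"SELECT {column}, SUM(bytes) FROM sessions GROUP BY {column} "
        "ORDER BY SUM(bytes) DESC LIMIT ?", (n,))
    return [(name, total) for name, total in rows]

def qos_by_service(conn) -> Dict[str, Tuple[Optional[float], float]]:
    """Per-service mean response time (ms, None if never measured) and mean loss (%) (claim 5).
    AVG() skips NULL, so unmeasured sessions do not drag the response-time mean down."""
    rows = conn.execute("SELECT app, AVG(response_ms), AVG(loss_pct) FROM sessions GROUP BY app")
    return {app: (resp, round(loss, 2)) for app, resp, loss in rows}

def half_open_sources(conn, threshold: int = 20) -> List[Tuple[str, int]]:
    """Sources with many sessions that never got a reply: a SYN-flood / scan indicator
    derived purely from the session statistics (claim 6)."""
    rows = conn.execute(
        "SELECT client, COUNT(*) FROM sessions WHERE replied = 0 "
        "GROUP BY client HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC", (threshold,))
    return list(rows)
```

The grouping column is resolved through a fixed allow-list before it is interpolated into the SQL, because a TOP-N dimension that arrives from a web front-end is otherwise a direct SQL-injection path into the statistics database; the values (N, the threshold) go through bound parameters. The half-open check is deliberately simple: it flags a source, not an attack type, and a real deployment would confirm against packet-level evidence before raising an incident.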
Priority and family

Application number: CN200810171806A (priority date 2008-11-13, filing date 2008-11-13), listed as Pending
Publication: CN101741628A (en), published 2010-06-16
Family ID: 42464562
Country status: CN (1), CN101741628A

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102957813A (en) * 2011-08-25 2013-03-06 广州银禾网络通信有限公司 Telephone traffic data processing method and system of mobile communication network
CN103067192A (en) * 2011-10-20 2013-04-24 北京天行网安信息技术有限责任公司 Analytic system and method of network flow
CN103067192B (en) * 2011-10-20 2016-03-16 北京天行网安信息技术有限责任公司 A kind of analytical system of network traffics and method
CN103166807A (en) * 2011-12-15 2013-06-19 中国电信股份有限公司 Analyzing and processing method and analyzing and processing system of traffic flow direction based on application
CN103269337A (en) * 2013-04-27 2013-08-28 中国科学院信息工程研究所 Data processing method and device
CN103269337B (en) * 2013-04-27 2016-08-10 中国科学院信息工程研究所 Data processing method and device
CN103312540A (en) * 2013-05-24 2013-09-18 中国联合网络通信集团有限公司 User service requirement parameter determining method and device
CN103312540B (en) * 2013-05-24 2016-05-11 中国联合网络通信集团有限公司 Customer service demand parameter is determined method and apparatus
CN103532776B (en) * 2013-09-30 2016-06-22 广东电网公司电力调度控制中心 Service traffics detection method and system
CN103532776A (en) * 2013-09-30 2014-01-22 广东电网公司电力调度控制中心 Service flow detection method and system
CN107070851A (en) * 2015-11-09 2017-08-18 韩国电子通信研究院 The system and method that the generation of connection fingerprint and stepping-stone based on network flow are reviewed
CN107070851B (en) * 2015-11-09 2020-07-14 韩国电子通信研究院 System and method for connecting fingerprint generation and stepping stone tracing based on network flow
CN106998323A (en) * 2017-03-06 2017-08-01 深信服科技股份有限公司 Application layer network attack emulation mode, apparatus and system
CN106998323B (en) * 2017-03-06 2020-08-14 深信服科技股份有限公司 Application layer network attack simulation method, device and system
CN107360174A (en) * 2017-07-26 2017-11-17 成都科来软件有限公司 A kind of network data flow analysis method based on process
CN107360174B (en) * 2017-07-26 2020-10-27 成都科来软件有限公司 Process-based network data flow analysis method
CN115834719A (en) * 2022-11-24 2023-03-21 中盈优创资讯科技有限公司 FMP (failure mode detection protocol) for measuring xFlow index and application

Legal Events

  • C06 / PB01: Publication
  • C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
  • ASS: Succession or assignment of patent right. Owner name: TIANJIN HANBO TECHNOLOGY CO., LTD. Former owner: BIMENG XINFAN BEIJING COMMUNICATION TECHNOLOGY CO., LTD. Effective date: 20100830
  • COR: Change of bibliographic data. Correct: address; from: 100044 NORTH AREA, 16/F, TOWER B, JINYUN BUILDING, NO.A-43, XIZHIMEN NORTH STREET, HAIDIAN DISTRICT, BEIJING; to: 300384 ROOM 104, WEST BUILDING 3, NO.18, HAITAI WEST ROAD, HUAYUAN INDUSTRIAL DISTRICT, TIANJIN CITY
  • TA01: Transfer of patent application right. Effective date of registration: 20100830. Applicant before: BMC Network Innovation (Beijing) Technology Co., Ltd., 100044, Beijing, Xizhimen, Haidian District North Street, No. 43, Jin Yun Building, block B, 16 North Zone. Applicant after: Tianjin Opzoon Technology Co., Ltd., 300384 Tianjin Haitai Huayuan Industrial Zone West Road No. 18 building 104 room 3
  • C12 / RJ01: Rejection of invention patent application after publication. Application publication date: 20100616