CN102984242A - Automatic identification method and device of application protocols - Google Patents

Publication number: CN102984242A
Authority: CN (China)
Prior art keywords: protocol, application protocol, http, model, protocol model
Legal status: Granted, Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2012104770266A
Other languages: Chinese (zh)
Other versions: CN102984242B (en)
Inventor: 叶倩
Current Assignee: Hangzhou DPTech Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd
Priority to: CN201210477026.6A
Publications: CN102984242A (application), CN102984242B (grant)

Abstract

The invention provides an automatic identification method and device for application protocols and belongs to the technical field of network communication. The method includes: obtaining the Hypertext Transfer Protocol (HTTP) interaction information between a client and a server; obtaining an application protocol name from the HTTP interaction information; obtaining the subsequent session flow between the client and the server, extracting attribute features of the subsequent session flow, and generating a protocol model corresponding to the application protocol name from those attribute features; and matching the generated protocol model against the stored protocol models, wherein if the match succeeds the specific application protocol is identified, and if the match fails the application protocol name and its corresponding protocol model are stored. With this method and device, encrypted application protocols can be identified accurately, effectively and rapidly from complex background traffic.

Description

Automatic identification method and device of application protocols
Technical field
The present invention relates to the field of network communication technology, and in particular to an automatic identification method and device for application protocols.
Background
The Internet has developed rapidly in recent years and a large number of applications have appeared, most of which use undisclosed, encrypted proprietary protocols. This poses a major challenge to effective network management. In general, states, enterprises and ISPs all use network traffic classification as the basic guarantee of network management. Network traffic classification and control can effectively relieve network congestion, improve network quality of service, and strengthen network measurement and management capabilities.
Emerging encrypted network application protocols are now numerous, for example P2P protocols, instant messaging (Instant Messenger, IM) protocols and online game protocols. These encrypted network applications have very large user bases, and the traffic they generate accounts for a significant proportion of Internet traffic. For example, within China, QQ is the IM tool in common use, with several hundred million online users; Xunlei (Thunder) is the most widely used P2P file-sharing tool and accounts for the bulk of the traffic on the education network. Most of these protocols are proprietary and encrypt the traffic payload to protect the content of the communication. Because of the encryption, their protocol structure cannot be obtained directly by traffic analysis; in addition, the communication ports of these encrypted protocols are generally not fixed and change dynamically.
Existing methods for identifying application protocols are mainly the following two:
Method 1
Port-based identification: applications are identified by their TCP/UDP port. Detection is efficient and simple.
This method is effective only for traditional standard protocols. It identifies inaccurately any protocol that does not use the ports defined by the standard, and any protocol that uses dynamic port numbers.
Method 2
Deep packet inspection: the TCP/UDP payload is analyzed to find the fields in a protocol's exchanges that distinguish it from other protocols, and these fields serve as the signature of that protocol.
This method works only when the payload data contains signature strings. It identifies traditional public protocols and unencrypted proprietary protocols fairly effectively, but is powerless against encrypted protocols.
Summary of the invention
In view of this, the purpose of the present invention is to provide an automatic identification method and device for application protocols that can identify encrypted application protocols accurately, effectively and rapidly from complex background traffic.
To achieve this purpose, the invention provides the following technical solution:
An automatic identification method for application protocols, applied on a network device, the method comprising:
Obtaining the HTTP interaction information between a client and a server;
Obtaining an application protocol name from the HTTP interaction information;
Obtaining the subsequent session flow between the client and the server, extracting the attribute features of the subsequent session flow, and generating the protocol model corresponding to the application protocol name from the attribute features;
Matching the generated protocol model against the stored protocol models, and if the match succeeds, identifying the specific application protocol;
If the match fails, storing the application protocol name and the corresponding protocol model.
In the above method, obtaining the application protocol name from the HTTP interaction information comprises:
Extracting the key string in the HTTP interaction information and using the key string as the application protocol name.
In the above method, generating the protocol model corresponding to the application protocol name from the attribute features comprises:
Characterizing the protocol model with the attribute features; or
Performing statistical processing on the attribute features and characterizing the protocol model with the result of the statistical processing.
In the above method, obtaining the subsequent session flow between the client and the server comprises:
Obtaining the session flow between the current HTTP session and the next HTTP session as the subsequent session flow.
An automatic identification device for application protocols, applied on a network device, the device comprising:
An HTTP information acquisition module, used to obtain the HTTP interaction information between a client and a server;
A protocol name extraction module, used to obtain an application protocol name from the HTTP interaction information;
A protocol model generation module, used to obtain the subsequent session flow between the client and the server, extract the attribute features of the subsequent session flow, and generate the protocol model corresponding to the application protocol name from the attribute features;
A protocol model detection module, used to match the generated protocol model against the stored protocol models and, if the match succeeds, identify the specific application protocol;
A protocol model update module, used to store the application protocol name and the corresponding protocol model when the protocol model detection module fails to find a match.
Compared with the prior art, the technical solution of the present invention can efficiently solve the protocol identification problem for encrypted flows and can quickly obtain feature models of unknown protocols online. Moreover, the invention describes the data features using multiple network flow attributes that are easy to analyze and obtain, which greatly improves the efficiency of protocol analysis and the precision of protocol identification.
Description of drawings
Fig. 1 is a flow chart of the automatic identification method for application protocols according to an embodiment of the invention;
Fig. 2 is a structure diagram of the automatic identification device for application protocols according to an embodiment of the invention.
Embodiment
The present invention is described below with reference to the accompanying drawings.
The present invention takes benefit to network management as its basis. It obtains from the HTTP interaction information the application protocol name for the current session and the subsequent sessions (that is, the application protocol name is obtained from the current session and is used as the application protocol name of both the current session and the subsequent sessions), and then uses various data attributes that are easy to obtain and analyze to describe the main features of that application protocol. It thereby proposes a new application protocol identification scheme that incorporates automated protocol analysis, aimed mainly at the identification and classification of encrypted application protocols. The scheme can identify encrypted application protocols accurately, effectively and rapidly from complex background traffic.
It should be noted that, in the present invention, identifying an application protocol means identifying the application to which a data flow belongs, not identifying the concrete protocol structure.
Fig. 1 shows the automatic identification method for application protocols according to an embodiment of the invention. The method is applied on a network device located between the client and the server, which may be a traffic-control device, a firewall or the like. With reference to Fig. 1, the method may comprise the following steps:
Step 101: obtain the HTTP interaction information between the client and the server.
When an HTTP session is established between the client and the server, the network device can capture the HTTP interaction information exchanged between them.
Step 102: obtain the application protocol name from the HTTP interaction information.
The HTTP interaction information is plaintext, so the key string in it can be extracted. (The format of the HTTP interaction information is known, so the field at a predetermined position can be extracted as required; the extracted field is the key string.) The key string is then used as the application protocol name. For example, if the HTTP interaction information contains the key string QQ, then QQ can be used as the application protocol name.
In the present invention, the application protocol name is obtained from the current session (the session corresponding to the HTTP interaction information) and is used as the application protocol name of both the current session and the subsequent sessions.
Step 103: obtain the subsequent session flow between the client and the server, extract the attribute features of the subsequent session flow, and generate the protocol model corresponding to the application protocol name from the attribute features.
Here the subsequent session flow can be chosen as required. For example, the session flow between the current HTTP session and the next HTTP session can be taken as the subsequent session flow; alternatively, the session flow within a predetermined duration (for example, 1 minute) after the current session ends can be taken as the subsequent session flow.
Once the subsequent session flow between the client and the server has been obtained, its attribute features can be extracted, for example:
[Figure BDA00002436480300051: example attribute features of the subsequent session flow; image not reproduced]
The above data can be obtained by automatically collecting statistics on the state attribute values of the data flow. After these network flow attribute features have been extracted, a statistical model of the protocol is generated from them. Specifically, the protocol model can be characterized directly by the attribute features; alternatively, statistical processing can be applied to the attribute features, for example deriving a trend graph or waveform of the attribute features, and the protocol model is then characterized by the result of the statistical processing.
Step 104: match the generated protocol model against the stored protocol models.
Step 105: if the match succeeds, identify the specific application protocol.
Step 106: if the match fails, store the application protocol name and the corresponding protocol model.
The network device stores various protocol models; a protocol model is the correspondence between an application protocol name and protocol features (characterized by the attribute features above or by statistics of those attribute features). After a protocol model has been generated by the steps above, it must be matched against the protocol models already stored in the network device. If the match succeeds, the specific application protocol is identified (that is, the data flow is identified as belonging to the application corresponding to that application protocol name); if there is no match, a statistical model of the new protocol is generated and stored.
Further, when a new HTTP session is established, the HTTP interaction information continues to be obtained and is compared with the information of the previous HTTP session. If the key string is the same, the subsequent sessions still belong to the current protocol. If the key string is not the same, the subsequent sessions do not belong to the current protocol; the new application protocol name for the subsequent sessions must be obtained from this HTTP interaction information, and the above steps are executed again.
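Steps 101 to 106 as an added Python sketch, which is not part of the patent or of any vendor implementation. Because the attribute-feature table is not reproduced on this page, the four flow statistics, the choice of the User-Agent product token as the key string, the 20% matching tolerance and all sample data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

TOLERANCE = 0.20  # assumed: largest relative difference per feature for a match


def extract_protocol_name(http_request: bytes):
    """Step 102: read the key string from a known position in the cleartext
    request. Assumption: the first product token of the User-Agent header."""
    head = http_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent" and value.strip():
            return value.strip().split()[0].split("/")[0]
    return None


def build_model(packets):
    """Step 103: statistical model of the subsequent session flow.
    packets: list of (timestamp_s, direction, payload_len), direction up/down."""
    if len(packets) < 2:
        raise ValueError("need at least two packets to model a flow")
    sizes = [p[2] for p in packets]
    times = sorted(p[0] for p in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "mean_len": mean(sizes),
        "std_len": pstdev(sizes),
        "mean_gap": mean(gaps),
        "up_ratio": sum(1 for p in packets if p[1] == "up") / len(packets),
    }


def models_match(a, b, tol=TOLERANCE):
    """Models match when every feature differs by at most tol (relative)."""
    for key in a:
        scale = max(abs(a[key]), abs(b[key]), 1e-9)
        if abs(a[key] - b[key]) / scale > tol:
            return False
    return True


class ProtocolIdentifier:
    def __init__(self):
        self.store = {}  # application protocol name -> protocol model

    def observe(self, http_request, follow_up_packets):
        """Run steps 101-106 for one HTTP exchange and the flow after it.
        Returns ('identified', name), ('learned', name) or ('skipped', None)."""
        name = extract_protocol_name(http_request)
        if name is None:
            return ("skipped", None)
        model = build_model(follow_up_packets)
        for stored_name, stored in self.store.items():  # step 104
            if models_match(model, stored):
                return ("identified", stored_name)       # step 105
        self.store[name] = model                         # step 106
        return ("learned", name)


# Constructed sample input (not captured traffic).
REQ_QQ = (b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n"
          b"User-Agent: QQ/5.1 (constructed)\r\n\r\n")
REQ_P2P = (b"GET /peers HTTP/1.1\r\nHost: example.invalid\r\n"
           b"User-Agent: DemoP2P/2.0\r\n\r\n")
FLOW_IM_A = [(0.00, "up", 120), (0.50, "down", 130),
             (1.00, "up", 110), (1.50, "down", 140)]
FLOW_IM_B = [(10.00, "up", 118), (10.55, "down", 135),
             (11.05, "up", 112), (11.55, "down", 138)]
FLOW_BULK = [(0.00, "down", 1400), (0.01, "down", 1400),
             (0.02, "down", 1380), (0.03, "up", 60)]

if __name__ == "__main__":
    ident = ProtocolIdentifier()
    for req, flow in ((REQ_QQ, FLOW_IM_A), (REQ_QQ, FLOW_IM_B),
                      (REQ_P2P, FLOW_BULK)):
        print(ident.observe(req, flow))
```

The name stored in step 106 comes from a cleartext, client-supplied field, so a deployment would want to review newly learned names before relying on the stored models for policy decisions.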
Corresponding to the above method, an embodiment of the invention also provides an automatic identification device for application protocols. The device is applied on a network device located between the client and the server, which may be a traffic-control device, a firewall or the like.
With reference to Fig. 2, the device may comprise:
An HTTP information acquisition module, used to obtain the HTTP interaction information between the client and the server;
A protocol name extraction module, used to obtain the application protocol name from the HTTP interaction information; specifically, it can extract the key string in the HTTP interaction information and use the key string as the application protocol name;
A protocol model generation module, used to obtain the subsequent session flow between the client and the server, extract the attribute features of the subsequent session flow, and generate the protocol model corresponding to the application protocol name from the attribute features; specifically, it obtains the session flow between the current HTTP session and the next HTTP session as the subsequent session flow, and it can either characterize the protocol model with the attribute features or perform statistical processing on the attribute features and characterize the protocol model with the result of the statistical processing;
A protocol model detection module, used to match the generated protocol model against the stored protocol models and, if the match succeeds, identify the specific application protocol;
A protocol model update module, used to store the application protocol name and the corresponding protocol model when the protocol model detection module fails to find a match.
In summary, the present invention can efficiently solve the protocol identification problem for encrypted flows and can quickly obtain feature models of unknown protocols online. Moreover, the invention describes the data features using multiple network flow attributes that are easy to analyze and obtain, which greatly improves the efficiency of protocol analysis and the precision of protocol identification.
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (8)

1. An automatic identification method for application protocols, applied on a network device, characterized in that the method comprises:
Obtaining the HTTP interaction information between a client and a server;
Obtaining an application protocol name from the HTTP interaction information;
Obtaining the subsequent session flow between the client and the server, extracting the attribute features of the subsequent session flow, and generating the protocol model corresponding to the application protocol name from the attribute features;
Matching the generated protocol model against the stored protocol models, and if the match succeeds, identifying the specific application protocol;
If the match fails, storing the application protocol name and the corresponding protocol model.
2. The automatic identification method of claim 1, characterized in that obtaining the application protocol name from the HTTP interaction information comprises:
Extracting the key string in the HTTP interaction information and using the key string as the application protocol name.
3. The automatic identification method of claim 1, characterized in that generating the protocol model corresponding to the application protocol name from the attribute features comprises:
Characterizing the protocol model with the attribute features; or
Performing statistical processing on the attribute features and characterizing the protocol model with the result of the statistical processing.
4. The automatic identification method of claim 1, characterized in that obtaining the subsequent session flow between the client and the server comprises:
Obtaining the session flow between the current HTTP session and the next HTTP session as the subsequent session flow.
5. An automatic identification device for application protocols, applied on a network device, characterized in that the device comprises:
An HTTP information acquisition module, used to obtain the HTTP interaction information between a client and a server;
A protocol name extraction module, used to obtain an application protocol name from the HTTP interaction information;
A protocol model generation module, used to obtain the subsequent session flow between the client and the server, extract the attribute features of the subsequent session flow, and generate the protocol model corresponding to the application protocol name from the attribute features;
A protocol model detection module, used to match the generated protocol model against the stored protocol models and, if the match succeeds, identify the specific application protocol;
A protocol model update module, used to store the application protocol name and the corresponding protocol model when the protocol model detection module fails to find a match.
6. The automatic identification device of claim 5, characterized in that the protocol name extraction module is further used to:
Extract the key string in the HTTP interaction information and use the key string as the application protocol name.
7. The automatic identification device of claim 5, characterized in that the protocol model generation module is further used to:
Characterize the protocol model with the attribute features; or
Perform statistical processing on the attribute features and characterize the protocol model with the result of the statistical processing.
8. The automatic identification device of claim 5, characterized in that the protocol model generation module is further used to:
Obtain the session flow between the current HTTP session and the next HTTP session as the subsequent session flow.
Priority Applications (1)

Application number: CN201210477026.6A
Priority date: 2012-11-20
Filing date: 2012-11-20
Title: Automatic identification method and device of application protocols
Status: Active, granted as CN102984242B (en)

Publications (2)

CN102984242A (en), published 2013-03-20
CN102984242B (en), published 2015-10-14

Family ID: 47857976

Country status: CN (1), CN102984242B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Patentee after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Patentee before: Hangzhou Dipu Technology Co., Ltd.