CN105764095B - Application identification and control system and method based on virtual private network - Google Patents

Application identification and control system and method based on virtual private network

Info

Publication number
CN105764095B
Authority
CN
China
Prior art keywords
application
module
information
packet
private network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610095452.1A
Other languages
Chinese (zh)
Other versions
CN105764095A (en)
Inventor
王强
宋继勐
田光辉
贾朋
郭超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Century snail Communication Technology Co., Ltd.
Original Assignee
Century Snail Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2016-02-22
Filing date
2016-02-22
Publication date
2020-08-21
Events
2016-02-22 Application filed by Century Snail Communication Technology Co ltd
2016-02-22 Priority to CN201610095452.1A
2016-07-13 Publication of CN105764095A
2020-08-21 Application granted; publication of CN105764095B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/02 Traffic management, e.g. flow control or congestion control
    • H04W 28/10 Flow control between communication endpoints

Abstract

An application identification and control system and method based on a virtual private network. The system comprises a mobile terminal and an identification control server, which communicate with each other through a virtual private network. The mobile terminal identifies the application to which its traffic belongs and transmits the identification information to the identification control server; it obtains control information from the identification control server and uses it to control the traffic usage of each application. The identification control server performs classification statistics on the user subscription information and the traffic usage information and controls the applications on the mobile terminal according to the statistics. The system and method accurately identify the usage of each application on the mobile terminal side, can accelerate and control designated applications, can reduce the traffic rate of other applications, improve the flexibility of traffic allocation for the user, reduce the user's wasted traffic and improve the user experience.

Description

Application identification and control system and method based on virtual private network
Technical Field
The invention relates to the field of mobile applications, in particular to an application identification and control system and method based on a virtual private network.
Background
Bandwidth management based on existing DPI (deep packet inspection) technology resembles familiar antivirus software in one respect: the system can only identify application types it already knows. Taking the well-known BitTorrent client as an example, the protocol feature string of its handshake is "BitTorrent protocol". Just as an antivirus system needs a huge virus signature database in the background, a DPI-based bandwidth management system must maintain an application signature database; as traffic passes through, the application type is determined by comparing the unpacked application information against this database. When a new application appears, the background signature database must be updated before the new application can be identified and controlled. Existing DPI technology therefore has the following problems: the application identification rate cannot reach 100%; encrypted data is difficult to identify; a newly added application cannot be identified immediately, because its characteristics and behavior patterns must first be analyzed and added to the identification database; and identification is consequently delayed.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to provide an application identification and control system and method based on a virtual private network, in which the mobile terminal itself, rather than a network-side inspector, accurately identifies the usage of each application, accurately controls the use of applications, and applies usage restrictions or special treatment to specific applications.
To achieve the above object, the application identification and control system based on a virtual private network according to the invention comprises a mobile terminal and an identification control server, wherein
the mobile terminal and the identification control server communicate through a virtual private network;
the mobile terminal identifies the application to which the terminal's traffic belongs and transmits the identification information to the identification control server, and obtains control information from the identification control server with which it controls application traffic usage;
and the identification control server performs classification statistics on the user subscription information and the traffic usage information and controls the applications on the mobile terminal according to the statistics.
Further, the mobile terminal comprises a virtual private network configuration module, a data packet parsing module, a connection tracking module, an application identification module, a data packet modification and verification module, a fast sending module, a delay sending module and a management information receiving module, wherein
the virtual private network configuration module configures the virtual private network on the mobile terminal according to the configuration information delivered by the identification control server;
the data packet parsing module parses all data packets flowing through the virtual private network;
the connection tracking module identifies and records each connection according to the parsed packet information and identifies and marks the application to which it belongs;
the application identification module obtains the application uid that owns the port and converts the application uid into the standard application ID of the control system;
the data packet modification and verification module modifies the window size of the TCP packets of a specific application according to the configuration information and recalculates the TCP checksum and the IP header checksum;
the fast sending module sends the data packets of applications that do not need to be slowed down to the identification control server through the virtual private network without delay;
the delay sending module delays and smooths the sending of data packets according to packet length;
and the management information receiving module receives the control information sent by the identification control server and updates the application rate configuration information.
Further, the packet parsing module parses the destination IP address, source port, destination port, window size and packet size of each packet flowing through the virtual private network and stores this information.
Further, the application identification module parses the system files /proc/net/tcp, /proc/net/tcp6 and /proc/net/udp6 and looks up in them the source port provided by the parsed packet.
Still further, the identification control server comprises a virtual private network service module, a billing system module, a feedback control module and a user subscription information management module, wherein
the virtual private network service module allocates virtual network resources to the mobile terminal and collects statistics on the identified data packet traffic;
the billing system module counts and calculates the user's traffic from the data packet traffic information and the user subscription information and generates statistics;
the feedback control module controls the terminal in real time according to the statistics;
and the user subscription information management module offers the user application packages for applications that are to be accelerated.
To achieve the above object, the application identification and control method based on a virtual private network provided by the invention comprises the following steps:
1) obtaining and parsing an application data packet and, if it is a TCP handshake packet, passing it through the acceleration channel so that the connection completes quickly;
2) identifying the connection and the application;
3) determining whether the application is an accelerated application;
4) collecting statistics on the application and length of the data packets;
5) counting and calculating the user's traffic;
6) and applying policy control to the mobile terminal's traffic usage in real time according to the user's billing statistics and subscription information.
Further, obtaining and parsing the application data packet in step 1) means parsing the destination IP address, source port, destination port, window size and packet size of the application data packet.
Further, step 2) comprises: when the data packet is not a handshake packet, querying the connection tracking module for whether the connection already exists; if it exists, marking the data packet with that connection's application; if it does not exist, calling the application identification module to identify the application by its port.
Further, step 3) comprises: querying the application rate configuration information by application ID; if the application is an accelerated application, sending the packet fast; if the application is not an accelerated application and the packet is a TCP packet, modifying the packet's window value according to the current rate, recalculating the checksum and adding the packet to the slow sending queue.
Further, in step 5) the billing system module counts and calculates the user's traffic according to the user subscription information and the user's traffic information and stores the result in a database in real time.
The application identification and control system and method based on a virtual private network accurately identify the usage of each application on the mobile terminal side, can accelerate and control designated applications, can reduce the traffic rate of other applications, improve the flexibility of traffic allocation for the user, reduce the user's wasted traffic and improve the user experience.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a diagram of a virtual private network based application identification and control system architecture according to the present invention;
FIG. 2 is a functional block diagram of a mobile terminal according to the present invention;
FIG. 3 is a functional block diagram of an identification control server according to the present invention;
FIG. 4 is a flowchart of the method for identifying and controlling applications based on a virtual private network according to the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Fig. 1 shows the architecture of the virtual private network-based application identification and control system according to the invention. As shown in Fig. 1, it comprises a mobile terminal 101 and an identification control server 102, wherein
the mobile terminal 101 and the identification control server 102 communicate through a virtual private network;
the mobile terminal 101 identifies the application to which its traffic belongs, transmits the identification information to the identification control server 102, and obtains control information from the identification control server 102 with which it controls application traffic usage;
and the identification control server 102 serves the networking of the virtual private network client (the mobile terminal 101), performs classification statistics on the user subscription information and the traffic usage information, and sends control commands to the mobile terminal 101 according to the statistics and the user subscription information.
Fig. 2 is a schematic block diagram of the mobile terminal according to the invention. As shown in Fig. 2, the mobile terminal 101 comprises a virtual private network configuration module 201, a packet parsing module 202, a connection tracking module 203, an application identification module 204, a packet modification and verification module 205, a fast sending module 206, a delay sending module 207 and a management information receiving module 208.
The virtual private network configuration module 201 configures the virtual private network of the mobile terminal 101 according to the configuration information delivered by the identification control server 102.
The packet parsing module 202 parses all packets flowing through the virtual private network, extracting the destination IP address, source port, destination port, window size and packet size, and stores this information.
The connection tracking module 203 identifies and records each connection in transit according to the packet information parsed by the packet parsing module 202, and identifies the application to which the packets of a connection belong: once the connection is established it calls the application identification module 204, marks the connection with the identified application, and thereafter no further identification is needed for packets of that connection. It transmits the application information to the identification control server 102 of the virtual private network through a specified protocol.
The application identification module 204 takes the source port provided by the packet parsing module 202, parses and searches the system files /proc/net/tcp, /proc/net/tcp6 and /proc/net/udp6 to obtain the uid of the application that owns the port, and converts that uid into the standard application ID of the control system.
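The lookup performed by the application identification module 204 and the caching performed by the connection tracking module 203 (also described in the summary above) are illustrated below with an added Python example; this is not the patent's code. The /proc/net excerpts, ports and the uid-to-application-ID table are constructed for the example. Two details matter when implementing this: the local address:port field is printed by the kernel in hex in host byte order (little-endian on Android handsets), and the owning uid is the eighth whitespace-separated field; /proc/net/udp and /proc/net/udp6 share the layout, so one parser serves all of them. This is also why the approach handles encrypted traffic: it never inspects payload, only which process owns the socket. Since the server-side billing in this design rests on identification performed by the client, the correctness of this lookup is a trust boundary, not just an accuracy question. On Android 10 and later ordinary apps can no longer read /proc/net, and a VpnService obtains the same information through ConnectivityManager.getConnectionOwnerUid() instead.

```python
"""Map a packet's source port to its owning Android uid via /proc/net/*,
with a per-connection cache. Added example, not the patent's own code;
the file contents, ports and the app-ID table below are constructed."""
import socket
import struct
from typing import Dict, Optional, Tuple

# Constructed excerpts in the real kernel layout. Field 2 is
# local_address:port in hex, field 8 is the uid that owns the socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A02A8C0:C3A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10072        0 23456 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000100007F:D431 0000000000000000FFFF0000E8D7E12C:01BB 01 00000000:00000000 00:00000000 00000000 10155        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed mapping from Android uid to the control system's standard app ID.
UID_TO_APP_ID: Dict[int, str] = {10072: "app.video", 10155: "app.music"}


def _decode_addr(hex_addr: str) -> str:
    """Decode the kernel's host-byte-order hex address (8 hex chars for IPv4,
    32 for IPv6, each 32-bit word little-endian on Android handsets)."""
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def parse_proc_net(text: str) -> Dict[int, Tuple[str, int]]:
    """Return {local_port: (local_address, uid)} for every socket line."""
    table: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        addr_hex, port_hex = fields[1].split(":")
        table[int(port_hex, 16)] = (_decode_addr(addr_hex), int(fields[7]))
    return table


def lookup_uid(src_port: int, *tables: Dict[int, Tuple[str, int]]) -> Optional[int]:
    """Owning uid of the local socket bound to src_port, or None if no socket."""
    for table in tables:
        if src_port in table:
            return table[src_port][1]
    return None


class ConnectionTracker:
    """Module 203 behaviour: the /proc lookup (module 204) runs once per
    connection; later packets of the same 4-tuple reuse the cached mark."""

    def __init__(self, *tables: Dict[int, Tuple[str, int]]):
        self.tables = tables
        self.cache: Dict[Tuple[str, int, str, int], Optional[str]] = {}
        self.lookups = 0

    def classify(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[str]:
        """Standard app ID for the connection; 'uid:N' for an app not in the
        ID table (still identifiable, unlike under DPI); None if no socket owns the port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.cache:
            self.lookups += 1
            uid = lookup_uid(src_port, *self.tables)
            if uid is None:
                self.cache[key] = None
            else:
                self.cache[key] = UID_TO_APP_ID.get(uid, f"uid:{uid}")
        return self.cache[key]
```

In production the tables are re-read (or the uid is queried) only on a cache miss, which is exactly the saving the connection tracking module is there to provide; the lookup races with socket teardown, so a miss on a short-lived connection must be treated as "unknown" rather than as proof that the port is unowned.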
The data packet modification and verification module 205 modifies the TCP window size of the packets of a specific application according to the configuration information, so as to tell the server that the application is accessing to increase or decrease the amount of data it sends, and after the modification recalculates the TCP checksum and the IP header checksum.
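The rewrite performed by module 205 (and applied in step 403 of the method below) works because TLS and most application-layer encryption leave the TCP header in the clear, so a VPN client can still see and change the advertised receive window; the advertised window only limits what the peer may send, i.e. the download direction for a client. Because the segment is re-injected into the tunnel, both checksums must be recomputed or the peer will silently drop it. The added Python example below (not the patent's code) builds a constructed IPv4/TCP segment with struct, rewrites the window, recomputes both checksums, and verifies them. The helper window_for_rate is an assumption about how "the window value according to the current rate" might be derived: the bandwidth-delay product divided by the window scale negotiated in the SYN (RFC 7323); a rewriter that ignores the negotiated scale is off by a factor of 2**wscale.

```python
"""Rewrite the advertised TCP window of an outgoing segment and recompute
the IP header and TCP checksums. Added example, not the patent's code;
the sample segment is constructed below."""
import math
import socket
import struct
from typing import Tuple


def _ones_complement_sum(data: bytes) -> int:
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    return ~_ones_complement_sum(data) & 0xFFFF


def _split(packet: bytes) -> Tuple[bytearray, bytearray]:
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP segment")
    return bytearray(packet[:ihl]), bytearray(packet[ihl:])


def _pseudo_header(ip_hdr: bytes, tcp_len: int) -> bytes:
    # src addr, dst addr, zero, protocol 6, TCP length
    return bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 6, tcp_len)


def verify(packet: bytes) -> bool:
    """True when both the IP header and the TCP checksum are intact
    (a valid one's-complement sum over data plus its checksum is 0xFFFF)."""
    ip_hdr, tcp = _split(packet)
    ip_ok = _ones_complement_sum(ip_hdr) == 0xFFFF
    tcp_ok = _ones_complement_sum(_pseudo_header(ip_hdr, len(tcp)) + bytes(tcp)) == 0xFFFF
    return ip_ok and tcp_ok


def tcp_window(packet: bytes) -> int:
    _, tcp = _split(packet)
    return struct.unpack("!H", tcp[14:16])[0]


def set_tcp_window(packet: bytes, window: int) -> bytes:
    """Copy of packet with the 16-bit window field replaced and both checksums redone."""
    if not 0 <= window <= 0xFFFF:
        raise ValueError("window must fit the 16-bit field")
    ip_hdr, tcp = _split(packet)
    tcp[14:16] = struct.pack("!H", window)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(_pseudo_header(ip_hdr, len(tcp)) + bytes(tcp)))
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(ip_hdr))
    return bytes(ip_hdr + tcp)


def window_for_rate(rate_bytes_per_s: float, rtt_s: float, wscale: int = 0) -> int:
    """Assumed rate-to-window rule: window field value that caps the peer near
    rate_bytes_per_s, i.e. bandwidth-delay product in bytes divided by the
    negotiated window scale, clamped to the 16-bit field."""
    field = math.ceil(rate_bytes_per_s * rtt_s / (1 << wscale))
    return max(0, min(0xFFFF, field))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, window: int, payload: bytes = b"") -> bytes:
    """Constructed sample PSH|ACK segment with valid checksums."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, window, 0, 0)) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", checksum(ip))
    tcp[16:18] = struct.pack("!H", checksum(_pseudo_header(ip, len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)
```

Only outgoing segments of the throttled application are rewritten; handshake segments take the fast path, which is also where the connection tracker must record the peer's window-scale option so that window_for_rate is given the right wscale.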
The fast sending module 206 sends the data packets of applications that do not need to be slowed down to the identification control server 102 through the virtual private network without delay.
The delay sending module 207 maintains the sending and receiving buffer queues and delays and smooths the sending of data packets according to packet length, so that the application's perceived traffic rate is smooth.
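The smoothing done by the delay sending module 207 (the constant-rate slow sending channel of step 404 below) amounts to pacing: each queued packet is released at a time proportional to its length at the configured rate. The Python below is an added example, not the patent's code. The per-application queues, the bounded queue that drops when full, and the default_rate for applications missing from the rate configuration are design choices of the example, not features stated in the patent; the rate table and packets are constructed.

```python
"""Constant-rate pacing for the slow sending queue: each packet is released
at a time proportional to its length. Added example, not the patent's code;
the rate table and packets below are constructed."""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class Pacer:
    """Leaky-bucket pacer: no burst credit is accumulated while idle, and the
    queue is bounded so a stalled app cannot grow memory without limit."""

    def __init__(self, rate_bytes_per_s: float, max_queue_bytes: int = 64 * 1024):
        if rate_bytes_per_s <= 0:
            raise ValueError("rate must be positive")
        self.rate = rate_bytes_per_s
        self.max_queue_bytes = max_queue_bytes
        self.queued_bytes = 0
        self.next_free = 0.0          # instant at which the virtual link becomes idle
        self.queue: Deque[Tuple[float, bytes]] = deque()
        self.dropped = 0

    def enqueue(self, packet: bytes, now: float) -> Optional[float]:
        """Schedule packet; return its release time, or None if it was dropped
        because the queue is full (TCP then sees the loss and backs off)."""
        if self.queued_bytes + len(packet) > self.max_queue_bytes:
            self.dropped += 1
            return None
        start = max(now, self.next_free)       # idle link: send now, no credit carried over
        self.next_free = start + len(packet) / self.rate
        self.queue.append((start, packet))
        self.queued_bytes += len(packet)
        return start

    def release(self, now: float) -> List[bytes]:
        """Pop every packet whose release time has arrived, in FIFO order."""
        out: List[bytes] = []
        while self.queue and self.queue[0][0] <= now:
            _, packet = self.queue.popleft()
            self.queued_bytes -= len(packet)
            out.append(packet)
        return out


class Shaper:
    """Dispatch of step 403: apps whose configured rate is None are accelerated
    and go to the fast path; every other app gets its own Pacer so one throttled
    app cannot hold up another (a design choice of this example)."""

    def __init__(self, rate_config: Dict[str, Optional[float]], default_rate: Optional[float]):
        self.rate_config = rate_config
        self.default_rate = default_rate      # applied to apps absent from the table
        self.pacers: Dict[str, Pacer] = {}

    def handle(self, app_id: str, packet: bytes, now: float) -> Tuple[str, Optional[float]]:
        """Return ('fast', now), ('slow', release_time) or ('drop', None)."""
        rate = self.rate_config.get(app_id, self.default_rate)
        if rate is None:
            return ("fast", now)
        pacer = self.pacers.setdefault(app_id, Pacer(rate))
        release_at = pacer.enqueue(packet, now)
        return ("drop", None) if release_at is None else ("slow", release_at)
```

A real client drives release() from a timer or its VpnService read loop and feeds the 'slow' packets to the tunnel when they come due; the 'fast' path corresponds to module 206.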
The management information receiving module 208 receives the control information sent by the identification control server 102 and updates the application rate configuration information.
Fig. 3 is a schematic block diagram of the identification control server according to the invention. As shown in Fig. 3, the identification control server 102 comprises a virtual private network service module 301, a billing system module 302, a feedback control module 303 and a user subscription information management module 304, wherein
the virtual private network service module 301 provides the virtual network service, allocates virtual network resources to the client (the mobile terminal 101), collects statistics on the identified data packet traffic and passes them to the billing system module 302;
the billing system module 302 counts and calculates the user's traffic from the data packet traffic information delivered by the virtual private network service module and the user subscription information, and generates statistics;
the feedback control module 303 controls the mobile terminal in real time according to the statistics of the billing system module 302;
and the user subscription information management module 304 offers the user application packages for applications that are to be accelerated and notifies the billing system module 302.
Fig. 4 is a flowchart of the virtual private network-based application identification and control method according to the invention, which is described in detail below with reference to Fig. 4.
First, in step 401, after the mobile terminal starts, the user subscribes to the corresponding traffic package; the data packets of all internet applications are captured and parsed, and a TCP handshake packet is passed through the acceleration channel so that the connection completes quickly.
In step 402, when the data packet is not a handshake packet, the connection tracking module 203 is queried for whether the connection exists and has already been identified; if so, the data packet is marked with that application; if not, the application identification module 204 is called to identify the application by its port.
In step 403, the application rate configuration information is queried by application ID; if the application is an accelerated application, the packet is sent fast; if it is not an accelerated application and the packet is a TCP packet, the packet's window value is modified according to the current rate, the checksum is recalculated and the packet is added to the slow sending queue.
In step 404, the slow sending channel sends out the queued data packets at a constant rate.
In step 405, the identification control server 102 at the far end of the VPN tunnel collects statistics on the application and length information of the received packets and passes them to the billing system module 302.
In step 406, the billing system module 302 counts and calculates the user's traffic according to the user subscription information and the user's traffic information, and stores the result in a database in real time.
In step 407, the feedback control module 303 applies policy control to the user's traffic usage in real time according to the user's billing statistics and subscription information, and issues the policy to the mobile terminal 101.
In step 408, after the management information receiving module 208 of the mobile terminal 101 receives the control information through the VPN tunnel, the application traffic policy is updated and the application traffic rate is controlled in real time.
Application identification and control are thus completed: while the user uses a specific application, some applications can be accelerated and unnecessary applications slowed down, improving the user's traffic experience.
Those of ordinary skill in the art will understand that, although the present invention has been described in detail with reference to the foregoing embodiments, changes may be made to the embodiments, or equivalents substituted for them, without departing from the spirit and scope of the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (8)

1. An application identification and control system based on a virtual private network, comprising a mobile terminal and an identification control server, characterized in that
the mobile terminal and the identification control server communicate through a virtual private network;
the mobile terminal identifies the application to which its traffic belongs and transmits the identification information to the identification control server, and obtains control information from the identification control server with which it controls application traffic usage;
the identification control server performs classification statistics on user subscription information and traffic usage information and controls the applications on the mobile terminal according to the statistics,
wherein the mobile terminal further comprises a virtual private network configuration module, a data packet parsing module, a connection tracking module, an application identification module, a data packet modification and verification module, a fast sending module, a delay sending module and a management information receiving module, wherein
the virtual private network configuration module configures the virtual private network on the mobile terminal according to configuration information delivered by the identification control server;
the data packet parsing module parses all data packets flowing through the virtual private network;
the connection tracking module identifies and records each connection according to the parsed packet information and identifies and marks the application to which it belongs;
the application identification module obtains the application uid that owns the port and converts the application uid into the standard application ID of the control system;
the data packet modification and verification module modifies the window size of the TCP packets of a specific application according to the configuration information and recalculates the TCP checksum and the IP header checksum;
the fast sending module sends the data packets of applications that do not need to be slowed down to the identification control server through the virtual private network without delay;
the delay sending module delays and smooths the sending of data packets according to packet length;
the management information receiving module receives the control information sent by the identification control server and updates the application rate configuration information;
and wherein the identification control server further comprises a virtual private network service module, a billing system module, a feedback control module and a user subscription information management module, wherein
the virtual private network service module allocates virtual network resources to the mobile terminal and collects statistics on the identified data packet traffic;
the billing system module counts and calculates the user's traffic from the data packet traffic information and the user subscription information and generates statistics;
the feedback control module controls the terminal in real time according to the statistics;
and the user subscription information management module offers the user application packages for applications that are to be accelerated.
2. The virtual private network-based application identification and control system of claim 1, wherein the packet parsing module parses the destination IP address, source port, destination port, window size and packet size of each packet flowing through the virtual private network and stores this information.
3. The virtual private network-based application identification and control system of claim 1, wherein the application identification module parses the system files /proc/net/tcp, /proc/net/tcp6 and /proc/net/udp6 and looks up in them the source port provided by the parsed packet.
4. An application identification and control method based on a virtual private network, using the virtual private network-based application identification and control system according to any one of claims 1 to 3, comprising the steps of:
1) obtaining and parsing an application data packet and, if it is a TCP handshake packet, passing it through the acceleration channel so that the connection completes quickly;
2) identifying the connection and the application;
3) determining whether the application is an accelerated application;
4) collecting statistics on the application and length of the data packets;
5) counting and calculating the user's traffic;
6) and applying policy control to the mobile terminal's traffic usage in real time according to the user's billing statistics and subscription information.
5. The virtual private network-based application identification and control method of claim 4, wherein obtaining and parsing the application data packet in step 1) means parsing the destination IP address, source port, destination port, window size and packet size of the application data packet.
6. The virtual private network-based application identification and control method of claim 4, wherein step 2) further comprises: when the data packet is not a handshake packet, querying the connection tracking module for whether the connection already exists; if it exists, marking the data packet with that connection's application; if it does not exist, calling the application identification module to identify the application by its port.
7. The virtual private network-based application identification and control method of claim 4, wherein step 3) further comprises: querying the application rate configuration information by application ID; if the application is an accelerated application, sending the packet fast; if the application is not an accelerated application and the packet is a TCP packet, modifying the packet's window value according to the current rate, recalculating the checksum and adding the packet to the slow sending queue.
8. The virtual private network-based application identification and control method of claim 4, wherein in step 5) the billing system module counts and calculates the user's traffic according to the user subscription information and the user's traffic information and stores the result in a database in real time.

Priority Applications (1)

Application number: CN201610095452.1A (published as CN105764095B)
Priority date: 2016-02-22
Filing date: 2016-02-22
Title: Application identification and control system and method based on virtual private network

Publications (2)

Publication Number Publication Date
CN105764095A (en) 2016-07-13
CN105764095B (en) 2020-08-21 (granted)

Family

ID=56330902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610095452.1A Active CN105764095B (en) 2016-02-22 2016-02-22 Application identification and control system and method based on virtual private network

Country Status (1)

Country Link
CN (1) CN105764095B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107787015B (en) * 2017-10-30 2021-08-10 中国联合网络通信集团有限公司 Network adjusting method and device based on big data
CN108243192B (en) * 2018-01-11 2020-12-15 世纪龙信息网络有限责任公司 Method and system for identifying application access network
CN108429701B (en) * 2018-02-08 2021-08-03 四川速宝网络科技有限公司 Network acceleration system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484259A (en) * 2014-11-25 2015-04-01 北京奇虎科技有限公司 Application program traffic monitoring method and device, and mobile terminal
CN104580192A (en) * 2014-12-31 2015-04-29 网宿科技股份有限公司 Processing method and device for network access requests of application program
CN105207860A (en) * 2015-08-13 2015-12-30 中国联合网络通信集团有限公司 Business acceleration system and method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8229812B2 (en) * 2009-01-28 2012-07-24 Headwater Partners I, Llc Open transaction central billing system
CN102025593B (en) * 2009-09-21 2013-04-24 中国移动通信集团公司 Distributed user access system and method
KR20130124692A (en) * 2012-05-07 2013-11-15 한국전자통신연구원 System and method for managing filtering information of attack traffic
CN104918248A (en) * 2015-04-16 2015-09-16 深圳市高星文网络科技有限公司 Enterprise mobile safety gateway method of application flow management, application acceleration and safety

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20171211
Address after: 100006 Macao center, No. 8, East Street, Wangfujing, Dongcheng District, Beijing, 11 floors
Applicant after: Century snail Communication Technology Co., Ltd.
Address before: 215000 No. 171 West Avenue, Suzhou Industrial Park, Jiangsu, China
Applicant before: Suzhou Snail Digital Technology Co., Ltd.
GR01 Patent grant