CN106330584A - Identification method and identification device of business flow - Google Patents
- Publication number: CN106330584A
- Authority: CN (China)
- Prior art keywords: application, tuple information, file, business stream, corresponding relation
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
- H04L43/062—Generation of reports related to network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an identification method and identification device of a business flow. The identification method of the business flow comprises the following steps: analyzing a business flow data packet at a terminal side to obtain the first IP quintuple information; analyzing a network process file in a terminal operation system to obtain the corresponding relation between the IP quintuple information and an application; determining the application corresponding to the first IP quintuple information according to the corresponding relation between the IP quintuple information and the application so as to identify the application corresponding to the business flow. Through the scheme provided by the invention, the business flow can be fast and accurately identified, the corresponding relation between the business flow and the application is obtained, and the scheme is suitable for various different applications.
Description
Technical field
The present invention relates to the field of business flow identification, and in particular to an identification method and an identification device for a business flow.
Background
At present, business flows are mainly detected and identified by the following methods.
Method 1: port-based identification of network traffic. The port number of the network traffic is detected and matched against the port number registered by an application, which identifies the service; for example, the port number corresponding to web applications is 80, the DNS port number is 53, e-mail uses (25, 110), and so on.
However, this method can only identify applications that use fixed ports. For newer applications with dynamically allocated ports, such as applications using P2P protocols, the identification rate cannot be guaranteed.
Method 2: packet-based identification of network traffic. Using deep packet inspection (DPI), application-layer content is collected on the basis of IP ports and network packets, and the application-layer payload features of the packet, such as the source address, source port, destination address, destination port and protocol type of the IP packet, are analyzed to find signature strings, from which the business flow is judged and identified.
However, this method cannot locate network traffic accurately and quickly. In particular, for business flows generated when applications call one another, it cannot trace back to the application that actually produced the data traffic, and it cannot identify application types such as applications with variable ports, tunnel applications hidden behind legitimate ports, applications whose IP address can change, and interactive applications.
Method 3: identification of network traffic based on business data flows. Statistics are gathered on the macroscopic features of the data flow, including the number of data flows per unit time, the bit rate of the data flow, the data flow size and the lifetime of the data flow (the difference between its start and end times), and the business flow is identified by machine learning and comparison.
However, the accuracy and identification rate of this method are relatively low, and packet loss has a certain impact on the identification result.
Therefore, a business flow identification method that overcomes the above shortcomings is urgently needed.
Summary of the invention
An object of the present invention is to provide an identification method and an identification device for a business flow, in order to solve the technical problem that business flow identification methods in the prior art have low accuracy and a low identification rate, and thereby to improve the accuracy and identification rate of business flow identification.
To achieve the above object, the present invention provides an identification method for a business flow, including:
parsing a business flow data packet on the terminal side to obtain first IP five-tuple information;
analyzing the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications;
determining, according to the correspondence between IP five-tuple information and applications, the application corresponding to the first IP five-tuple information, so as to identify the application corresponding to the business flow.
Preferably, the step of parsing the business flow data packet on the terminal side to obtain the first IP five-tuple information includes:
parsing the business flow data packet on the terminal side based on packet capture and decoding techniques to obtain the first IP five-tuple information.
Preferably, the step of analyzing the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications includes:
extracting, from the /proc/net/tcp file, the IP five-tuple information present when data is being transmitted and the corresponding index node value;
obtaining the process identifier corresponding to the index node value;
determining the correspondence between the process identifier and the application according to the process information in the /proc/{pid}/cmdline file;
determining the correspondence between IP five-tuple information and applications according to the correspondence between the process identifier and the application.
Preferably, the step of obtaining the process identifier corresponding to the index node value includes:
scanning each file descriptor of the network processes at a certain time interval to obtain the process identifier corresponding to the index node value.
Preferably, the step of obtaining the process identifier corresponding to the index node value includes:
monitoring changes to the network process files through the inotify mechanism;
when a change to a network process file is detected, scanning each file descriptor of the network processes to obtain the process identifier corresponding to the index node value.
Preferably, the IP five-tuple information includes the source IP address, source port, destination IP address, destination port and transport layer protocol.
In addition, the present invention also provides an identification device for a business flow, including:
a parsing module, configured to parse a business flow data packet on the terminal side to obtain first IP five-tuple information;
an analysis module, configured to analyze the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications;
a determining module, configured to determine, according to the correspondence between IP five-tuple information and applications, the application corresponding to the first IP five-tuple information, so as to identify the application corresponding to the business flow.
Preferably, the parsing module is specifically configured to parse the business flow data packet on the terminal side based on packet capture and decoding techniques to obtain the first IP five-tuple information.
Preferably, the analysis module includes:
an extraction module, configured to extract, from the /proc/net/tcp file, the IP five-tuple information present when data is being transmitted and the corresponding index node value;
an acquisition module, configured to obtain the process identifier corresponding to the index node value;
a first determining module, configured to determine the correspondence between the process identifier and the application according to the process information in the /proc/{pid}/cmdline file;
a second determining module, configured to determine the correspondence between IP five-tuple information and applications according to the correspondence between the process identifier and the application.
Preferably, the acquisition module includes:
a first scanning module, configured to scan each file descriptor of the network processes at a certain time interval to obtain the process identifier corresponding to the index node value.
Preferably, the acquisition module includes:
a monitoring module, configured to monitor changes to the network process files through the inotify mechanism;
a second scanning module, configured to scan, when a change to a network process file is detected, each file descriptor of the network processes to obtain the process identifier corresponding to the index node value.
Preferably, the IP five-tuple information includes the source IP address, source port, destination IP address, destination port and transport layer protocol.
With the above technical solution, the beneficial effects of the present invention are as follows:
The identification method and identification device of the present invention parse the business flow data packet on the terminal side to obtain the first IP five-tuple information, at the same time analyze the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications, and determine, according to that correspondence, the application corresponding to the first IP five-tuple information. The business flow is thereby identified quickly and accurately, the correspondence between the business flow and the application is obtained, and the scheme is applicable to all kinds of applications.
Brief description of the drawings
Fig. 1 is a flowchart of the business flow identification method of an embodiment of the present invention.
Fig. 2 is a flowchart of analyzing the network process files in the terminal operating system in a specific embodiment of the present invention.
Fig. 3 is a schematic structural diagram of the business flow identification device of an embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, specific embodiments are described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, an embodiment of the present invention provides an identification method for a business flow, including:
Step 101: parsing a business flow data packet on the terminal side to obtain first IP five-tuple information;
Step 102: analyzing the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications;
Step 103: determining, according to the correspondence between IP five-tuple information and applications, the application corresponding to the first IP five-tuple information, so as to identify the application corresponding to the business flow.
The identification method of the embodiment of the present invention parses the business flow data packet on the terminal side to obtain the first IP five-tuple information, at the same time analyzes the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications, and determines, according to that correspondence, the application corresponding to the first IP five-tuple information. The business flow is thereby identified quickly and accurately, the correspondence between the business flow and the application is obtained, and the scheme is applicable to all kinds of applications.
In a specific embodiment of the present invention, to obtain the correspondence between the business flow and the application accurately, the business flow data packets on the terminal side are captured and quickly decoded to obtain the packet content; the packet is, for example, an IP packet.
Normally, a packet passes in turn through the network card, the device driver layer, the data link layer, the network layer and the transport layer, and finally reaches the application. When a packet arrives at the network interface, the libpcap library first uses an already created socket handle to obtain a copy of the packet from the data link layer driver, then passes the packet to the BPF filter through the Tap function. The BPF filter then matches the packet against the defined filter rules one by one; if the match succeeds, the packet is placed in the kernel buffer and passed on to the user buffer, and if the match fails, the packet is discarded directly.
Specifically, to parse the packets on the terminal side, the packets sent and received by the terminal are first obtained in non-promiscuous mode through the PF_PACKET protocol family, which is based on the data link layer driver. The obtained packets are then reassembled and parsed, for example using deep packet inspection (DPI), to obtain the IP five-tuple information of the packets.
That is, in a specific embodiment of the present invention, the step of parsing the business flow data packet on the terminal side to obtain the first IP five-tuple information includes:
parsing the business flow data packet on the terminal side based on packet capture and decoding techniques to obtain the first IP five-tuple information.
Here, the IP five-tuple information includes the source IP address, source port, destination IP address, destination port and transport layer protocol.
The IP five-tuple information is obtained as follows: at the data link layer, the frame header length of the packet is obtained and the start position of the packet is determined, which gives the offset of the header address of the next-layer protocol; at the network layer, the data link layer header is converted to local host byte order by the function ntohs(), and the source IP address and destination IP address are obtained; at the transport layer, the source port, destination port and transport layer protocol are extracted from the IPv4 protocol header of the IP packet.
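The layer-by-layer extraction described above can be sketched in Python as follows. This is an added example, not code from the patent: `FiveTuple`, `parse_five_tuple` and `build_sample_frame` are hypothetical names, the frame bytes are constructed, and the parser goes slightly beyond the text by also handling an 802.1Q VLAN tag, a variable IPv4 header length and non-first fragments.

```python
import socket
import struct
from typing import NamedTuple, Optional

class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
PROTOS = {socket.IPPROTO_TCP: "tcp", socket.IPPROTO_UDP: "udp"}

def parse_five_tuple(frame: bytes) -> Optional[FiveTuple]:
    """Return the five-tuple of an Ethernet/IPv4/TCP-or-UDP frame, else None."""
    # Data link layer: the frame header length gives the offset of the IP header.
    if len(frame) < ETH_HLEN:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)   # "!" = network byte order
    offset = ETH_HLEN
    if ethertype == ETHERTYPE_VLAN:                      # one 802.1Q tag adds 4 bytes
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    # Network layer: version, header length, protocol and both addresses.
    version, ihl = frame[offset] >> 4, (frame[offset] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < offset + ihl + 4:
        return None
    (frag,) = struct.unpack_from("!H", frame, offset + 6)
    if frag & 0x1FFF:                                    # later fragment: no L4 header
        return None
    proto = frame[offset + 9]
    if proto not in PROTOS:
        return None
    src_ip = socket.inet_ntoa(frame[offset + 12:offset + 16])
    dst_ip = socket.inet_ntoa(frame[offset + 16:offset + 20])
    # Transport layer: TCP and UDP both start with source and destination port.
    src_port, dst_port = struct.unpack_from("!HH", frame, offset + ihl)
    return FiveTuple(src_ip, src_port, dst_ip, dst_port, PROTOS[proto])

def build_sample_frame() -> bytes:
    """Constructed sample: a TCP SYN from 192.0.2.10:51514 to 198.51.100.7:443."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    print(parse_five_tuple(build_sample_frame()))
```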
In practical applications, whenever client software on the terminal accesses the network, the terminal operating system holds files that record real-time process resource calls and network interaction, i.e. the network process files. Specifically, the network process files (network record files and process files) of the terminal operating system dynamically record the mappings among key information such as IP five-tuple information, process identifier (PID) and application. By scanning the corresponding network process files at a certain time interval and correlating them, the correspondence between IP five-tuple information and applications can be obtained.
Referring to Fig. 2, in a specific embodiment of the present invention, the step of analyzing the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications includes:
extracting, from the /proc/net/tcp file, the IP five-tuple information present when data is being transmitted and the corresponding index node value;
obtaining the process identifier corresponding to the index node value;
determining the correspondence between the process identifier and the application according to the process information in the /proc/{pid}/cmdline file;
determining the correspondence between IP five-tuple information and applications according to the correspondence between the process identifier and the application.
The main information stored in the /proc/net/tcp file includes: local address, local port, remote address, remote port, connection state, transmit queue, receive queue, user identifier (UID), index node value (inode) and similar information.
For example, refer to the following /proc/net/tcp file fragment:
Here, the first column "sl" is the number of the open socket; "1, 2, 3 ..." indicate how many sockets of this type are open;
the second column "local_address" is the local address, in the format "hexadecimal (network byte order) IP address:port number";
the third column "rem_address" is the remote address;
the fourth column "st" is the connection state (st = status); and so on.
In short, the process identifier (process ID) corresponding to the index node value can be obtained in two ways, as follows.
Mode one
In a specific embodiment of the present invention, the step of obtaining the process identifier corresponding to the index node value includes:
scanning each file descriptor of the network processes at a certain time interval to obtain the process identifier corresponding to the index node value.
Specifically, the files under the /proc/ directory hold information about the processes the operating system is currently running. At a certain time interval, the /proc/{pid}/fd files are traversed and each file descriptor fd is checked, which reveals the inode value of the socket handle held by the process (the index node value; the content has the form socket:[]); see the following /proc/{pid}/fd file fragment;
This is then matched against the extracted index node value to obtain the process identifier corresponding to the index node value.
However, this mode consumes a large amount of system and hardware resources and is inefficient.
Mode two
In a specific embodiment of the present invention, the step of obtaining the process identifier corresponding to the index node value includes:
monitoring changes to the network process files through the inotify mechanism;
when a change to a network process file is detected, scanning each file descriptor of the network processes to obtain the process identifier corresponding to the index node value.
inotify is a file system change notification mechanism. Through inotify, events such as file creation, modification and deletion are made known to the user in real time, without opening a file descriptor fd for the monitored target.
Specifically, modification events on files such as /proc/net/{tcp,udp,unix} are monitored; when a change to a target file is detected, each file descriptor of the network processes is scanned to obtain the process identifier corresponding to the index node value (for the specific procedure, see mode one).
Because mode two performs the traversal scan only when a network process file changes, it consumes fewer system and hardware resources than mode one, which performs the traversal scan at a certain time interval, and it obtains active application processes more efficiently.
After the process identifier corresponding to the index node value is obtained, the correspondence between the process identifier and the application can be determined according to the process information in the /proc/{pid}/cmdline file; see the following /proc/{pid}/cmdline file fragment.
Because the index node value corresponds to the IP five-tuple information, the correspondence between IP five-tuple information and applications can be determined according to the correspondence between the process identifier and the application.
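The correlation chain described above (five-tuple and index node value from /proc/net/tcp, then PID from /proc/{pid}/fd, then application from /proc/{pid}/cmdline) can be sketched in Python as follows. This is an added example, not code from the patent: all function names are hypothetical, the /proc tree and its values are constructed in a temporary directory so the code runs offline, and the address decoding assumes a little-endian host.

```python
import os
import re
import socket
import struct
import tempfile
from pathlib import Path

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def decode_endpoint(field):
    """'0A0200C0:C93A' -> ('192.0.2.10', 51514).
    Assumption: little-endian host, where the kernel's hex dump of the
    32-bit address shows the octets reversed."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return {(src_ip, src_port, dst_ip, dst_port, 'tcp'): inode}."""
    flows = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        inode = int(cols[9])
        if inode == 0:                          # e.g. TIME_WAIT: no owning socket
            continue
        key = decode_endpoint(cols[1]) + decode_endpoint(cols[2]) + ("tcp",)
        flows[key] = inode
    return flows

def scan_socket_inodes(proc_root):
    """Walk <proc_root>/<pid>/fd (mode one) and return {socket inode: pid}."""
    owners = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            fds = list((entry / "fd").iterdir())
        except OSError:                         # process exited or access denied
            continue
        for fd in fds:
            try:
                match = SOCKET_LINK.fullmatch(os.readlink(fd))
            except OSError:                     # fd closed during the scan
                continue
            if match:
                owners.setdefault(int(match.group(1)), int(entry.name))
    return owners

def read_application(proc_root, pid):
    """First NUL-separated argument of <proc_root>/<pid>/cmdline, or None."""
    try:
        raw = (Path(proc_root) / str(pid) / "cmdline").read_bytes()
    except OSError:
        return None
    return raw.split(b"\0", 1)[0].decode(errors="replace") or None

def map_flows_to_applications(proc_root):
    """Return {five_tuple: (pid, application)}; (None, None) if no owner found."""
    flows = parse_proc_net_tcp((Path(proc_root) / "net" / "tcp").read_text())
    owners = scan_socket_inodes(proc_root)
    result = {}
    for flow, inode in flows.items():
        pid = owners.get(inode)
        app = read_application(proc_root, pid) if pid is not None else None
        result[flow] = (pid, app)
    return result

# Constructed sample rows: an owned socket, an unowned socket, a TIME_WAIT row.
CONSTRUCTED_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:C93A 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48213 1
   1: 0A0200C0:C93B 076433C6:0035 01 00000000:00000000 00:00000000 00000000  1000        0 50001 1
   2: 0A0200C0:C93C 076433C6:0050 06 00000000:00000000 03:00000A00 00000000     0        0 0 3
"""

def demo():
    """Build a constructed /proc look-alike and run the correlation on it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "net").mkdir()
        (Path(root) / "net" / "tcp").write_text(CONSTRUCTED_TCP)
        fd_dir = Path(root) / "4242" / "fd"
        fd_dir.mkdir(parents=True)
        os.symlink("/dev/null", fd_dir / "0")
        os.symlink("socket:[48213]", fd_dir / "3")
        (Path(root) / "4242" / "cmdline").write_bytes(
            b"/usr/bin/curl\0https://example.test\0")
        return map_flows_to_applications(root)

if __name__ == "__main__":
    print(demo())
```

Pointed at a real /proc, the scan needs enough privilege to read other users' fd directories, and a short-lived connection can close between the two reads. The example uses the interval scan of mode one because inotify(7) documents that pseudo-filesystems such as /proc are not monitorable with inotify.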
Referring to Fig. 3, an embodiment of the present invention also provides an identification device for a business flow, corresponding to the business flow identification method shown in Fig. 1. The identification device includes:
a parsing module 31, configured to parse a business flow data packet on the terminal side to obtain first IP five-tuple information;
an analysis module 32, configured to analyze the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications;
a determining module 33, configured to determine, according to the correspondence between IP five-tuple information and applications, the application corresponding to the first IP five-tuple information, so as to identify the application corresponding to the business flow.
The identification device of the embodiment of the present invention parses the business flow data packet on the terminal side to obtain the first IP five-tuple information, at the same time analyzes the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications, and determines, according to that correspondence, the application corresponding to the first IP five-tuple information. The business flow is thereby identified quickly and accurately, the correspondence between the business flow and the application is obtained, and the scheme is applicable to all kinds of applications.
Here, the parsing module specifically uses packet capture and decoding techniques to parse the business flow data packet on the terminal side and obtain the first IP five-tuple information.
The IP five-tuple information includes the source IP address, source port, destination IP address, destination port and transport layer protocol.
In a specific embodiment of the present invention, the analysis module includes:
an extraction module, configured to extract, from the /proc/net/tcp file, the IP five-tuple information present when data is being transmitted and the corresponding index node value;
an acquisition module, configured to obtain the process identifier corresponding to the index node value;
a first determining module, configured to determine the correspondence between the process identifier and the application according to the process information in the /proc/{pid}/cmdline file;
a second determining module, configured to determine the correspondence between IP five-tuple information and applications according to the correspondence between the process identifier and the application.
Here, the acquisition module includes:
a first scanning module, configured to scan each file descriptor of the network processes at a certain time interval to obtain the process identifier corresponding to the index node value.
In addition, the acquisition module includes:
a monitoring module, configured to monitor changes to the network process files through the inotify mechanism;
a second scanning module, configured to scan, when a change to a network process file is detected, each file descriptor of the network processes to obtain the process identifier corresponding to the index node value.
The above is only the preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
Claims (12)
1. An identification method for a business flow, characterized by including:
parsing a business flow data packet on the terminal side to obtain first IP five-tuple information;
analyzing the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications;
determining, according to the correspondence between IP five-tuple information and applications, the application corresponding to the first IP five-tuple information, so as to identify the application corresponding to the business flow.
2. The identification method for a business flow according to claim 1, characterized in that the step of parsing the business flow data packet on the terminal side to obtain the first IP five-tuple information includes:
parsing the business flow data packet on the terminal side based on packet capture and decoding techniques to obtain the first IP five-tuple information.
3. The identification method for a business flow according to claim 1, characterized in that the step of analyzing the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications includes:
extracting, from the /proc/net/tcp file, the IP five-tuple information present when data is being transmitted and the corresponding index node value;
obtaining the process identifier corresponding to the index node value;
determining the correspondence between the process identifier and the application according to the process information in the /proc/{pid}/cmdline file;
determining the correspondence between IP five-tuple information and applications according to the correspondence between the process identifier and the application.
4. The identification method for a business flow according to claim 3, characterized in that the step of obtaining the process identifier corresponding to the index node value includes:
scanning each file descriptor of the network processes at a certain time interval to obtain the process identifier corresponding to the index node value.
5. The identification method for a business flow according to claim 3, characterized in that the step of obtaining the process identifier corresponding to the index node value includes:
monitoring changes to the network process files through the inotify mechanism;
when a change to a network process file is detected, scanning each file descriptor of the network processes to obtain the process identifier corresponding to the index node value.
6. The identification method for a business flow according to claim 1, characterized in that the IP five-tuple information includes the source IP address, source port, destination IP address, destination port and transport layer protocol.
7. An identification device for a business flow, characterized by including:
a parsing module, configured to parse a business flow data packet on the terminal side to obtain first IP five-tuple information;
an analysis module, configured to analyze the network process files in the terminal operating system to obtain the correspondence between IP five-tuple information and applications;
a determining module, configured to determine, according to the correspondence between IP five-tuple information and applications, the application corresponding to the first IP five-tuple information, so as to identify the application corresponding to the business flow.
8. The identification device for a business flow according to claim 7, characterized in that the parsing module is specifically configured to parse the business flow data packet on the terminal side based on packet capture and decoding techniques to obtain the first IP five-tuple information.
9. The identification device for a business flow according to claim 7, characterized in that the analysis module includes:
an extraction module, configured to extract, from the /proc/net/tcp file, the IP five-tuple information present when data is being transmitted and the corresponding index node value;
an acquisition module, configured to obtain the process identifier corresponding to the index node value;
a first determining module, configured to determine the correspondence between the process identifier and the application according to the process information in the /proc/{pid}/cmdline file;
a second determining module, configured to determine the correspondence between IP five-tuple information and applications according to the correspondence between the process identifier and the application.
10. The identification device for a business flow according to claim 9, characterized in that the acquisition module includes:
a first scanning module, configured to scan each file descriptor of the network processes at a certain time interval to obtain the process identifier corresponding to the index node value.
11. The identification device for a business flow according to claim 9, characterized in that the acquisition module includes:
a monitoring module, configured to monitor changes to the network process files through the inotify mechanism;
a second scanning module, configured to scan, when a change to a network process file is detected, each file descriptor of the network processes to obtain the process identifier corresponding to the index node value.
12. The identification device for a business flow according to claim 7, characterized in that the IP five-tuple information includes the source IP address, source port, destination IP address, destination port and transport layer protocol.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510347251.1A CN106330584B (en) | 2015-06-19 | 2015-06-19 | A kind of recognition methods of Business Stream and identification device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510347251.1A CN106330584B (en) | 2015-06-19 | 2015-06-19 | A kind of recognition methods of Business Stream and identification device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106330584A true CN106330584A (en) | 2017-01-11 |
CN106330584B CN106330584B (en) | 2019-08-13 |
Family
ID=57728021
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510347251.1A Active CN106330584B (en) | 2015-06-19 | 2015-06-19 | A kind of recognition methods of Business Stream and identification device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106330584B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107623634A (en) * | 2017-10-12 | 2018-01-23 | 网宿科技股份有限公司 | Service traffics method for routing and its system and mobile electronic device |
CN107682215A (en) * | 2017-08-31 | 2018-02-09 | 哈尔滨工程大学 | A kind of DPI business recognition methods based on improvement LRFU state recordings |
CN109005227A (en) * | 2018-07-28 | 2018-12-14 | 安徽捷兴信息安全技术有限公司 | A kind of corresponding method and device of cell phone network packet and mobile phone application |
WO2019062479A1 (en) * | 2017-09-29 | 2019-04-04 | 中兴通讯股份有限公司 | Data packet processing method, device, storage medium, and terminal |
CN109756512A (en) * | 2019-02-14 | 2019-05-14 | 深信服科技股份有限公司 | A kind of flow application recognition methods, device, equipment and storage medium |
CN109905486A (en) * | 2019-03-18 | 2019-06-18 | 杭州迪普科技股份有限公司 | A kind of application program identification methods of exhibiting and device |
CN110096363A (en) * | 2019-04-29 | 2019-08-06 | 亚信科技(成都)有限公司 | A kind of correlating method and device of network event and process |
CN110460488A (en) * | 2019-07-01 | 2019-11-15 | 华为技术有限公司 | Business stream recognition method and device, model generating method and device |
CN111092913A (en) * | 2020-01-09 | 2020-05-01 | 盛科网络(苏州)有限公司 | Message processing method and system based on DPI and TAP |
CN112260889A (en) * | 2020-09-28 | 2021-01-22 | 中孚安全技术有限公司 | Linux-based process flow monitoring method, system and equipment |
CN116094924A (en) * | 2022-07-08 | 2023-05-09 | 荣耀终端有限公司 | Method for updating model and related device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080162639A1 (en) * | 2006-12-28 | 2008-07-03 | Research And Industrial Cooperation Group | System and method for identifying peer-to-peer (P2P) application service |
CN101764748A (en) * | 2009-12-16 | 2010-06-30 | 福建星网锐捷网络有限公司 | Method for identifying application program, device and system thereof |
CN101909077A (en) * | 2010-07-09 | 2010-12-08 | 北京邮电大学 | Method and device for identifying peer-to-peer services and access network |
CN102265563A (en) * | 2008-12-23 | 2011-11-30 | 爱立信电话股份有限公司 | Method and arrangement of identifying traffic flows in communication network |
CN103139315A (en) * | 2013-03-26 | 2013-06-05 | 烽火通信科技股份有限公司 | Application layer protocol analysis method suitable for home gateway |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080162639A1 (en) * | 2006-12-28 | 2008-07-03 | Research And Industrial Cooperation Group | System and method for identifying peer-to-peer (P2P) application service |
CN102265563A (en) * | 2008-12-23 | 2011-11-30 | 爱立信电话股份有限公司 | Method and arrangement of identifying traffic flows in communication network |
CN101764748A (en) * | 2009-12-16 | 2010-06-30 | 福建星网锐捷网络有限公司 | Method for identifying application program, device and system thereof |
CN101909077A (en) * | 2010-07-09 | 2010-12-08 | 北京邮电大学 | Method and device for identifying peer-to-peer services and access network |
CN103139315A (en) * | 2013-03-26 | 2013-06-05 | 烽火通信科技股份有限公司 | Application layer protocol analysis method suitable for home gateway |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107682215A (en) * | 2017-08-31 | 2018-02-09 | 哈尔滨工程大学 | A kind of DPI business recognition methods based on improvement LRFU state recordings |
WO2019062479A1 (en) * | 2017-09-29 | 2019-04-04 | 中兴通讯股份有限公司 | Data packet processing method, device, storage medium, and terminal |
CN109587074A (en) * | 2017-09-29 | 2019-04-05 | 中兴通讯股份有限公司 | Message processing method, device, storage medium and processor |
CN109587074B (en) * | 2017-09-29 | 2022-04-29 | 中兴通讯股份有限公司 | Message processing method, device, storage medium and processor |
CN107623634A (en) * | 2017-10-12 | 2018-01-23 | 网宿科技股份有限公司 | Service traffics method for routing and its system and mobile electronic device |
CN109005227A (en) * | 2018-07-28 | 2018-12-14 | 安徽捷兴信息安全技术有限公司 | A kind of corresponding method and device of cell phone network packet and mobile phone application |
CN109756512B (en) * | 2019-02-14 | 2021-08-13 | 深信服科技股份有限公司 | Traffic application identification method, device, equipment and storage medium |
CN109756512A (en) * | 2019-02-14 | 2019-05-14 | 深信服科技股份有限公司 | A kind of flow application recognition methods, device, equipment and storage medium |
CN109905486B (en) * | 2019-03-18 | 2021-09-21 | 杭州迪普科技股份有限公司 | Application program identification display method and device |
CN109905486A (en) * | 2019-03-18 | 2019-06-18 | 杭州迪普科技股份有限公司 | A kind of application program identification methods of exhibiting and device |
CN110096363A (en) * | 2019-04-29 | 2019-08-06 | 亚信科技(成都)有限公司 | A kind of correlating method and device of network event and process |
CN110460488A (en) * | 2019-07-01 | 2019-11-15 | 华为技术有限公司 | Business stream recognition method and device, model generating method and device |
CN111092913A (en) * | 2020-01-09 | 2020-05-01 | 盛科网络(苏州)有限公司 | Message processing method and system based on DPI and TAP |
CN112260889A (en) * | 2020-09-28 | 2021-01-22 | 中孚安全技术有限公司 | Linux-based process flow monitoring method, system and equipment |
CN116094924A (en) * | 2022-07-08 | 2023-05-09 | 荣耀终端有限公司 | Method for updating model and related device |
CN116094924B (en) * | 2022-07-08 | 2023-11-21 | 荣耀终端有限公司 | Method for updating model and related device |
Also Published As
Publication number | Publication date |
---|---|
CN106330584B (en) | 2019-08-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106330584A (en) | Identification method and identification device of business flow | |
US8510830B2 (en) | Method and apparatus for efficient netflow data analysis | |
CN101645806B (en) | Network flow classifying system and network flow classifying method combining DPI and DFI | |
CN102035698B (en) | HTTP tunnel detection method based on decision tree classification algorithm | |
CN102315974B (en) | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows | |
KR101295708B1 (en) | Apparatus for capturing traffic and apparatus, system and method for analyzing traffic | |
Dusi et al. | Quantifying the accuracy of the ground truth associated with Internet traffic traces | |
CN102307123A (en) | NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic | |
CN107733851A (en) | DNS tunnels Trojan detecting method based on communication behavior analysis | |
CN109600317B (en) | Method and device for automatically identifying traffic and extracting application rules | |
WO2011050545A1 (en) | Automatic analysis method for unknown application layer protocols | |
US20060212942A1 (en) | Semantically-aware network intrusion signature generator | |
US20120182891A1 (en) | Packet analysis system and method using hadoop based parallel computation | |
CN106789242A (en) | A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse | |
CN110868409A (en) | Passive operating system identification method and system based on TCP/IP protocol stack fingerprint | |
CN104468252A (en) | Intelligent network service identification method based on positive transfer learning | |
CN113794605A (en) | Method, system and device for detecting kernel packet loss based on eBPF | |
CN109275045B (en) | DFI-based mobile terminal encrypted video advertisement traffic identification method | |
CN106789728A (en) | A kind of voip traffic real-time identification method based on NetFPGA | |
CN110011860A (en) | Android application and identification method based on network traffic analysis | |
CN112532614A (en) | Safety monitoring method and system for power grid terminal | |
CN104021348B (en) | Real-time detection method and system of dormant P2P (Peer to Peer) programs | |
KR100608541B1 (en) | An apparatus for capturing Internet ProtocolIP packet with sampling and signature searching function, and a method thereof | |
CN110602059B (en) | Method for accurately restoring clear text length fingerprint of TLS protocol encrypted transmission data | |
CN103532779A (en) | Method and system for rapidly positioning packet loss of distribution equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||