CN107948022A - Method and device for identifying peer-to-peer network traffic - Google Patents
- Publication number: CN107948022A
- Application number: CN201810024787.3A
- Authority: CN (China)
- Legal status: Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0888—Throughput
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
Abstract
The invention discloses a method and a device for identifying peer-to-peer network traffic. The method includes: obtaining the number of messages in the session stream to which a target message belongs; if the number of messages is greater than a preset first threshold, obtaining a first ratio of the number of messages in the first direction of the session stream to the number of messages in the second direction of the session stream, and a second ratio of the data volume in the first direction of the session stream to the data volume in the second direction of the session stream; if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtaining the source IP address set of known peer-to-peer network resource request behaviors; and if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session stream to which the target message belongs to be peer-to-peer network traffic. The method can accurately identify whether the traffic of the session stream to which an encrypted message belongs is P2P traffic.
Description
Technical field
The present invention relates to the technical field of peer-to-peer network traffic identification, and in particular to a method and a device for identifying peer-to-peer network traffic.
Background art
At present, peer-to-peer (P2P) networks have many advantages, such as low resource occupation, a high resource sharing rate and high resource utilization, so peer-to-peer network traffic accounts for a growing share of network traffic. However, as peer-to-peer network traffic occupies more network bandwidth, it also places a heavy burden on that bandwidth. For this reason, identifying peer-to-peer network traffic, and then managing it, is increasingly important.
In the prior art, deep packet inspection (DPI) is generally used to identify peer-to-peer network traffic, but this method cannot identify encrypted messages. For encrypted messages, an identification method based on flow statistical characteristics is generally used: the session stream to which the encrypted message belongs is analyzed statistically to decide whether the traffic of that session stream is peer-to-peer network traffic. This method is prone to misidentification, and its accuracy is low.
Existing methods for identifying peer-to-peer network traffic therefore cannot accurately identify the traffic of encrypted messages, and their applicability is poor.
Summary of the invention
The present invention provides a method and a device for identifying peer-to-peer network traffic, to solve the problem that existing identification methods cannot accurately identify the traffic of encrypted messages and have poor applicability.
In a first aspect, the present invention provides a method for identifying peer-to-peer network traffic. The method includes: obtaining the number of messages in the session stream to which a target message belongs; if the number of messages is greater than a preset first threshold, obtaining a first ratio of the number of messages in the first direction of the session stream to which the target message belongs to the number of messages in the second direction of that session stream, and a second ratio of the data volume in the first direction of that session stream to the data volume in its second direction; if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtaining the source IP address set of known peer-to-peer network resource request behaviors; and if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session stream to which the target message belongs to be peer-to-peer network traffic.
Further, the method also includes: matching the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and determining from the matching result the known application behavior corresponding to the message to be detected; and, if there is no known application behavior corresponding to the message to be detected, determining the message to be detected to be the target message.
Further, the method also includes: if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determining the traffic of the session stream to which the message to be detected belongs to be non-peer-to-peer network traffic, and adding to that session stream the application identifier of the known application behavior corresponding to the message to be detected.
Further, the method also includes: if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, storing the source IP address of the message to be detected together with the current time in the source IP address set of known peer-to-peer network resource request behaviors.
Further, the method also includes: if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message but the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determining the traffic of the session stream to which the target message belongs to be non-peer-to-peer network traffic.
In a second aspect, the present invention also provides a device for identifying peer-to-peer network traffic. The device includes: a message count acquisition module, configured to obtain the number of messages in the session stream to which a target message belongs; a ratio acquisition module, configured to, if the number of messages is greater than a preset first threshold, obtain a first ratio of the number of messages in the first direction of the session stream to which the target message belongs to the number of messages in the second direction of that session stream, and a second ratio of the data volume in the first direction of that session stream to the data volume in its second direction; a source IP address set acquisition module, configured to, if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtain the source IP address set of known peer-to-peer network resource request behaviors; and a first traffic determination module, configured to, if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determine the traffic of the session stream to which the target message belongs to be peer-to-peer network traffic.
Further, the device also includes: a known application behavior determination module, configured to match the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and to determine from the matching result the known application behavior corresponding to the message to be detected; and a target message determination module, configured to, if there is no known application behavior corresponding to the message to be detected, determine the message to be detected to be the target message.
Further, the device also includes: a second traffic determination module, configured to, if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determine the traffic of the session stream to which the message to be detected belongs to be non-peer-to-peer network traffic, and add to that session stream the application identifier of the known application behavior corresponding to the message to be detected.
Further, the device also includes: a storage module, configured to, if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, store the source IP address of the message to be detected together with the current time in the source IP address set of known peer-to-peer network resource request behaviors.
Further, the device also includes: a third traffic determination module, configured to, if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message but the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determine the traffic of the session stream to which the target message belongs to be non-peer-to-peer network traffic.
The technical solutions provided by the embodiments of the present invention can have the following beneficial effects. The present invention provides a method and a device for identifying peer-to-peer network traffic. In the method, the identification device checks whether the following meet the corresponding set conditions: the number of messages transmitted on the session stream to which a received message belongs, the ratio of the numbers of messages transmitted in the two directions of that session stream, the ratio of the data volumes transmitted in the two directions of that session stream, and the relationship between the source IP address of the message and the source IP address set of known peer-to-peer network resource request behaviors. From this it determines whether the traffic of the session stream to which the message belongs is peer-to-peer network traffic. For encrypted messages, the whole identification process is not affected by message encryption, so whether the traffic of the session stream to which the message belongs is peer-to-peer network traffic can be identified accurately, and applicability is better. In addition, the method can first filter out, from the messages received by the identification device, the messages that correspond to known application behaviors, which reduces subsequent misidentification of peer-to-peer network traffic and improves the accuracy of identification.
Brief description of the drawings
To explain the technical solutions of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a structural block diagram of a system for identifying peer-to-peer network traffic provided by an embodiment of the present invention;
Fig. 2 is a flow chart of a method for identifying peer-to-peer network traffic provided by an embodiment of the present invention;
Fig. 3 is a structural block diagram of a device for identifying peer-to-peer network traffic provided by an embodiment of the present invention.
Detailed description of the embodiments
As the background section explains, existing methods for identifying peer-to-peer network traffic either cannot identify encrypted messages or identify them with low accuracy. To overcome this shortcoming, the present invention provides a method and a device for identifying peer-to-peer network traffic.
The method and the device for identifying peer-to-peer network traffic provided by the present invention are described in detail below with reference to the drawings.
When peer-to-peer network traffic needs to be identified within network traffic, a device for identifying peer-to-peer network traffic is usually connected into the communication network between the user terminal and the server, so that the network traffic of that communication network can be identified. For this reason, before the method and the device provided by the present invention are introduced, a system for identifying peer-to-peer network traffic is introduced first; each step of the method provided by the embodiments of the present invention can be implemented with this system.
Referring to Fig. 1, Fig. 1 shows a structural block diagram of a system for identifying peer-to-peer network traffic provided by an embodiment of the present invention. As Fig. 1 shows, the system includes a user terminal 1, a server 2 and a device 3 for identifying peer-to-peer network traffic. The identification device 3 is connected in series in the communication network between the user terminal 1 and the server 2: messages sent by the user terminal 1 to the server 2 pass through the identification device 3, and messages sent by the server 2 to the user terminal 1 also pass through the identification device 3. The identification device 3 can therefore identify the network traffic of the communication network between the user terminal 1 and the server 2.
Referring to Fig. 2, Fig. 2 shows a flow chart of a method for identifying peer-to-peer network traffic provided by an embodiment of the present invention. The method is applied on the side of the identification device (for example, the identification device 3 shown in Fig. 1) and includes the following steps:
Step 101: obtain the number of messages in the session stream to which the target message belongs.
In some optional embodiments, any message received by the identification device can serve as the target message. The session stream to which the target message belongs is one complete session interaction between a user terminal (for example, the user terminal 1 shown in Fig. 1) and a server (for example, the server 2 shown in Fig. 1). It consists of a series of exchanged messages, of which the target message is one, and the number of messages in the session stream is the total number of messages in that series.
In some other optional embodiments, before the number of messages in the session stream to which the target message belongs is obtained, that is, before step 101 is executed, the method also includes: obtaining the application behavior feature carried by a message to be detected, matching it against the application behavior features contained in the known application behavior feature set, and determining from the matching result the known application behavior corresponding to the message to be detected. If no feature signature file in the known application behavior feature set contains an application behavior feature that matches the one carried by the message to be detected, that is, the match fails, there is no known application behavior corresponding to the message to be detected, and the message to be detected is determined to be the target message. Determining the target message in this way filters out, from the messages received by the identification device, those that correspond to known application behaviors, which reduces subsequent misidentification of peer-to-peer network traffic and improves the accuracy of identification.
Here, a message to be detected is a message received by the identification device; any message the identification device receives can serve as a message to be detected. A known application behavior is an operation on some well-known application, for example accessing a well-known shopping website, downloading data with well-known download software, or logging in to well-known chat software. The known application behavior feature set is the set of feature signature files of known application behaviors; each feature signature file in the set contains an application behavior feature and the name of the known application behavior corresponding to that feature. An application behavior feature is the identifier of an application behavior, the mark that distinguishes it from other application behaviors. For example, for the application behavior of accessing a well-known shopping website, the application behavior feature can be the domain name of that shopping website.
Further, the known application behavior feature set can be stored in advance in the identification device and read directly from it when needed. It can of course also be stored in other storage devices, which are not enumerated here.
Step 102: if the number of messages is greater than the preset first threshold, obtain a first ratio of the number of messages in the first direction of the session stream to which the target message belongs to the number of messages in the second direction of that session stream, and a second ratio of the data volume in the first direction of that session stream to the data volume in its second direction.
Here, the first direction of the session stream to which the target message belongs can be the direction from the user terminal to the server, or the direction from the server to the user terminal. The preset first threshold can be set according to actual needs.
When the first direction of the session stream is the direction from the user terminal to the server, the second direction is the direction from the server to the user terminal. The number of messages in the first direction is then the total number of messages the user terminal sends to the server in the session stream, and the number of messages in the second direction is the total number of messages the server sends to the user terminal in the session stream. The data volume in the first direction is the volume of data the user terminal sends to the server in the session stream, and the data volume in the second direction is the volume of data the server sends to the user terminal in the session stream.
When the first direction of the session stream is the direction from the server to the user terminal, the second direction is the direction from the user terminal to the server. The number of messages in the first direction is then the total number of messages the server sends to the user terminal in the session stream, and the number of messages in the second direction is the total number of messages the user terminal sends to the server in the session stream. The data volume in the first direction is the volume of data the server sends to the user terminal in the session stream, and the data volume in the second direction is the volume of data the user terminal sends to the server in the session stream.
Step 103: if the first ratio is greater than the preset second threshold and the second ratio is greater than the preset third threshold, obtain the source IP address set of known peer-to-peer network resource request behaviors.
Here, a known peer-to-peer network resource request behavior is the downloading of data with certain well-known download software. The source IP address set of known peer-to-peer network resource request behaviors is a set of source IP address storage files; each storage file in the set contains one source IP address and the time stored together with it. The source IP address is that of a user terminal that downloaded data with well-known download software, and the time stored together with it is the time at which the source IP address was stored into the storage file. The preset second threshold and the preset third threshold can be set according to actual needs.
Step 104: if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to the preset time threshold, determine the traffic of the session stream to which the target message belongs to be peer-to-peer network traffic.
In a specific implementation, the source IP address of the target message is parsed first. The source IP address set of known peer-to-peer network resource request behaviors is then queried for a source IP address storage file that contains this source IP address. If such a storage file exists, the set contains the source IP address, and it is then determined whether the difference between the time contained in the storage file and the current time is less than or equal to the preset time threshold. If it is, the traffic of the session stream to which the target message belongs is determined to be peer-to-peer network traffic. The preset time threshold can be set according to actual needs.
Further, after the traffic of the session stream to which the target message belongs is determined to be peer-to-peer network traffic, the method also includes: adding a P2P traffic identifier to the session stream to which the target message belongs.
In some other optional embodiments, the method also includes the following. If the source IP address set of known peer-to-peer network resource request behaviors has no storage file containing the source IP address of the target message, the set does not contain that source IP address. If the set has a storage file containing the source IP address of the target message, but the difference between the time contained in that storage file and the current time is greater than the preset time threshold, the set contains the source IP address but the time stored together with it is too old. In either case, the traffic of the session stream to which the target message belongs is determined to be non-peer-to-peer network traffic, and a non-P2P traffic identifier is added to that session stream.
In some other optional embodiments, the method also includes the following. If the known application behavior feature set has a feature signature file whose application behavior feature matches the one carried by the message to be detected, and the name of the known application behavior contained in that feature signature file is the name of a non-peer-to-peer network resource request behavior, the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior. The traffic of the session stream to which the message to be detected belongs is then determined to be non-peer-to-peer network traffic, and the application identifier of the known application behavior corresponding to the message to be detected is added to that session stream. The application identifier can be the application name corresponding to the known application behavior; for example, for the application behavior of accessing a well-known shopping website, the application name is the name of that shopping website.
In some other optional embodiments, the method also includes the following. If the known application behavior feature set has a feature signature file whose application behavior feature matches the one carried by the message to be detected, and the name of the known application behavior contained in that feature signature file is the name of a known peer-to-peer network resource request behavior, the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior. The source IP address of the message to be detected is then parsed and stored together with the current time in the source IP address set of known peer-to-peer network resource request behaviors, the traffic of the session stream to which the message to be detected belongs is determined to be peer-to-peer network traffic, and a P2P traffic identifier is added to that session stream.
In the method for identifying peer-to-peer network traffic provided by the embodiments of the present invention, the identification device checks whether the following meet the corresponding set conditions: the number of messages transmitted on the session stream to which a received message belongs, the ratio of the numbers of messages transmitted in the two directions of that session stream, the ratio of the data volumes transmitted in the two directions of that session stream, and the relationship between the source IP address of the message and the source IP address set of known peer-to-peer network resource request behaviors. From this it determines whether the traffic of the session stream to which the message belongs is peer-to-peer network traffic. For encrypted messages, the whole identification process is not affected by message encryption, so whether the traffic of the session stream to which the message belongs is peer-to-peer network traffic can be identified accurately, and applicability is better. In addition, the method can first filter out, from the messages received by the identification device, the messages that correspond to known application behaviors, which reduces subsequent misidentification of peer-to-peer network traffic and improves the accuracy of identification.
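The following Python example, added here and not part of the patent, implements steps 101 to 104 together with the known-application pre-filter and the maintenance of the source IP address set. The threshold values, the signature strings, the choice of server-to-terminal as the first direction, and returning None for streams that fail the count or ratio checks (a case the text leaves open) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed values: the patent only says each threshold is "preset".
FIRST_THRESHOLD = 20      # messages in the session stream
SECOND_THRESHOLD = 3.0    # message-count ratio, first : second direction
THIRD_THRESHOLD = 10.0    # data-volume ratio, first : second direction
TIME_THRESHOLD = 300.0    # seconds a stored source IP remains usable


@dataclass
class SessionStream:
    src_ip: str               # source IP address of the user terminal
    msgs_first: int = 0       # first direction: assumed server -> terminal
    msgs_second: int = 0      # second direction: assumed terminal -> server
    bytes_first: int = 0
    bytes_second: int = 0
    label: Optional[str] = None


class P2PIdentifier:
    def __init__(self, signatures: Dict[str, Tuple[str, bool]]):
        # Known application behavior feature set:
        # feature -> (application name, is a P2P resource request behavior)
        self.signatures = signatures
        # Source IP address set: source IP -> time at which it was stored
        self.known_p2p_sources: Dict[str, float] = {}

    def on_message(self, stream: SessionStream, feature: Optional[str],
                   now: float) -> Optional[str]:
        """Pre-filter on known application behavior, then classify."""
        hit = self.signatures.get(feature) if feature is not None else None
        if hit is None:
            # No known behavior matches: this is a target message.
            stream.label = self.classify_target(stream, now)
            return stream.label
        app_name, is_p2p = hit
        if is_p2p:
            # Remember the terminal so later encrypted streams can be tied to it.
            self.known_p2p_sources[stream.src_ip] = now
            stream.label = "P2P"
        else:
            stream.label = "non-P2P:" + app_name  # application identifier
        return stream.label

    def classify_target(self, stream: SessionStream,
                        now: float) -> Optional[str]:
        """Steps 101-104; None means the text does not decide the case."""
        # Steps 101/102: the stream must carry more than the first threshold.
        if stream.msgs_first + stream.msgs_second <= FIRST_THRESHOLD:
            return None
        # Step 102/103: both ratios must exceed their thresholds. The
        # comparison is cross-multiplied so a silent second direction
        # (zero messages or bytes) does not cause a division by zero.
        count_ok = stream.msgs_first > SECOND_THRESHOLD * stream.msgs_second
        bytes_ok = stream.bytes_first > THIRD_THRESHOLD * stream.bytes_second
        if not (count_ok and bytes_ok):
            return None
        # Step 104: source IP must be in the set and stored recently enough.
        stored = self.known_p2p_sources.get(stream.src_ip)
        if stored is not None and now - stored <= TIME_THRESHOLD:
            return "P2P"
        return "non-P2P"


def demo():
    # Constructed signatures and flow statistics, for illustration only.
    ident = P2PIdentifier({
        "shop.example": ("example-shop", False),
        "dl-client-hello": ("example-downloader", True),
    })
    bulk = dict(msgs_first=200, msgs_second=40,
                bytes_first=250_000, bytes_second=9_000)
    return [
        # Cleartext message of known download software: IP is stored.
        ident.on_message(SessionStream("10.0.0.5"), "dl-client-hello", 1000.0),
        # Encrypted bulk stream from the same terminal 100 s later.
        ident.on_message(SessionStream("10.0.0.5", **bulk), None, 1100.0),
        # Same statistics from a terminal never seen using P2P software.
        ident.on_message(SessionStream("10.0.0.9", **bulk), None, 1100.0),
        # Same terminal, but the stored time is now 1000 s old.
        ident.on_message(SessionStream("10.0.0.5", **bulk), None, 2000.0),
        # Too few messages to evaluate.
        ident.on_message(SessionStream("10.0.0.5", 5, 1, 9000, 100), None, 1100.0),
    ]


if __name__ == "__main__":
    print(demo())
```

The third and fourth results show why the source IP check matters: flow statistics alone would label every download-shaped stream as P2P, while the stored address and its age restrict the label to terminals recently seen using known P2P software.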
Corresponding to the method for identifying peer-to-peer network traffic provided by the present invention, the present invention also provides a device for identifying peer-to-peer network traffic.
Referring to Fig. 3, Fig. 3 shows a structural block diagram of a device for identifying peer-to-peer network traffic provided by an embodiment of the present invention. As Fig. 3 shows, the device includes: a message count acquisition module 301, configured to obtain the number of messages in the session stream to which a target message belongs; a ratio acquisition module 302, configured to, if the number of messages is greater than a preset first threshold, obtain a first ratio of the number of messages in the first direction of the session stream to which the target message belongs to the number of messages in the second direction of that session stream, and a second ratio of the data volume in the first direction of that session stream to the data volume in its second direction; a source IP address set acquisition module 303, configured to, if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtain the source IP address set of known peer-to-peer network resource request behaviors; and a first traffic determination module 304, configured to, if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determine the traffic of the session stream to which the target message belongs to be peer-to-peer network traffic.
Further, the identification device also includes: a known application behavior determining module 305, configured to match the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and to determine, according to the matching result, the known application behavior corresponding to the message to be detected; and a target message determining module 306, configured to, if there is no known application behavior corresponding to the message to be detected, determine the message to be detected to be a target message.
Further, the identification device also includes: a second traffic determining module 307, configured to, if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determine the traffic of the session flow to which the message to be detected belongs to be non-peer-to-peer network traffic, and add, to that session flow, the application identifier of the known application behavior corresponding to the message to be detected.
Further, the identification device also includes: a storage module 308, configured to, if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, store the source IP address of the message to be detected and the current time, in correspondence with each other, in the source IP address set of known peer-to-peer network resource request behaviors.
Further, the identification device also includes: a third traffic determining module 309, configured to, if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determine the traffic of the session flow to which the target message belongs to be non-peer-to-peer network traffic.
The identification device for peer-to-peer network traffic provided by the embodiment of the present invention can carry out each step of the above identification method for peer-to-peer network traffic and obtains the same beneficial effects. When the identification device is used to identify the traffic of encrypted messages, the whole identification process is not affected by message encryption, so the device can accurately identify whether the traffic of the session flow to which a message belongs is peer-to-peer network traffic, and its applicability is better. In addition, the identification device can first filter out, from the received messages, the messages that correspond to known application behaviors, which reduces subsequent misidentification of peer-to-peer network traffic and improves the accuracy of peer-to-peer network traffic identification.
In a specific implementation, the present invention also provides a computer-readable storage medium, which can store a program; when executed, the program may include some or all of the steps in each embodiment of the identification method for peer-to-peer network traffic provided by the present invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Those skilled in the art can clearly understand that the technology in the embodiments of the present invention can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as a ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in each embodiment of the present invention or in certain parts of the embodiments.
For the same or similar parts between the embodiments in this specification, reference may be made to one another. In particular, since the embodiment of the identification device for peer-to-peer network traffic is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description in the method embodiment.
The embodiments of the present invention described above are not intended to limit the scope of the present invention.
Claims (10)
- 1. An identification method for peer-to-peer network traffic, characterized by comprising: obtaining the message amount of the session flow to which a target message belongs; if the message amount is greater than a preset first threshold, obtaining a first ratio of the message amount in the first direction of the session flow to which the target message belongs to the message amount in the second direction of that session flow, and a second ratio of the data volume in the first direction of that session flow to the data volume in the second direction of that session flow; if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtaining the source IP address set of known peer-to-peer network resource request behaviors; and if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic.
- 2. The identification method as claimed in claim 1, characterized in that the identification method further comprises: matching the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and determining, according to the matching result, the known application behavior corresponding to the message to be detected; and if there is no known application behavior corresponding to the message to be detected, determining the message to be detected to be a target message.
- 3. The identification method as claimed in claim 2, characterized in that the identification method further comprises: if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determining the traffic of the session flow to which the message to be detected belongs to be non-peer-to-peer network traffic, and adding, to that session flow, the application identifier of the known application behavior corresponding to the message to be detected.
- 4. The identification method as claimed in claim 2, characterized in that the identification method further comprises: if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, storing the source IP address of the message to be detected and the current time, in correspondence with each other, in the source IP address set of known peer-to-peer network resource request behaviors.
- 5. The identification method as claimed in claim 1, characterized in that the identification method further comprises: if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determining the traffic of the session flow to which the target message belongs to be non-peer-to-peer network traffic.
- 6. An identification device for peer-to-peer network traffic, characterized by comprising: a message amount acquisition module, configured to obtain the message amount of the session flow to which a target message belongs; a ratio acquisition module, configured to, if the message amount is greater than a preset first threshold, obtain a first ratio of the message amount in the first direction of the session flow to which the target message belongs to the message amount in the second direction of that session flow, and a second ratio of the data volume in the first direction of that session flow to the data volume in the second direction of that session flow; a source IP address set acquisition module, configured to, if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtain the source IP address set of known peer-to-peer network resource request behaviors; and a first traffic determining module, configured to, if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determine the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic.
- 7. The identification device as claimed in claim 6, characterized in that the identification device further comprises: a known application behavior determining module, configured to match the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and to determine, according to the matching result, the known application behavior corresponding to the message to be detected; and a target message determining module, configured to, if there is no known application behavior corresponding to the message to be detected, determine the message to be detected to be a target message.
- 8. The identification device as claimed in claim 7, characterized in that the identification device further comprises: a second traffic determining module, configured to, if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determine the traffic of the session flow to which the message to be detected belongs to be non-peer-to-peer network traffic, and add, to that session flow, the application identifier of the known application behavior corresponding to the message to be detected.
- 9. The identification device as claimed in claim 7, characterized in that the identification device further comprises: a storage module, configured to, if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, store the source IP address of the message to be detected and the current time, in correspondence with each other, in the source IP address set of known peer-to-peer network resource request behaviors.
- 10. The identification device as claimed in claim 6, characterized in that the identification device further comprises: a third traffic determining module, configured to, if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determine the traffic of the session flow to which the target message belongs to be non-peer-to-peer network traffic.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810024787.3A CN107948022B (en) | 2018-01-11 | 2018-01-11 | Identification method and identification device for peer-to-peer network traffic |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107948022A true CN107948022A (en) | 2018-04-20 |
CN107948022B CN107948022B (en) | 2021-04-30 |
Family
ID=61938485
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810024787.3A Active CN107948022B (en) | 2018-01-11 | 2018-01-11 | Identification method and identification device for peer-to-peer network traffic |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107948022B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN107948022B (en) | 2021-04-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||