CN107948022A - Method and device for identifying peer-to-peer network traffic

Publication number: CN107948022A
Authority: CN (China)
Legal status: Granted; Active
Application number: CN201810024787.3A
Other languages: Chinese (zh)
Other versions: CN107948022B (en)
Inventor: 肖庆伟
Current assignee: Beijing An Polytron Technologies Inc
Original assignee: Beijing An Polytron Technologies Inc

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888: Throughput
    • H04L43/16: Threshold monitoring


Abstract

The invention discloses a method and a device for identifying peer-to-peer network traffic. The method includes: obtaining the number of messages in the session flow to which a target message belongs; if the number of messages is greater than a preset first threshold, obtaining a first ratio of the number of messages in the first direction of that session flow to the number of messages in its second direction, and a second ratio of the data volume in the first direction of that session flow to the data volume in its second direction; if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtaining the source IP address set of known peer-to-peer network resource request behaviors; and if the source IP address set contains the source IP address of the target message, and the difference between the time stored in correspondence with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic. The method can accurately identify whether the traffic of the session flow to which an encrypted message belongs is P2P traffic.

Description

Method and device for identifying peer-to-peer network traffic
Technical field
The present invention relates to the technical field of peer-to-peer network traffic identification, and in particular to a method and a device for identifying peer-to-peer network traffic.
Background
At present, peer-to-peer (P2P) networks have many advantages, such as low resource occupation, a high resource sharing rate and high resource utilization, so peer-to-peer network traffic accounts for a growing share of network traffic. However, as peer-to-peer network traffic occupies more network bandwidth, it also places a heavy burden on that bandwidth. For this reason, identifying peer-to-peer network traffic, and then managing it, is increasingly important.
In the prior art, deep packet inspection (DPI) is generally used to identify peer-to-peer network traffic, but this method cannot identify encrypted messages. For encrypted messages, an identification method based on flow statistical characteristics is generally used: the session flow to which the encrypted message belongs is analysed statistically to identify whether the traffic of that session flow is peer-to-peer network traffic. This method, however, is prone to misidentification, and its accuracy is low.
Existing methods for identifying peer-to-peer network traffic therefore cannot accurately identify the traffic of encrypted messages, and their applicability is poor.
Summary of the invention
The present invention provides a method and a device for identifying peer-to-peer network traffic, to solve the problem that existing methods for identifying peer-to-peer network traffic cannot accurately identify the traffic of encrypted messages and have poor applicability.
In a first aspect, the present invention provides a method for identifying peer-to-peer network traffic. The method includes: obtaining the number of messages in the session flow to which a target message belongs; if the number of messages is greater than a preset first threshold, obtaining a first ratio of the number of messages in the first direction of the session flow to which the target message belongs to the number of messages in the second direction of that session flow, and a second ratio of the data volume in the first direction of that session flow to the data volume in its second direction; if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtaining the source IP address set of known peer-to-peer network resource request behaviors; and if the source IP address set contains the source IP address of the target message, and the difference between the time stored in correspondence with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic.
Further, the method also includes: matching the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and determining, from the matching result, the known application behavior corresponding to the message to be detected; and if no known application behavior corresponds to the message to be detected, determining the message to be detected to be the target message.
Further, the method also includes: if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determining the traffic of the session flow to which the message to be detected belongs to be non-peer-to-peer network traffic, and adding, to that session flow, the application identifier of the known application behavior corresponding to the message to be detected.
Further, the method also includes: if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, storing the source IP address of the message to be detected, in correspondence with the current time, in the source IP address set of known peer-to-peer network resource request behaviors.
Further, the method also includes: if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored in correspondence with that source IP address and the current time is greater than the preset time threshold, determining the traffic of the session flow to which the target message belongs to be non-peer-to-peer network traffic.
In a second aspect, the present invention also provides a device for identifying peer-to-peer network traffic. The device includes: a message count obtaining module, configured to obtain the number of messages in the session flow to which a target message belongs; a ratio obtaining module, configured to obtain, if the number of messages is greater than a preset first threshold, a first ratio of the number of messages in the first direction of the session flow to which the target message belongs to the number of messages in the second direction of that session flow, and a second ratio of the data volume in the first direction of that session flow to the data volume in its second direction; a source IP address set obtaining module, configured to obtain, if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, the source IP address set of known peer-to-peer network resource request behaviors; and a first traffic determining module, configured to determine, if the source IP address set contains the source IP address of the target message and the difference between the time stored in correspondence with that source IP address and the current time is less than or equal to a preset time threshold, the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic.
Further, the device also includes: a known application behavior determining module, configured to match the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and to determine, from the matching result, the known application behavior corresponding to the message to be detected; and a target message determining module, configured to determine the message to be detected to be the target message if no known application behavior corresponds to the message to be detected.
Further, the device also includes: a second traffic determining module, configured to determine, if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, the traffic of the session flow to which the message to be detected belongs to be non-peer-to-peer network traffic, and to add, to that session flow, the application identifier of the known application behavior corresponding to the message to be detected.
Further, the device also includes: a storage module, configured to store, if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, the source IP address of the message to be detected, in correspondence with the current time, in the source IP address set of known peer-to-peer network resource request behaviors.
Further, the device also includes: a third traffic determining module, configured to determine, if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored in correspondence with that source IP address and the current time is greater than the preset time threshold, the traffic of the session flow to which the target message belongs to be non-peer-to-peer network traffic.
The technical solutions provided by the embodiments of the present invention can have the following beneficial effects. The present invention provides a method and a device for identifying peer-to-peer network traffic. In the identification method, the peer-to-peer network traffic identification device analyses whether the following satisfy the corresponding set conditions: the number of messages transmitted on the session flow to which a received message belongs, the ratio of the numbers of messages transmitted in the two directions of that session flow, the ratio of the data volumes transmitted in the two directions of that session flow, and the relationship between the source IP address of the message and the source IP address set of known peer-to-peer network resource request behaviors. From this it determines whether the traffic of the session flow to which the message belongs is peer-to-peer network traffic. For encrypted messages, the whole identification process is unaffected by message encryption, so the method can accurately identify whether the traffic of the session flow to which a message belongs is peer-to-peer network traffic, and its applicability is better. In addition, the identification method can first filter out, from the messages received by the identification device, those corresponding to known application behaviors, which subsequently reduces misidentification of peer-to-peer network traffic and improves the accuracy of peer-to-peer network traffic identification.
Brief description of the drawings
To describe the technical solutions of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a structural block diagram of a system for identifying peer-to-peer network traffic provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a method for identifying peer-to-peer network traffic provided by an embodiment of the present invention;
Fig. 3 is a structural block diagram of a device for identifying peer-to-peer network traffic provided by an embodiment of the present invention.
Detailed description
As described in the background, existing methods for identifying peer-to-peer network traffic either cannot identify encrypted messages or identify them with low accuracy. To overcome this shortcoming, the present invention provides a method and a device for identifying peer-to-peer network traffic.
The method and the device for identifying peer-to-peer network traffic provided by the present invention are described in detail below with reference to the drawings.
When peer-to-peer network traffic within network traffic needs to be identified, a peer-to-peer network traffic identification device is usually connected into the communication network between the user terminal and the server, so that the network traffic of that communication network can be identified. For this reason, before the identification method and the identification device provided by the present invention are introduced, a system for identifying peer-to-peer network traffic is introduced first; each step of the identification method provided by the embodiments of the present invention can be implemented with this identification system.
Referring to Fig. 1, Fig. 1 shows a structural block diagram of a system for identifying peer-to-peer network traffic provided by an embodiment of the present invention. As shown in Fig. 1, the identification system includes user terminal 1, server 2 and peer-to-peer network traffic identification device 3. Identification device 3 is connected in series in the communication network between user terminal 1 and server 2: messages sent by user terminal 1 to server 2 pass through identification device 3, and messages sent by server 2 to user terminal 1 also pass through identification device 3. Identification device 3 can therefore identify the network traffic of the communication network between user terminal 1 and server 2.
Referring to Fig. 2, Fig. 2 shows a flowchart of a method for identifying peer-to-peer network traffic provided by an embodiment of the present invention. The identification method is applied on the side of the peer-to-peer network traffic identification device (for example, identification device 3 shown in Fig. 1) and includes the following steps:
Step 101: obtain the number of messages in the session flow to which the target message belongs.
In some optional embodiments, any message received by the peer-to-peer network traffic identification device can serve as the target message. The session flow to which the target message belongs refers to one complete session interaction between a user terminal (for example, user terminal 1 shown in Fig. 1) and a server (for example, server 2 shown in Fig. 1). It consists of a series of exchanged messages, of which the target message is one; the number of messages in the session flow to which the target message belongs is the total number of messages in this series.
In some other optional embodiments, before the number of messages in the session flow to which the target message belongs is obtained, that is, before step 101 is performed, the identification method also includes: obtaining the application behavior feature carried by a message to be detected, matching this application behavior feature against the application behavior features contained in the known application behavior feature set, and determining, from the matching result, the known application behavior corresponding to the message to be detected. If the known application behavior feature set contains no feature signature file whose application behavior feature matches the application behavior feature carried by the message to be detected, that is, the match fails, no known application behavior corresponds to the message to be detected, and the message to be detected is determined to be the target message. Determining the target message in this way filters out, from the messages received by the identification device, those corresponding to known application behaviors, which subsequently reduces misidentification of peer-to-peer network traffic and improves the accuracy of peer-to-peer network traffic identification.
Here, a message to be detected is a message received by the peer-to-peer network traffic identification device; any message the device receives can serve as a message to be detected. A known application behavior is the operation behavior of some well-known application: for example, visiting a well-known shopping website, downloading data through well-known download software, and logging in to well-known chat software are all known application behaviors. The known application behavior feature set is the set of feature signature files of known application behaviors; each feature signature file in the set contains an application behavior feature and the name of the known application behavior corresponding to that feature. An application behavior feature is the identifier of an application behavior, the mark that distinguishes each application behavior from the others. For example, the application behavior feature of visiting a well-known shopping website can be the domain name of that shopping website.
Further, the known application behavior feature set can be stored in advance in the peer-to-peer network traffic identification device and read directly from the device when used. It can of course also be stored in other storage devices, which are not enumerated here.
Step 102: if the number of messages is greater than the preset first threshold, obtain a first ratio of the number of messages in the first direction of the session flow to which the target message belongs to the number of messages in the second direction of that session flow, and a second ratio of the data volume in the first direction of that session flow to the data volume in its second direction.
Here, the first direction of the session flow to which the target message belongs can be the direction from the user terminal to the server, or the direction from the server to the user terminal. The preset first threshold can be set as needed.
When the first direction of the session flow is the direction from the user terminal to the server, the second direction is the direction from the server to the user terminal. The number of messages in the first direction is then the total number of messages sent by the user terminal to the server in the session flow to which the target message belongs, and the number of messages in the second direction is the total number of messages sent by the server to the user terminal in that session flow. The data volume in the first direction is the volume of data sent by the user terminal to the server in that session flow, and the data volume in the second direction is the volume of data sent by the server to the user terminal in that session flow.
When the first direction of the session flow is the direction from the server to the user terminal, the second direction is the direction from the user terminal to the server. The number of messages in the first direction is then the total number of messages sent by the server to the user terminal in the session flow to which the target message belongs, and the number of messages in the second direction is the total number of messages sent by the user terminal to the server in that session flow. The data volume in the first direction is the volume of data sent by the server to the user terminal in that session flow, and the data volume in the second direction is the volume of data sent by the user terminal to the server in that session flow.
Step 103: if the first ratio is greater than the preset second threshold and the second ratio is greater than the preset third threshold, obtain the source IP address set of known peer-to-peer network resource request behaviors.
Here, a known peer-to-peer network resource request behavior refers to downloading data through certain known download software. The source IP address set of known peer-to-peer network resource request behaviors is a set of source IP address storage files. Each source IP address storage file in the set contains one source IP address and the time stored in correspondence with that source IP address. The source IP address is that of a user terminal that downloaded data through certain known download software, and the time stored in correspondence with it is the time at which the source IP address was stored into the source IP address storage file. The preset second threshold and the preset third threshold can be set as needed.
Step 104: if the source IP address set contains the source IP address of the target message, and the difference between the time stored in correspondence with that source IP address and the current time is less than or equal to the preset time threshold, determine the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic.
In a specific implementation, the source IP address of the target message is parsed first. The source IP address set of known peer-to-peer network resource request behaviors is then queried for a source IP address storage file containing that source IP address. If such a file exists, the set contains the source IP address, and it is then determined whether the difference between the time contained in that source IP address storage file and the current time is less than or equal to the preset time threshold. If it is, the traffic of the session flow to which the target message belongs is determined to be peer-to-peer network traffic. The preset time threshold can be set as needed.
Further, after the traffic of the session flow to which the target message belongs is determined to be peer-to-peer network traffic, the identification method also includes: adding a P2P traffic identifier to the session flow to which the target message belongs.
In some other optional embodiments, the identification method also includes the following. If the source IP address set of known peer-to-peer network resource request behaviors contains no source IP address storage file with the source IP address of the target message, the set does not contain the source IP address of the target message. If the set does contain a source IP address storage file with the source IP address of the target message, but the difference between the time contained in that storage file and the current time is greater than the preset time threshold, the set contains the source IP address of the target message and the difference between the time stored in correspondence with it and the current time is greater than the preset time threshold. In either case, the traffic of the session flow to which the target message belongs is determined to be non-peer-to-peer network traffic, and a non-P2P traffic identifier is added to that session flow.
In some other optional embodiments, the identification method also includes: if the known application behavior feature set contains a feature signature file whose application behavior feature matches the application behavior feature carried by the message to be detected, and the name of the known application behavior contained in that feature signature file is the name of some non-peer-to-peer network resource request behavior, the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior. The traffic of the session flow to which the message to be detected belongs is then determined to be non-peer-to-peer network traffic, and the application identifier of the known application behavior corresponding to the message to be detected is added to that session flow. The application identifier can be the application name corresponding to the known application behavior; for example, the application name corresponding to the behavior of visiting a well-known shopping website is the name of that shopping website.
In some other optional embodiments, the identification method also includes: if the known application behavior feature set contains a feature signature file whose application behavior feature matches the application behavior feature carried by the message to be detected, and the name of the known application behavior contained in that feature signature file is the name of some known peer-to-peer network resource request behavior, the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior. The source IP address of the message to be detected is then parsed and stored, in correspondence with the current time, in the source IP address set of known peer-to-peer network resource request behaviors; the traffic of the session flow to which the message to be detected belongs is determined to be peer-to-peer network traffic, and a P2P traffic identifier is added to that session flow.
In the method for identifying peer-to-peer network traffic provided by the embodiments of the present invention, the identification device analyses whether the following satisfy the corresponding set conditions: the number of messages transmitted on the session flow to which a received message belongs, the ratio of the numbers of messages transmitted in the two directions of that session flow, the ratio of the data volumes transmitted in the two directions of that session flow, and the relationship between the source IP address of the message and the source IP address set of known peer-to-peer network resource request behaviors. From this it determines whether the traffic of the session flow to which the message belongs is peer-to-peer network traffic. For encrypted messages, the whole identification process is unaffected by message encryption, so the method can accurately identify whether the traffic of the session flow to which a message belongs is peer-to-peer network traffic, and its applicability is better. In addition, the identification method can first filter out, from the messages received by the identification device, those corresponding to known application behaviors, which subsequently reduces misidentification of peer-to-peer network traffic and improves the accuracy of peer-to-peer network traffic identification.
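The decision flow of steps 101 to 104, together with the optional pre-filter and the non-P2P branch, as an added Python example (not code from the patent). The threshold values, feature strings and addresses are constructed; the UNDETERMINED verdict for flows that fail the count or ratio tests, the choice of first direction, and the handling of an empty second direction are assumptions, since the text does not specify them.

```python
"""Added example of the patent's decision flow (steps 101-104 and pre-filter).
Thresholds, feature strings and addresses are constructed, not from the patent."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    P2P = "P2P"
    NON_P2P = "non-P2P"
    UNDETERMINED = "undetermined"  # assumption: the patent leaves this case open


@dataclass
class Flow:
    """Counters of one session flow; which side is 'first' is an assumption."""
    src_ip: str
    msgs_first: int
    msgs_second: int
    bytes_first: int
    bytes_second: int
    label: Optional[str] = None  # P2P / non-P2P identifier or application name


def ratio(first: int, second: int) -> float:
    # Assumption: an empty second direction gives an unbounded ratio.
    if second == 0:
        return float("inf") if first > 0 else 0.0
    return first / second


@dataclass
class Identifier:
    first_threshold: int     # message count that must be exceeded (step 102)
    second_threshold: float  # bound on the message-count ratio (step 103)
    third_threshold: float   # bound on the data-volume ratio (step 103)
    time_threshold: float    # maximum age of a stored source IP, in seconds
    # Known application behavior feature set: feature -> (name, is P2P request)
    features: Dict[str, Tuple[str, bool]] = field(default_factory=dict)
    # Source IP address set of known P2P resource requests: IP -> stored time
    p2p_sources: Dict[str, float] = field(default_factory=dict)

    def prefilter(self, flow: Flow, feature: Optional[str],
                  now: float) -> Optional[Verdict]:
        """Match the carried feature; None means the message is a target message."""
        match = self.features.get(feature) if feature is not None else None
        if match is None:
            return None
        name, is_p2p = match
        if is_p2p:
            self.p2p_sources[flow.src_ip] = now  # store source IP with current time
            flow.label = "P2P"
            return Verdict.P2P
        flow.label = name  # application identifier of the known behavior
        return Verdict.NON_P2P

    def classify_target(self, flow: Flow, now: float) -> Verdict:
        total = flow.msgs_first + flow.msgs_second          # step 101
        if total <= self.first_threshold:                   # step 102 gate
            return Verdict.UNDETERMINED
        first_ratio = ratio(flow.msgs_first, flow.msgs_second)
        second_ratio = ratio(flow.bytes_first, flow.bytes_second)
        if not (first_ratio > self.second_threshold
                and second_ratio > self.third_threshold):   # step 103 gate
            return Verdict.UNDETERMINED
        stored = self.p2p_sources.get(flow.src_ip)          # step 104 lookup
        if stored is not None and now - stored <= self.time_threshold:
            flow.label = "P2P"
            return Verdict.P2P
        flow.label = "non-P2P"  # IP absent from the set, or its entry is too old
        return Verdict.NON_P2P

    def identify(self, flow: Flow, feature: Optional[str], now: float) -> Verdict:
        verdict = self.prefilter(flow, feature, now)
        return verdict if verdict is not None else self.classify_target(flow, now)


def demo() -> List[Verdict]:
    ident = Identifier(
        first_threshold=20, second_threshold=0.5, third_threshold=0.5,
        time_threshold=300.0,
        features={"tracker.p2p.example": ("example P2P client", True),
                  "shop.example": ("example shop", False)})
    t0 = 1000.0
    cases = [
        # (flow, carried feature or None when no feature is available, time)
        (Flow("192.0.2.10", 3, 2, 400, 300), "tracker.p2p.example", t0),
        (Flow("192.0.2.10", 120, 110, 90_000, 85_000), None, t0 + 60),
        (Flow("192.0.2.77", 120, 110, 90_000, 85_000), None, t0 + 60),
        (Flow("192.0.2.10", 40, 400, 3_000, 500_000), None, t0 + 60),
        (Flow("192.0.2.10", 5, 5, 500, 500), "shop.example", t0 + 60),
        (Flow("192.0.2.10", 120, 110, 90_000, 85_000), None, t0 + 600),
    ]
    return [ident.identify(flow, feature, now) for flow, feature, now in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The second and last cases carry identical counters from the same host; only the age of the stored source IP entry changes the verdict, which is why the preset time threshold and the freshness of the pre-filter's sightings drive the result for encrypted flows.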
Corresponding with the recognition methods of peer-to-peer network flow provided by the invention, present invention also offers a kind of peer-to-peer network The identification device of flow.
Referring to Fig. 3, Fig. 3 is illustrated that a kind of structure of the identification device of peer-to-peer network flow provided in an embodiment of the present invention Block diagram.According to Fig. 3, which includes:Message amount acquisition module 301, for obtaining the affiliated session of object message The message amount of stream;Ratio acquisition module 302, if being more than preset first threshold value for the message amount, obtains the mesh Mark the message amount of the affiliated session stream first direction of message and the message amount of the affiliated session stream second direction of the object message The first ratio, and the data volume of the affiliated session stream first direction of the object message and the affiliated session stream of the object message Second ratio of the data volume of second direction;Source IP address collection acquisition module 303, if be more than for first ratio default Second threshold and second ratio are more than default 3rd threshold value, the source IP address of peer network resources request behavior known to acquisition Collection;First flow determining module 304, if the source IP address for including the object message is concentrated for the source IP address, and And the time of corresponding storage and the difference of current time are less than or equal to preset time threshold together with the source IP address, by described in The flow of the affiliated session stream of object message is determined as peer-to-peer network flow.
Further, the identification device also includes: a known application behavior determining module 305, configured to match the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and to determine, according to the matching result, the known application behavior corresponding to the message to be detected; and a target message determining module 306, configured to, if no known application behavior corresponds to the message to be detected, determine the message to be detected to be a target message.
Further, the identification device also includes: a second traffic determining module 307, configured to, if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determine the traffic of the session stream to which the message to be detected belongs to be non-peer-to-peer network traffic, and add, to that session stream, the application identifier of the known application behavior corresponding to the message to be detected.
Further, the identification device also includes: a storage module 308, configured to, if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, store the source IP address of the message to be detected together with the current time into the source IP address set of known peer-to-peer network resource request behavior.
Further, the identification device also includes: a third traffic determining module 309, configured to, if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determine the traffic of the session stream to which the target message belongs to be non-peer-to-peer network traffic.
The device for identifying peer-to-peer network traffic provided by the embodiments of the present invention can carry out each step of the above method for identifying peer-to-peer network traffic and obtains the same beneficial effects. When the identification device is used to identify the traffic of encrypted messages, the whole identification process is not affected by message encryption, so whether the traffic of the session stream to which a message belongs is peer-to-peer network traffic can be identified accurately, and applicability is better. In addition, the identification device can first filter out, from the received messages, the messages that correspond to known application behavior, which reduces subsequent misidentification of peer-to-peer network traffic and improves the accuracy of peer-to-peer network traffic identification.
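The decision chain carried out by modules 301 to 309 can be sketched as a small classifier. This is an added example, not code from the patent: the threshold values, the feature names in `KNOWN_FEATURES`, the choice of which direction counts as "first", and the handling of a silent second direction are all assumptions.

```python
import math
from dataclasses import dataclass

# Hypothetical values; the patent only calls these thresholds "preset".
T1_MESSAGES = 20     # first threshold: messages on the session stream
T2_MSG_RATIO = 1.5   # second threshold: first/second direction message ratio
T3_BYTE_RATIO = 5.0  # third threshold: first/second direction data-volume ratio
MAX_AGE_S = 300.0    # time threshold for entries in the source IP set

# Constructed stand-in for the known application behaviour feature set:
# feature -> (application identifier, is it a P2P resource request?)
KNOWN_FEATURES = {
    "bt-tracker-announce": ("bittorrent", True),
    "http-get": ("web", False),
}

@dataclass
class Stream:
    msgs_first: int = 0    # per-direction counters kept by the capture layer
    msgs_second: int = 0
    bytes_first: int = 0
    bytes_second: int = 0
    label: str = "undetermined"
    app_id: str = ""

def ratio(first, second):
    # A silent second direction would divide by zero; treat it as unbounded.
    if second == 0:
        return math.inf if first > 0 else 0.0
    return first / second

class P2PIdentifier:
    def __init__(self):
        self.p2p_sources = {}  # source IP -> time of its last known P2P request

    def handle(self, stream, src_ip, feature, now):
        """Process one message; feature is None when nothing could be extracted."""
        known = KNOWN_FEATURES.get(feature)
        if known is None:
            # No known behaviour matched, so this is a target message.
            return self.classify_target(stream, src_ip, now)
        app_id, is_p2p_request = known
        if is_p2p_request:
            # Record who requested P2P resources and when; no verdict yet.
            self.p2p_sources[src_ip] = now
        else:
            stream.label, stream.app_id = "non-p2p", app_id
        return stream.label

    def classify_target(self, stream, src_ip, now):
        if stream.msgs_first + stream.msgs_second <= T1_MESSAGES:
            return stream.label  # too few messages to judge
        r1 = ratio(stream.msgs_first, stream.msgs_second)
        r2 = ratio(stream.bytes_first, stream.bytes_second)
        if not (r1 > T2_MSG_RATIO and r2 > T3_BYTE_RATIO):
            return stream.label  # the text gives no verdict for this case
        seen = self.p2p_sources.get(src_ip)
        if seen is not None and now - seen <= MAX_AGE_S:
            stream.label = "p2p"
        else:
            stream.label = "non-p2p"  # address absent from the set, or stale
        return stream.label
```

The encrypted stream is never inspected: the verdict rests only on its counters and on whether the same source address made a recognisable peer-to-peer resource request recently enough.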
In a specific implementation, the present invention also provides a computer-readable storage medium. The storage medium may store a program which, when executed, may perform some or all of the steps in each embodiment of the method for identifying peer-to-peer network traffic provided by the present invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Those skilled in the art can clearly understand that the techniques in the embodiments of the present invention can be implemented by means of software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as a ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
For identical or similar parts among the embodiments in this specification, reference may be made to one another. In particular, the embodiment of the device for identifying peer-to-peer network traffic is described relatively briefly because it is substantially similar to the method embodiment; for relevant details, refer to the description of the method embodiment.
The embodiments of the present invention described above do not limit the scope of protection of the present invention.

Claims (10)

  1. A method for identifying peer-to-peer network traffic, characterized by comprising:
    obtaining the number of messages of the session stream to which a target message belongs;
    if the number of messages is greater than a preset first threshold, obtaining a first ratio of the number of messages in the first direction of the session stream to which the target message belongs to the number of messages in the second direction of that session stream, and a second ratio of the data volume in the first direction of that session stream to the data volume in the second direction of that session stream;
    if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtaining the source IP address set of known peer-to-peer network resource request behavior;
    if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session stream to which the target message belongs to be peer-to-peer network traffic.
  2. The identification method according to claim 1, characterized in that the identification method further comprises:
    matching the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and determining, according to the matching result, the known application behavior corresponding to the message to be detected;
    if no known application behavior corresponds to the message to be detected, determining the message to be detected to be a target message.
  3. The identification method according to claim 2, characterized in that the identification method further comprises: if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determining the traffic of the session stream to which the message to be detected belongs to be non-peer-to-peer network traffic, and adding, to that session stream, the application identifier of the known application behavior corresponding to the message to be detected.
  4. The identification method according to claim 2, characterized in that the identification method further comprises: if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, storing the source IP address of the message to be detected together with the current time into the source IP address set of known peer-to-peer network resource request behavior.
  5. The identification method according to claim 1, characterized in that the identification method further comprises: if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determining the traffic of the session stream to which the target message belongs to be non-peer-to-peer network traffic.
  6. A device for identifying peer-to-peer network traffic, characterized by comprising:
    a message quantity acquisition module, configured to obtain the number of messages of the session stream to which a target message belongs;
    a ratio acquisition module, configured to, if the number of messages is greater than a preset first threshold, obtain a first ratio of the number of messages in the first direction of the session stream to which the target message belongs to the number of messages in the second direction of that session stream, and a second ratio of the data volume in the first direction of that session stream to the data volume in the second direction of that session stream;
    a source IP address set acquisition module, configured to, if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, obtain the source IP address set of known peer-to-peer network resource request behavior;
    a first traffic determining module, configured to, if the source IP address set contains the source IP address of the target message, and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determine the traffic of the session stream to which the target message belongs to be peer-to-peer network traffic.
  7. The identification device according to claim 6, characterized in that the identification device further comprises:
    a known application behavior determining module, configured to match the application behavior feature carried by a message to be detected against the application behavior features contained in a known application behavior feature set, and to determine, according to the matching result, the known application behavior corresponding to the message to be detected;
    a target message determining module, configured to, if no known application behavior corresponds to the message to be detected, determine the message to be detected to be a target message.
  8. The identification device according to claim 7, characterized in that the identification device further comprises: a second traffic determining module, configured to, if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determine the traffic of the session stream to which the message to be detected belongs to be non-peer-to-peer network traffic, and add, to that session stream, the application identifier of the known application behavior corresponding to the message to be detected.
  9. The identification device according to claim 7, characterized in that the identification device further comprises: a storage module, configured to, if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, store the source IP address of the message to be detected together with the current time into the source IP address set of known peer-to-peer network resource request behavior.
  10. The identification device according to claim 6, characterized in that the identification device further comprises: a third traffic determining module, configured to, if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determine the traffic of the session stream to which the target message belongs to be non-peer-to-peer network traffic.
CN201810024787.3A 2018-01-11 2018-01-11 Identification method and identification device for peer-to-peer network traffic Active CN107948022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810024787.3A CN107948022B (en) 2018-01-11 2018-01-11 Identification method and identification device for peer-to-peer network traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810024787.3A CN107948022B (en) 2018-01-11 2018-01-11 Identification method and identification device for peer-to-peer network traffic

Publications (2)

Publication Number Publication Date
CN107948022A true CN107948022A (en) 2018-04-20
CN107948022B CN107948022B (en) 2021-04-30

Family

ID=61938485

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810024787.3A Active CN107948022B (en) 2018-01-11 2018-01-11 Identification method and identification device for peer-to-peer network traffic

Country Status (1)

Country Link
CN (1) CN107948022B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101383829A (en) * 2008-10-17 2009-03-11 杭州华三通信技术有限公司 Stream recognition method and bandwidth management device
CN101505276A (en) * 2009-03-23 2009-08-12 杭州华三通信技术有限公司 Network application flow recognition method and apparatus and network application flow management apparatus
CN103457803A (en) * 2013-09-10 2013-12-18 杭州华三通信技术有限公司 Device and method for recognizing P2P flow
CN103746768A (en) * 2013-10-08 2014-04-23 北京神州绿盟信息安全科技股份有限公司 Data packet identification method and equipment thereof
CN103873320A (en) * 2013-12-27 2014-06-18 北京天融信科技有限公司 Encrypted flow rate recognizing method and device
KR20170048767A (en) * 2015-10-27 2017-05-10 삼성에스디에스 주식회사 Apparatus for generating barcode using homomorphic encryption and Method thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111200520A (en) * 2019-12-27 2020-05-26 咪咕文化科技有限公司 Network monitoring method, server and computer readable storage medium
CN112272123A (en) * 2020-10-16 2021-01-26 北京锐安科技有限公司 Network traffic analysis method and device, electronic equipment and storage medium
CN112272123B (en) * 2020-10-16 2022-04-15 北京锐安科技有限公司 Network traffic analysis method, system, device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN107948022B (en) 2021-04-30

Similar Documents

Publication Publication Date Title
CN107360159B (en) A kind of method and device of the abnormal encryption flow of identification
CN104640114B (en) A kind of verification method and device of access request
WO2018121331A1 (en) Attack request determination method, apparatus and server
CN102624700B (en) Based on method for identifying ID and the system of customizing messages
CN107251528B (en) Method and apparatus for providing data originating within a service provider network
CN105228140B (en) A kind of data access method and device
CN105321108A (en) System and method for creating a list of shared information on a peer-to-peer network
US9042863B2 (en) Service classification of web traffic
CN104822156B (en) A kind of method and device of user behavior analysis
KR20070083389A (en) Interferring server state in a stateless communication protocol
CN108390955A (en) Domain Name acquisition method, Website access method and server
CN108881354A (en) A kind of pushed information storage method, device, server and computer storage medium
CN111222019B (en) Feature extraction method and device
CN103535011A (en) Routing method, device, and system in content delivery network (CDN)
CN104994016A (en) Method and apparatus for packet classification
CN103888539A (en) P2P cache guiding method and device and P2P cache system
CN108989438A (en) Implementation method, the device and system of data distribution network
US20120047248A1 (en) Method and System for Monitoring Flows in Network Traffic
CN107948022A (en) A kind of recognition methods of peer-to-peer network flow and identification device
CN107864189A (en) A kind of application layer traffic load-balancing method based on DPI
CN104468771B (en) The determination method and device in geographical location
CN106716974A (en) Access distribution method, device and system
CN112822208A (en) Internet of things equipment identification method and system based on block chain
CN101854366A (en) Peer-to-peer network flow-rate identification method and device
CN108366136B (en) Domain name resolution method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant