CN109547414A - Fixed-length message format reverse-engineering method based on the bright light effect - Google Patents

Publication number: CN109547414A
Application number: CN201811268875.4A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN109547414B (en)
Legal status: Granted (active)
Prior art keywords: message, fixed, length, byte, domain
Inventors: 刘琰, 高李政, 罗军勇, 朱玛, 左青松
Current assignee: Information Engineering University of PLA Strategic Support Force
Original assignee: Information Engineering University of PLA Strategic Support Force
Application filed by: Information Engineering University of PLA Strategic Support Force
Events: priority to CN201811268875.4A; publication of CN109547414A; application granted; publication of CN109547414B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Abstract

The present invention provides a fixed-length message format reverse-engineering method based on the bright light effect. The method comprises: step 1, determining the field type of every fixed-length field in a fixed-length message m, the field types being synchronous field and asynchronous field; step 2, if all fixed-length fields in the fixed-length message m are synchronous fields, determining the field boundary sequence of the fixed-length fields of the message according to a first field boundary identification rule; step 3, if the fixed-length fields in the fixed-length message m include an asynchronous field, determining the field boundary sequence of the fixed-length fields of the message according to a second field boundary identification rule. Inspired by the bright light effect of a building, the invention likens a fixed-length message to a building, the bytes of the message to the windows of the building, and a contiguous region in which two messages take the same values to a bright light region. Taking into account the influence of the field type on the bright light effect, it formulates different field boundary identification rules for different types of fixed-length message, and can effectively solve the problem of identifying the boundaries of fixed-length fields.

Description

Fixed-length message format reverse-engineering method based on the bright light effect
Technical field
The present invention relates to the technical field of network security, and in particular to a fixed-length message format reverse-engineering method based on the bright light effect.
Background
The fixed-length message format is a common application protocol message format; many application protocols contain fixed-length messages or fixed-length sections. Because information in this format is highly compressed, feature extraction and feature analysis are difficult, and so is reverse engineering of the format.
In 2004, the PI (Protocol Informatics) project applied the idea of gene sequence alignment from bioinformatics to message format reverse engineering. That method suits messages that are rich in feature fields, such as the text messages of traditional protocols. Fixed-length messages are highly compressed and their feature fields are not obvious, so PI has limited effect on them. In 2006, Cui et al. of Microsoft proposed the Discoverer algorithm for message format reverse engineering. When reversing the format of a fixed-length message, that algorithm simply treats each byte of the message as a separate field, which is one-sided. ASAP and ProDecoder reverse fixed-length message formats using the N-gram method from natural-language topic extraction. However, N-gram-based methods are effective only for messages whose length is not less than N and whose feature fields are obvious, and their results on fixed-length messages are unsatisfactory. ProGraph performs protocol reverse engineering using graph theory and information theory; its analysis granularity for messages is too small, and it generally assumes that the values of different fields in a message are correlated, which is one-sided. In short, because fixed-length messages are highly compressed and their feature fields are not obvious, the above format reverse-engineering techniques based on feature-field analysis have limited effect.
In addition, some researchers have considered reversing fixed-length message formats through binary analysis. The idea can be summarized as follows: use binary analysis to observe how the application processes a message, and thereby determine the size, position, semantics and other information of each field in the message. Protocol reverse engineering based on binary analysis is highly accurate and yields rich results. However, it requires the application that implements the protocol, which is difficult to obtain and may be covered by software protection. It is also difficult to automate.
Summary of the invention
To address the shortcomings of existing fixed-length message format reverse-engineering techniques, the present invention provides a fixed-length message reverse-engineering method based on the bright light effect. By establishing a mapping between a building and a fixed-length message, the problem of inferring the boundary of each field in a fixed-length message is converted into a probability and statistics problem, which improves the accuracy of fixed-length message format reverse engineering.
The present invention provides a fixed-length message format reverse-engineering method based on the bright light effect, the method comprising:
Step 1: determine the field type of every fixed-length field in the fixed-length message m, the field types being synchronous field and asynchronous field;
Step 2: if all fixed-length fields in the fixed-length message m are synchronous fields, determine the field boundary sequence of the fixed-length fields of the message according to the first field boundary identification rule;
Step 3: if the fixed-length fields in the fixed-length message m include an asynchronous field, determine the field boundary sequence of the fixed-length fields of the message according to the second field boundary identification rule.
Further, the first field boundary identification rule specifically comprises:
Step 21: obtain any two message segments $m_i$ and $m_j$ in the fixed-length message m;
Step 22: define the values of the bytes at offset k in message segments $m_i$ and $m_j$ as $m_{ik}$ and $m_{jk}$ respectively, and repeatedly compare the values of $m_{ik}$ and $m_{jk}$ until the comparison result stabilizes, where k is not greater than the length of the fixed-length message m;
Step 23: from the comparison results, determine the boundary sequence of the bright light regions in the fixed-length message m and take it as the boundary sequence of all fixed-length fields in the fixed-length message m, where a bright light region is a message interval made up of consecutive bytes whose values are equal in one comparison.
Further, the second field boundary identification rule specifically comprises:
Step 31: determine the storage mode of the fixed-length fields in the fixed-length message m, the storage mode being big-endian storage or little-endian storage;
Step 32: count the number of value kinds of each byte in the fixed-length message m and, from the statistics, determine the always-on regions and always-dark regions of the fixed-length message m; an always-on region is a message interval made up of bytes whose value is unique in the fixed-length message m, and an always-dark region is a message interval made up of bytes that have 256 value kinds in the fixed-length message m;
Step 33: divide the fixed-length message m into N message blocks according to the always-on regions and always-dark regions, N being a positive integer greater than 1;
Step 34: for a message block n, if the length l of message block n is 1, take message block n as one fixed-length field;
Step 35: if the length l of message block n is greater than 1, define message block n as comprising the message sequence $n_1, \dots, n_l$, and compare the values $n_{ix}$ and $n_{jx}$ at offset x in any two sub-messages $n_i$ and $n_j$ of the message sequence;
If the fixed-length fields in message block n are stored big-endian, count the first-lamp frequency $f_x^s$ at offset x in message block n, and correct the first-lamp frequency $f_x^s$ at offset x according to the first preset correction rule;
If the fixed-length fields in message block n are stored little-endian, count the last-lamp frequency $f_x^e$ at offset x in message block n, and correct the last-lamp frequency $f_x^e$ at offset x according to the second preset correction rule;
Here the first-lamp frequency is the frequency with which the byte at offset x is the start boundary of a bright light region, the last-lamp frequency is the frequency with which the byte at offset x is the end boundary of a bright light region, a bright light region is a message interval made up of consecutive bytes whose values are equal in one comparison, $n = 1, 2, \dots, N$, and $0 \le x \le l-1$;
Step 36: determine the maximum first-lamp frequency among all counted first-lamp frequencies, or the maximum last-lamp frequency among all counted last-lamp frequencies;
Step 37: taking the maximum first-lamp frequency or the maximum last-lamp frequency as the reference, obtain, according to preset screening conditions, the offsets x that can serve as the start boundary or the end boundary of a field.
Further, the first preset correction rule specifically comprises: when the first correction condition is met, add 1 to the first-lamp frequency $f_x^s$ at offset x;
The first correction condition is:
The byte at offset x is the start boundary of the message block and $n_{ix} = n_{jx}$; or
The byte at offset x is not the start boundary of the message block, and $n_{i(x-1)} \neq n_{j(x-1)}$ and $n_{ix} = n_{jx}$ both hold;
The second preset correction rule specifically comprises: when the second correction condition is met, add 1 to the last-lamp frequency $f_x^e$ at offset x;
The second correction condition is:
The byte at offset x is the end boundary of the message block and $n_{ix} = n_{jx}$; or
The byte at offset x is not the end boundary of the message block, and $n_{ix} = n_{jx}$ and $n_{i(x+1)} \neq n_{j(x+1)}$ both hold;
Further, the preset screening conditions specifically comprise:
When the first-lamp frequency satisfies inequality (1), the byte at offset x is taken as the start boundary of a fixed-length field;
When the last-lamp frequency satisfies inequality (2), the byte at offset x is taken as the end boundary of a fixed-length field;
When the first-lamp frequency and the last-lamp frequency both satisfy the above conditions, their sizes are compared to decide whether the byte at offset x is taken as the start boundary or as the end boundary of some fixed-length field in the fixed-length message m, where β is a preset threshold.
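The counting of step 35 under the two correction rules, as an added Python example (not code from the patent). The block layout and sample values are constructed, and `top_offsets` only ranks offsets for display; it is an assumption of this example and not the patent's screening condition.

```python
from itertools import combinations, product


def lamp_frequencies(samples):
    """Return (f_s, f_e): first-lamp and last-lamp frequency for each offset x.

    samples: equal-length byte strings, one instance of the same message
    block per captured message.
    """
    length = len(samples[0])
    f_s = [0] * length
    f_e = [0] * length
    for n_i, n_j in combinations(samples, 2):
        lit = [a == b for a, b in zip(n_i, n_j)]
        for x in range(length):
            if not lit[x]:
                continue
            # First correction condition: x starts the block, or the byte
            # before x differs, so a bright light region begins at x.
            if x == 0 or not lit[x - 1]:
                f_s[x] += 1
            # Second correction condition: x ends the block, or the byte
            # after x differs, so a bright light region ends at x.
            if x == length - 1 or not lit[x + 1]:
                f_e[x] += 1
    return f_s, f_e


def top_offsets(freq, count):
    """Offsets of the `count` largest frequencies (display helper only;
    an assumption, not the patent's screening condition)."""
    ranked = sorted(range(len(freq)), key=lambda x: freq[x], reverse=True)
    return sorted(ranked[:count])


# Constructed sample: a 4-byte block holding two 16-bit fields. Each field
# takes 16 values whose high byte is 0 or 1 and whose low byte has 8 values.
FIELD_VALUES = range(0, 512, 32)


def sample_block(byteorder):
    """All 256 combinations of the two fields, in the given byte order."""
    return [a.to_bytes(2, byteorder) + b.to_bytes(2, byteorder)
            for a, b in product(FIELD_VALUES, repeat=2)]


if __name__ == "__main__":
    for order in ("big", "little"):
        f_s, f_e = lamp_frequencies(sample_block(order))
        print(order, "first-lamp", f_s, "last-lamp", f_e)
```

With big-endian fields the first-lamp frequency peaks at the field starts (offsets 0 and 2), while with little-endian fields the last-lamp frequency peaks at the field ends (offsets 1 and 3), which is why the rule counts a different frequency for each storage mode.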
Beneficial effects of the present invention:
The fixed-length message format reverse-engineering method based on the bright light effect provided by the invention can effectively solve the problem of identifying fixed-length field boundaries. Because fixed-length messages are highly compressed and feature extraction is difficult, existing methods generally perform poorly at identifying fixed-length field boundaries. The present invention likens a fixed-length message to a building, each byte of the message to a window of the building, and a contiguous region in which two messages take the same values to a bright light region. Taking into account the influence of the field type on the bright light effect, it formulates different field boundary identification rules for different types of fixed-length message (ideal messages and non-ideal messages), and obtains the candidate boundary sequences of fixed-length fields under big-endian and little-endian storage by counting the first-lamp probability and the last-lamp probability respectively. The real field boundaries are then screened out from these candidate boundaries according to certain rules. Experimental results show that the invention performs clearly better than other methods and accurately identifies more field boundaries. The invention also provides a new and feasible approach to reverse engineering the format of messages made up of fixed-length fields, which benefits the further development of that work.
Brief description of the drawings
Fig. 1 is a schematic diagram of the bright light effect of a building provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram, provided by an embodiment of the present invention, of mapping the bright light effect of a building onto a fixed-length message;
Fig. 3 is a flow diagram of the bright light regions of a fixed-length message provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of the fixed-length message format reverse-engineering method based on the bright light effect provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the bright light probability in an ideal message provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram, provided by an embodiment of the present invention, of fixed-length fields using big-endian storage and little-endian storage respectively;
Fig. 7 is a schematic diagram of the always-on region of the SMB message header provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of the always-dark region of the DHCP protocol header provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of the relationship between value kinds, value uniformity and bright light probability provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of the relationship between bright light probability and first-lamp probability provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of the bright light probability and last-lamp probability when fixed-length fields use little-endian storage, provided by an embodiment of the present invention;
Fig. 12 is a schematic diagram of the identification field of the SMB message header provided by an embodiment of the present invention;
Fig. 13 is a schematic diagram of the identification field of the BitTorrent message header provided by an embodiment of the present invention;
Fig. 14 is a schematic diagram of the always-dark region in a DNS message provided by an embodiment of the present invention;
Fig. 15 is a schematic diagram, provided by an embodiment of the present invention, of dividing a message into blocks according to the always-on regions and always-dark regions;
Fig. 16 is a schematic diagram of the distribution of value kinds in the SMB message header provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly below with reference to the drawings in the embodiments. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
For a better understanding of the technical solution provided by the present invention, the technical terms used in the embodiments are first introduced below.
A fixed-length field is a field whose length is fixed. The value of a fixed-length field may be a number or a byte array; both can be treated uniformly as numeric. The position and order of a fixed-length field within a fixed-length message (or fixed-length section) are fixed, and its semantics are determined by its position.
A fixed-length message is a message made up of fixed-length fields. It is not a message whose length is fixed, but a message type (first-level type). Although a fixed-length message is not the same thing as a message of fixed length, in most cases its length is fixed; only when the fixed-length message contains an extensible field can the message length change. The present invention does not consider fixed-length messages that contain extensible fields.
A fixed-length section is a section made up of fixed-length fields. To simplify message parsing, a fixed-length section is usually located at the message header. The format reverse-engineering method for a fixed-length section is the same as that for a fixed-length message.
The essence of fixed-length message format reverse engineering: the key is to infer the boundary of each fixed-length field in the fixed-length message. The boundaries of a fixed-length field are its start position and end position in the fixed-length message, called the start boundary and the end boundary. Because the length and order of fixed-length fields are fixed, the offsets of the start boundary and end boundary of a fixed-length field from the message header are also fixed. Let the start boundary of a fixed-length field be $b_s(i)$ and its end boundary be $b_e(i)$, where s and e denote start and end, i is the serial number of the fixed-length field in the fixed-length message, and $i \ge 1$; the values of $b_s(i)$ and $b_e(i)$ are the offsets, from the header of the fixed-length message, of the first byte and the last byte of the fixed-length field respectively. The start boundary of the first fixed-length field in the fixed-length message is $b_s(1)$; let $b_s(1) = 0$. Because the fixed-length fields in a fixed-length message are laid end to end, the equation $b_e(i) + 1 = b_s(i+1)$ holds. From this equation, the end boundaries of the fixed-length fields can be inferred from their start boundaries, and vice versa. The core of fixed-length message format reverse engineering can therefore be summarized as: infer the start boundary sequence or the end boundary sequence of the fixed-length fields.
Bright light effect: how can the start boundary (or end boundary) of each room in a building be inferred without entering the building? Assume that each room has several windows and that the position and number of the windows characterize the position and size of the room. As shown in Fig. 1, in the daytime there is no obvious difference between windows; at night, some rooms are lit and others are not, so the windows differ in brightness. A region made up of several consecutive lit windows on the same floor is called a "bright light region". A bright light region may contain one or more rooms. Because all windows of a room are lit or dark together, the start boundary of a bright light region must be the start boundary of some room, and its end boundary must be the end boundary of some room. The bright light regions may differ from day to day; if the start boundaries (end boundaries) of each day's bright light regions are recorded, the boundary sequence stabilizes once enough days have been recorded. Each boundary in the sequence then corresponds to the start boundary (end boundary) of a room in the building. The present invention calls this principle the "bright light effect" of a building; using the "bright light effect", the boundary of every room can be inferred without entering the building.
As shown in Figs. 2 and 3, a building is made up of rooms and each room has several windows; a message is made up of fields and each field contains several bytes. The present invention first makes the following concept mapping: a fixed-length message is mapped to one floor of a building, a fixed-length field is mapped to a room, and a byte is mapped to a window.
In the "bright light effect" a window has only two states, lit or dark, whereas a byte can take 256 values, so a byte value cannot be mapped directly to a window state.
Bright light region of a fixed-length message: let any two fixed-length messages be $m_i$ and $m_j$, and let the values of the bytes at offset k in the two messages be $m_{ik}$ and $m_{jk}$. Whether $m_{ik}$ and $m_{jk}$ are equal is mapped to the window state: $m_{ik} = m_{jk}$ is mapped to lit and $m_{ik} \neq m_{jk}$ is mapped to dark. A message interval made up of consecutive bytes whose values are equal in one comparison is called a "bright light region" of the fixed-length message.
Bright light probability: for any two fixed-length messages of the same protocol, the probability that the bytes at offset x have equal values is called the bright light probability of x.
The bright light probability describes how likely it is that the byte at the same offset has the same value in different fixed-length messages. Its size is influenced by two factors: value kinds and value uniformity. Value kinds is the number of distinct values that the byte at a given offset takes across all messages; value uniformity is how evenly the byte values are distributed over those kinds.
To illustrate these two factors more intuitively, a specific example is given in Table 1. Rows j, j+1 and j+2 of Table 1 give the values of the byte at the same offset in different fixed-length messages; columns i, i+1, ..., i+5 each represent one message segment of a fixed-length message; the numbers in the table are byte values. Table 1 lists 6 message segments, each of length 3.
Table 1: Examples of different byte values in messages
There can be at most 256 value kinds and at least 1. As Table 1 shows, the byte at offset j has three value kinds in total: 2, 3 and 4. The byte at offset j has the same value kinds as the byte at offset j+1, namely 2, 3 and 4; however, the values of byte j are concentrated on 2, while the values of byte j+1 are more uniform.
Comparing the 6 message segments of Table 1 pairwise gives 15 comparisons in total. As shown in Table 2, the numbers of times the bytes at offsets j, j+1 and j+2 have equal values are 6, 3 and 0 respectively. The result is analyzed as follows: first, the values of bytes j+1 and j+2 are both fairly uniformly distributed over their kinds, but because j+1 has fewer value kinds, its values are equal more often than those of j+2; second, bytes j and j+1 have the same number of value kinds, but the values of j+1 are more uniformly distributed, so they are equal less often.
Table 2: Number of times the byte values at each offset are equal

Byte offset    Times values are equal
j              6
j+1            3
j+2            0
Tables 1 and 2 show how value kinds and value uniformity influence the bright light probability. First, the more value kinds there are, the smaller the bright light probability, and vice versa. Second, the more uniform the values are, the smaller the bright light probability, and vice versa.
Fig. 4 is a flow diagram of the fixed-length message format reverse-engineering method based on the bright light effect provided by an embodiment of the present invention. As shown in Fig. 4, the method comprises the following steps:
S101: determine the field type of every fixed-length field in the fixed-length message m, the field types being synchronous field and asynchronous field;
S102: if all fixed-length fields in the fixed-length message m are synchronous fields, determine the field boundary sequence of the fixed-length fields of the message according to the first field boundary identification rule;
S103: if the fixed-length fields in the fixed-length message m include an asynchronous field, determine the field boundary sequence of the fixed-length fields of the message according to the second field boundary identification rule.
Specifically, the present invention defines a synchronous field as a fixed-length field that meets the following conditions: first, if the value of any one byte in the field is fixed, the values of the other bytes are also fixed; second, if the value of any one byte in the field changes, the values of the other bytes also change. It follows from the definition that the values of all bytes in a synchronous field change in step. A synchronous field is a special kind of fixed-length field; a fixed-length field of length 1, or one whose value is unique, can be regarded as a synchronous field. When all the fixed-length fields making up a fixed-length message are synchronous fields, the fixed-length message is called an ideal message.
By reference to the definition of a synchronous field, an asynchronous field is a fixed-length field that is not a synchronous field. By reference to the definition of an ideal message, a fixed-length message that includes an asynchronous field is a non-ideal message.
In a synchronous field, the bright light probability of every byte is equal and the bytes light up at the same time. When the fixed-length fields making up a message are all synchronous fields, that is, when the fixed-length message is an ideal message, the "bright light effect" principle can be used to infer the field boundaries.
In an asynchronous field, the bright light probabilities of the bytes differ and the bytes light up at different times. Therefore, when the fixed-length message is a non-ideal message, the boundaries of a "bright light region" may not coincide with the boundaries of the fixed-length fields, and simply taking the boundaries of the "bright light regions" as the boundaries of the fixed-length fields will inevitably produce errors.
As described above, the fixed-length message format reverse-engineering method based on the bright light effect provided by the invention first determines the field type of each fixed-length field in the fixed-length message, and so determines whether the fixed-length message is an ideal message or a non-ideal message. If the fixed-length message is an ideal message, the message format is reversed according to the first field boundary identification rule; if it is a non-ideal message, the message format is reversed according to the second field boundary identification rule.
On the basis of the above embodiment, the first field boundary identification rule specifically comprises:
S1021: obtain any two message segments $m_i$ and $m_j$ in the fixed-length message m;
S1022: define the values of the bytes at offset k in message segments $m_i$ and $m_j$ as $m_{ik}$ and $m_{jk}$ respectively, and repeatedly compare the values of $m_{ik}$ and $m_{jk}$ until the comparison result stabilizes, where k is not greater than the length of the fixed-length message m;
S1023: from the comparison results, determine the boundary sequence of the bright light regions in the fixed-length message m and take it as the boundary sequence of all fixed-length fields in the fixed-length message m, where a bright light region is a message interval made up of consecutive bytes whose values are equal in one comparison.
Specifically, as explained in the above embodiment, it follows from the definition of a synchronous field that the bright light probability of every byte in a synchronous field is equal and the bytes light up at the same time, so the "bright light effect" principle can be used to infer the field boundaries. Fig. 5 shows the bright light probability of an ideal message of length 14 made up of 4 fields. When the fields making up the message are synchronous fields, steps S1021 to S1023 can be summarized as: compare the messages pairwise and record the boundaries of the "bright light regions". When enough comparisons have been recorded, the boundary sequence of the "bright light regions" stabilizes, and it is then the boundary sequence of all fields in the message.
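The first field boundary identification rule (S1021 to S1023), together with the per-byte bright light probability defined earlier, as an added Python example that is not code from the patent. The field layout, the sample messages and the `patience` stopping criterion are constructed assumptions; the second data set shows the failure on an asynchronous field that the second rule is meant to handle.

```python
from itertools import combinations, product


def lit_regions(a, b):
    """Bright light regions of one comparison: maximal runs of offsets k
    with a[k] == b[k], returned as (start, end) pairs."""
    regions, start = [], None
    for k, (x, y) in enumerate(zip(a, b)):
        if x == y:
            if start is None:
                start = k
        elif start is not None:
            regions.append((start, k - 1))
            start = None
    if start is not None:
        regions.append((start, len(a) - 1))
    return regions


def infer_start_boundaries(messages, patience=500):
    """First rule: collect region boundaries over pairwise comparisons.

    Stops once `patience` consecutive comparisons add nothing new
    (the stopping criterion is an assumption of this example).
    """
    starts, quiet = {0}, 0          # b_s(1) = 0
    for a, b in combinations(messages, 2):
        before = len(starts)
        for s, e in lit_regions(a, b):
            starts.add(s)
            if e + 1 < len(a):
                starts.add(e + 1)   # b_e(i) + 1 = b_s(i + 1)
        quiet = quiet + 1 if len(starts) == before else 0
        if quiet >= patience:
            break
    return sorted(starts)


def lit_probability(messages):
    """Bright light probability of each offset over all message pairs."""
    pairs = list(combinations(messages, 2))
    return [sum(a[k] == b[k] for a, b in pairs) / len(pairs)
            for k in range(len(messages[0]))]


# Constructed layout: 4 synchronous fields, 14 bytes in total.
FIELD_LENGTHS = (2, 4, 1, 7)


def ideal_messages():
    """Every byte of a field depends on the field value v, so the bytes of
    a field change together (synchronous field)."""
    def field(index, length, v):
        return bytes((16 * index + 64 * v + p) % 256 for p in range(length))
    return [b"".join(field(i, n, v)
                     for i, (n, v) in enumerate(zip(FIELD_LENGTHS, values)))
            for values in product(range(3), repeat=len(FIELD_LENGTHS))]


def counter_messages():
    """Constructed non-ideal messages: a 2-byte big-endian counter (an
    asynchronous field) followed by a 1-byte field."""
    return [c.to_bytes(2, "big") + bytes([c % 2]) for c in range(0, 600, 7)]


if __name__ == "__main__":
    print(infer_start_boundaries(ideal_messages()))    # true starts 0, 2, 6, 7
    print(infer_start_boundaries(counter_messages()))  # offset 1 is spurious
```

On the counter data the high byte stays equal while the low byte differs, so a bright light region ends inside the field and offset 1 is reported as a boundary although the true field starts are 0 and 2.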
On the basis of the above embodiments, the second field boundary recognition rule specifically includes:
S1031: Determine the storage mode of the fixed-length fields in the fixed-length message m; the storage mode is either big-endian storage or little-endian storage;
Specifically, the storage mode of a field is the storage order of its high-order and low-order bytes. As with the storage of data in memory, the storage mode of a field falls into one of two kinds: big-endian storage mode and little-endian storage mode. In big-endian storage mode the high-order byte of the field is closer to the message head and the low-order byte is closer to the message tail. In little-endian storage mode the high-order byte of the field is closer to the message tail and the low-order byte is closer to the message head. Figure 6 shows how the value "0x12345678" is stored in the two modes.
Since the fixed-length fields composing a fixed-length message are usually asynchronous fields, the storage mode of the fields also affects message format reversal, so the big-endian and little-endian storage modes must be analyzed separately.
S1032: Count the number of value types of each byte in the fixed-length message m and, according to the statistics, determine the always-on regions and always-dark regions in the fixed-length message m. An always-on region is a message section composed of bytes whose value is unique in the fixed-length message m; an always-dark region is a message section composed of bytes whose number of value types is 256 in the fixed-length message m;
Specifically, an always-on region is a region of the fixed-length message whose value is unique; it appears as permanently lit in the "bright light effect", and the invention calls it an always-on region. Always-on regions fall into two kinds. The first is theoretically unique: the protocol specifies that the value of a certain field in the message is unique, so, leaving message errors aside, the value of that field is always unique. For example, the first four bytes of an SMB message are always "0xFF534D42", which forms the always-on region shown in Figure 7. The second is unique in practice: certain fields can take multiple values, but in the actual experimental data their value may be unique; in addition, because the high-order bytes of numeric fields take few values, the high-order value may also be unique when the experimental data is not abundant.
Always-on regions are fairly common in messages. They affect format reversal in two ways. On the one hand, the last lamp probability of the byte preceding an always-on region is 0 and the first lamp probability of the byte following it is 0, so it cannot be judged whether these two positions are field boundaries. On the other hand, the boundary of an always-on region is generally also a field boundary, and always-on regions are easy to identify.
An always-dark region arises when the number of value types of every byte in a region is 256: the bright light probability of each byte is then small, and the whole region appears as permanently dark in the "bright light effect"; the invention calls it an always-dark region. In Figure 8, the region starting at offset 4 with length 4 is the always-dark region of the DHCP message header; it is the Transaction ID field of DHCP.
Always-dark regions are fairly common in messages. They affect format reversal in two ways. On the one hand, the bright light probability of a "super numeric-type field" is small, and its first lamp probability and last lamp probability are also small. On the other hand, the boundary of an always-dark region is generally also a field boundary, and its feature is obvious and relatively easy to identify.
S1033: Divide the fixed-length message m into N message blocks according to the always-on regions and always-dark regions, N being a positive integer greater than 1;
Specifically, step S1032 counts the value types of each byte in the message; once the always-on regions and always-dark regions in the message have been identified, the message is divided into multiple message blocks using these regions, as shown in Figure 14. A message block of length 1 is treated as one field (step S1034). A message block of length greater than 1 is processed further (steps S1035 to S1037).
S1034: For message block n, if the length l of message block n is 1, take the message block n as one fixed-length field;
Specifically, besides taking each message block of length 1 as one fixed-length field, the following provisions are made in view of the particular nature of always-on regions and always-dark regions:
If an always-on region contains no fewer than three consecutive ASCII printable characters, the region is probably the identification field of some protocol, and the invention treats it as a single field. If the value of each byte in the always-on region is not 0 and there are no consecutive text characters, the invention treats each byte in the always-on region as one field. If, with a very abundant data volume, every byte of an always-on region is 0, the region is probably a reserved field of the message, and the invention treats it as one complete field. For example, the value of the first field of the SMB message header is "0xFF534D42", in which "0x534D42" corresponds to the ASCII text "SMB", as in Figure 12; the value of the second field of a BitTorrent message corresponds to the ASCII text "BitTorrent protocol", as in Figure 13.
An always-dark region is usually a numeric field or part of a numeric field. When the data volume is relatively abundant, the always-dark region always covers the entire field, so the invention treats an always-dark region as one complete field. As shown in Figure 14, for example, the first field of a DNS message is the "Transaction ID" field, whose length is 2. The invention filtered 260,000 DNS messages out of the DARPA data set. With 130,000 messages, the first byte of "Transaction ID" has 172 value types and the second byte has 256, i.e., the always-dark region covers only the low-order byte; when the number of messages increases to 260,000, the number of value types of the first byte also rises to 256.
S1035: If the length l of message block n is greater than 1, define message block n as comprising the message sequence n_1, ..., n_l, and compare the values n_ix and n_jx at offset x in any two sub-messages n_i and n_j of the message sequence. If the fixed-length fields in message block n are stored big-endian, count the first-lamp frequency f_x^s at offset x in the message block n and correct it according to the first preset correction rule. If the fixed-length fields in message block n are stored little-endian, count the last-lamp frequency f_x^e at offset x in the message block n and correct it according to the second preset correction rule. Here the first-lamp frequency is the number of times the byte at offset x is the start boundary of a bright light region, the last-lamp frequency is the number of times the byte at offset x is the end boundary of a bright light region, and a bright light region is a message section composed of consecutive bytes whose values are equal in one comparison; n = 1, 2, ..., N, 0 ≤ x ≤ l-1;
Specifically, since step S1034 already lays down how the field boundaries of always-on regions and always-dark regions are identified, this step does not compare the always-on regions and always-dark regions. An asynchronous field is a numeric field, and a numeric field has high-order and low-order bytes. The higher the order of a byte, the fewer value types it has and the more concentrated its values are, so its bright light probability is larger. When the fields composing the message are asynchronous fields, and assuming the message is big-endian, the relationship between the value types, the value uniformity and the bright light probability of each byte in the message is as shown in Figure 9. The bright light probability of a field decreases stepwise as the byte order decreases. Because the message may contain fields of length 1, and the bright light probability at the end boundary of one field may be larger than the bright light probability at the start boundary of the next field, this feature alone is not sufficient as a basis for field boundary recognition.
On the basis of this feature, another key concept of the invention is introduced: the first lamp probability. The following definitions are made first:
a. x denotes the byte at offset x in the message, with x ≥ 1.
b. L(x) denotes the event that x lights up, and its complement denotes the event that x does not light up; p(L(x)) denotes the bright light probability of x, and the probability of the complement is the probability that x does not light up.
c. SL(x) is defined as the event "x is the start boundary of some 'bright light region'".
On the basis of these definitions, the first lamp probability is the probability that, in any two messages of the same protocol, the byte at offset x is the start boundary of some "bright light region".
Let p(SL(x)) denote the first lamp probability of x; the first lamp probability of x equals the probability that x-1 does not light up and x lights up. It follows that the size of the first lamp probability depends on two factors. First, it depends on the size of p(L(x)): when p(L(x-1) | L(x)) is fixed, the larger p(L(x)) is, the larger p(SL(x)) is. Second, it depends on the size of p(L(x-1) | L(x)): when p(L(x)) is fixed, the smaller p(L(x-1) | L(x)) is, the larger p(SL(x)) is. The size of p(L(x-1) | L(x)) is analyzed in two cases:
Case one: x and x-1 belong to the same field. Since the bright light probability is smaller for lower-order bytes, if a lower-order byte lights up then the higher-order byte very probably lights up as well, so p(L(x-1) | L(x)) is usually large.
Case two: x is the start boundary of a field and x-1 is the end boundary of the previous field. Since x-1 and x belong to different fields, their correlation is weak, and the bright light probability of x-1 is small, so p(L(x-1) | L(x)) is usually small.
On the basis of Figure 9 and the above analysis, the invention infers the distribution of the first lamp probability shown in Figure 10. It can be seen that the first lamp probability sharpens at the start boundary of a field; the invention calls this the boundary sharpening feature of the first lamp probability. The start boundary of a field can be inferred using this feature.
The above analysis covers the case where the message is stored big-endian. When the message is stored little-endian, the last lamp probability is defined by analogy with the first lamp probability, as follows.
Last lamp probability: the probability that, in any two messages of the same protocol, the byte at offset x is the end boundary of some "bright light region".
EL(x) is defined as the event "x is the end boundary of some 'bright light region'"; p(EL(x)) is then the last lamp probability of x, i.e., the last lamp probability is the probability that x lights up and x+1 does not light up. By the same method used to analyze the relationship between the first lamp probability and the bright light probability, the relationship between the bright light probability and the last lamp probability is inferred to be as shown in Figure 11. Therefore, when the message is stored little-endian, the last lamp probability can be used as the feature for identifying the end boundary of a field.
S1036: Determine the maximum first-lamp frequency among all counted first-lamp frequencies, or the maximum last-lamp frequency among all counted last-lamp frequencies;
S1037: Taking the maximum first-lamp frequency or the maximum last-lamp frequency as the reference, obtain, according to the preset screening conditions, the offsets x that can serve as the start boundary or the end boundary of a field.
On the basis of the above embodiments, the first preset correction rule specifically includes: when the first correction condition is met, add 1 to the first-lamp frequency f_x^s at offset x. The first correction condition is: the byte at offset x is the start boundary of the message block and n_ix = n_jx; or the byte at offset x is not the start boundary of the message block, and n_i(x-1) ≠ n_j(x-1) and n_ix = n_jx hold simultaneously;
The second preset correction rule specifically includes: when the second correction condition is met, add 1 to the last-lamp frequency f_x^e at offset x. The second correction condition is: the byte at offset x is the end boundary of the message block and n_ix = n_jx; or the byte at offset x is not the end boundary of the message block, and n_ix = n_jx and n_i(x+1) ≠ n_j(x+1) hold simultaneously;
The preset screening conditions specifically include: when the first-lamp frequency satisfies inequality (1), the byte at offset x is taken as the start boundary of a fixed-length field;
When the last-lamp frequency satisfies inequality (2), the byte at offset x is taken as the end boundary of a fixed-length field;
When the first-lamp frequency and the last-lamp frequency both satisfy the above conditions, the two are compared, and according to the result the byte at offset x is taken either as the start boundary or as the end boundary of a fixed-length field in the fixed-length message m, where β is a preset threshold.
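The statistics of steps S1032 to S1035, including the S1034 provisions for always-on regions and both correction rules, can be sketched as follows; this is an added example, not code from the patent, and it counts equal values with a Counter instead of comparing every pair, which gives the same totals. The function names and the toy message layout are assumptions, and the screening of S1036 and S1037 is left out because inequalities (1) and (2) are not reproduced on this page.

```python
from collections import Counter
from math import comb


def value_type_counts(msgs, length):
    """S1032: number of distinct values observed at each byte offset."""
    return [len({m[x] for m in msgs}) for x in range(length)]


def segment(msgs, length):
    """S1032-S1033: split the fixed-length section into always-on runs (one
    value), always-dark runs (256 values) and the message blocks in between.
    Returns (kind, start, length) tuples in offset order."""
    runs = []
    for x, n in enumerate(value_type_counts(msgs, length)):
        kind = "always_on" if n == 1 else "always_dark" if n == 256 else "block"
        if runs and runs[-1][0] == kind:
            runs[-1][2] += 1
        else:
            runs.append([kind, x, 1])
    return [tuple(r) for r in runs]


def always_on_fields(msgs, start, length):
    """S1034 provisions for an always-on region, as (start, length) fields."""
    region = msgs[0][start:start + length]
    run = longest = 0
    for b in region:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        longest = max(longest, run)
    if longest >= 3 or not any(region):  # identifier text, or all-zero reserved field
        return [(start, length)]
    # Otherwise one field per byte. Regions mixing zero and non-zero bytes are
    # not covered by the text; treating them byte-wise is an assumption.
    return [(start + i, 1) for i in range(length)]


def equal_pairs(msgs, lo, hi):
    """Unordered message pairs whose bytes lo..hi-1 are all equal."""
    return sum(comb(c, 2) for c in Counter(m[lo:hi] for m in msgs).values())


def lamp_frequencies(msgs, start, length):
    """S1035 with both correction rules, for one message block.
    first[x]: pairs equal at x and (x is the block start or unequal at x-1).
    last[x]:  pairs equal at x and (x is the block end or unequal at x+1).
    "Equal at x, unequal at x-1" is counted as equal(x) - equal(x-1..x)."""
    end = start + length - 1
    first, last = {}, {}
    for x in range(start, end + 1):
        lit = equal_pairs(msgs, x, x + 1)
        first[x] = lit if x == start else lit - equal_pairs(msgs, x - 1, x + 1)
        last[x] = lit if x == end else lit - equal_pairs(msgs, x, x + 2)
    return first, last


def toy_messages(count=1024):
    """Constructed sample: 4-byte identifier, two big-endian 16-bit numeric
    fields, then a 16-bit transaction ID whose bytes take all 256 values."""
    msgs = []
    for i in range(count):
        a = ((i * 7) % 50) * 10
        b = ((i * 11) % 40) * 13
        tid = (i * 193) & 0xFFFF
        msgs.append(b"\xffTOY" + a.to_bytes(2, "big") + b.to_bytes(2, "big")
                    + tid.to_bytes(2, "big"))
    return msgs


if __name__ == "__main__":
    msgs = toy_messages()
    for kind, start, length in segment(msgs, 10):
        print(kind, start, length)
        if kind == "block" and length > 1:
            first, last = lamp_frequencies(msgs, start, length)
            print("  first-lamp:", first)
            print("  last-lamp: ", last)
```

On the constructed data the first-lamp frequency is large at offsets 4 and 6, the starts of the two big-endian fields, and zero at offsets 5 and 7, which is the boundary sharpening the description relies on.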
The validity of the fixed-length message format reversal method based on the bright light effect provided by the invention is verified below through specific experiments.
1. Experimental data and parameters
The experimental data of this chapter were obtained mainly by filtering and deduplicating the Darpa data set, campus network data, telecom operator data, and data captured with Wireshark on a single machine.
The experimental data of this section are DNS messages and SMB messages. Both are mixed-type messages whose head is a fixed-length section; the invention extracts the fixed-length section for the experiments. The experimental data are described in Table 3. The experimental parameter is the frequency selection parameter β, which the invention sets to β=15 based on experience.
Table 3. Description of the experimental data for fixed-length message format reversal

| Number | Protocol name | Fixed-length section length | Data volume | Message count |
| --- | --- | --- | --- | --- |
| 1 | DNS | 12 | 40.9MB | 266337 |
| 2 | SMB | 32 | 13.7MB | 72739 |
2. Analysis of experimental results
2.1 DNS message
The DNS message header is a fixed-length section of length 12 containing 6 fixed-length fields. The length, position and other information of each field are shown in Table 4. The value types of each byte in the fixed-length section were counted; the results are shown in Table 10. As can be seen from Table 5, the fixed-length section contains one always-dark region and four always-on regions. The always-dark region has start boundary 0 and length 2 and is judged to be one field, which is correct. The start boundaries and lengths of the always-on regions are shown in Table 6; according to the judgment criteria, each of these four always-on regions is taken as an individual field, but this judgment is wrong. The reason for the error is that the four always-on regions correspond to the high-order bytes of the fields numbered 3 to 6. The values of these fields determine the number of entries in the parameter section. For example, when the value of the Questions field is 2, there are 2 corresponding Questions parameters. Assuming the length of each parameter is 10, if the high-order byte of one of these fields were not 0, the length of the DNS message would have to be at least 256*10+12=2572. Actual DNS messages are at most a few hundred bytes long, so the value of the high-order byte is always 0. The message is divided into blocks using the always-on regions and the always-dark region, and each message block of length 1 is taken as one field; the resulting DNS message blocks are shown in Table 7. The first-lamp frequency and last-lamp frequency of each byte in the message blocks of length greater than 1 were counted; the results are shown in Table 8.
Table 4. Information on the fixed-length fields in the DNS message

| Number | Title | Start offset | Length |
| --- | --- | --- | --- |
| 1 | Transaction ID | 0 | 2 |
| 2 | Flags | 2 | 2 |
| 3 | Questions | 4 | 2 |
| 4 | Answer RRs | 6 | 2 |
| 5 | Authority RRs | 8 | 2 |
| 6 | Additional RRs | 10 | 2 |

Table 5. Value type distribution of the DNS message header

| Message offset | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value types | 256 | 256 | 8 | 8 | 1 | 2 | 1 | 3 | 1 | 2 | 1 | 3 |

Table 6. Always-on regions in the DNS message

| Start boundary | 4 | 6 | 8 | 10 |
| --- | --- | --- | --- | --- |
| Length | 1 | 1 | 1 | 1 |

Table 7. Start boundary and length of the DNS message blocks

| Number | 1 | 2 | 3 | 4 | 5 |
| --- | --- | --- | --- | --- | --- |
| Start boundary | 2 | 5 | 7 | 9 | 11 |
| Length | 2 | 1 | 1 | 1 | 1 |

Table 8. First-lamp frequency and last-lamp frequency of each byte in the DNS message block

| Message offset | 2 | 3 |
| --- | --- | --- |
| First-lamp frequency | 735756888 | 108146724 |
| Last-lamp frequency | 3070741 | 816345523 |
Based on the values in Table 8, offset 2 is selected as the start boundary and offset 3 as the end boundary, i.e., the message block contains only one field, and this judgment is correct. The boundary sharpening phenomenon is not pronounced here, because the Flags field is composed of multiple bitwise flags, and there is no high-order/low-order distinction between the individual flags.
2.2 SMB message
The SMB message header is a fixed-length section of 32 bytes containing 14 fields; the information on each field is shown in Table 9. The always-on region and always-dark regions divide the message into two message blocks, as shown in Table 10.
The value types of each byte in the fixed-length section were counted; the result is shown in Figure 16. As can be seen from Figure 16, the fixed-length section of the SMB message contains one always-on region and two always-dark regions. The value of the always-on region contains the consecutive ASCII text characters "SMB", so it is taken as one complete field; the two always-dark regions correspond to the Signature field and the Multiplex ID field of the message. The judgments on the always-on region and the always-dark regions are correct.
The first-lamp frequency and last-lamp frequency of each byte in the two message blocks were counted and the values derived from them calculated; the results are shown in Table 11. The items in bold in Table 11 are the maximum first-lamp frequency and the maximum last-lamp frequency. The start boundary sequence and end boundary sequence of the fields obtained according to the screening conditions are shown in Table 12. After the end boundaries are converted into start boundaries, the inferred start boundary sequence and the actual start boundary sequence are as shown in Table 13.
Table 9. Information on the fixed-length fields in the SMB message

Table 10. Start boundary and length of the SMB message blocks

| Number | 1 | 2 |
| --- | --- | --- |
| Start boundary | 4 | 22 |
| Length | 10 | 8 |

Table 11. Experimental results for the SMB message blocks

Table 12. Boundary sequences obtained according to the screening conditions

| Sequence | Offsets |
| --- | --- |
| Start boundary sequence | 4, 5, 6, 10, 11, 12, 22, 28 |
| End boundary sequence | 7, 8, 9, 13, 23, 25, 29 |

Table 13. Actual sequence and experimental sequence

| Sequence | Offsets |
| --- | --- |
| Actual sequence | 4, 5, 6, 7, 9, 10, 12, 22, 24, 26, 28 |
| Experimental sequence | 4, 5, 6, 8, 9, 10, 11, 12, 22, 24, 26, 28 |
As shown in Table 13, the experimental result differs from the actual sequence in two places (shown in bold). First, the fourth start boundary is identified incorrectly. Second, the experimental result contains an extra start boundary at 11. The latter corresponds to the Flags2 field, which is composed of multiple bitwise flags with no high-order/low-order distinction between them, so the boundary sharpening is not pronounced. Although the Flags2 field is split into two fields of length 1, this does not actually affect subsequent message parsing.
3. Experimental summary
The invention carried out format reversal experiments on DNS messages and SMB messages and analyzed the results; the experimental results demonstrate the correctness of the fixed-length message format reversal method based on the bright light effect.
Finally, it should be noted that the above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (5)

1. A fixed-length message format reversal method based on the bright light effect, characterized by comprising:
Step 1: judging the field types of all fixed-length fields in a fixed-length message m, the field types including synchronization field and asynchronous field;
Step 2: if all fixed-length fields in the fixed-length message m are synchronization fields, determining the field boundary sequence of each fixed-length field of the fixed-length message according to a first field boundary recognition rule;
Step 3: if the fixed-length fields in the fixed-length message m include an asynchronous field, determining the field boundary sequence of each fixed-length field of the fixed-length message according to a second field boundary recognition rule.
2. The method according to claim 1, characterized in that the first field boundary recognition rule specifically includes:
Step 21: obtaining any two message segments m_i and m_j of the fixed-length message m;
Step 22: letting m_ik and m_jk denote the values of the bytes at offset k in message segments m_i and m_j respectively, and repeatedly comparing m_ik and m_jk until the comparison result stabilizes, k being not greater than the length of the fixed-length message m;
Step 23: according to the comparison results, determining the boundary sequence of the bright light regions in the fixed-length message m, and taking the boundary sequence of the bright light regions as the boundary sequence of all fixed-length fields in the fixed-length message m, a bright light region being a message section composed of consecutive bytes whose values are equal in one comparison.
3. The method according to claim 1, characterized in that the second field boundary recognition rule specifically includes:
Step 31: determining the storage mode of the fixed-length fields in the fixed-length message m, the storage mode including big-endian storage and little-endian storage;
Step 32: counting the number of value types of each byte in the fixed-length message m, and determining the always-on regions and always-dark regions in the fixed-length message m according to the statistics, an always-on region being a message section composed of bytes whose value is unique in the fixed-length message m, and an always-dark region being a message section composed of bytes whose number of value types is 256 in the fixed-length message m;
Step 33: dividing the fixed-length message m into N message blocks according to the always-on regions and always-dark regions, N being a positive integer greater than 1;
Step 34: for message block n, if the length l of message block n is 1, taking the message block n as one fixed-length field;
Step 35: if the length l of message block n is greater than 1, defining message block n as comprising the message sequence n_1, ..., n_l, and comparing the values n_ix and n_jx at offset x in any two sub-messages n_i and n_j of the message sequence;
if the fixed-length fields in message block n are stored big-endian, counting the first-lamp frequency f_x^s at offset x in the message block n, and correcting the first-lamp frequency f_x^s at offset x according to a first preset correction rule;
if the fixed-length fields in message block n are stored little-endian, counting the last-lamp frequency f_x^e at offset x in the message block n, and correcting the last-lamp frequency f_x^e at offset x according to a second preset correction rule;
wherein the first-lamp frequency is the number of times the byte at offset x is the start boundary of a bright light region, the last-lamp frequency is the number of times the byte at offset x is the end boundary of a bright light region, and a bright light region is a message section composed of consecutive bytes whose values are equal in one comparison, n = 1, 2, ..., N, 0 ≤ x ≤ l-1;
Step 36: determining the maximum first-lamp frequency among all counted first-lamp frequencies, or the maximum last-lamp frequency among all counted last-lamp frequencies;
Step 37: taking the maximum first-lamp frequency or the maximum last-lamp frequency as the reference, obtaining, according to preset screening conditions, the offsets x that can serve as the start boundary or the end boundary of a field.
4. The method according to claim 3, characterized in that the first preset correction rule specifically includes: when a first correction condition is met, adding 1 to the first-lamp frequency f_x^s at offset x;
the first correction condition includes:
the byte at offset x is the start boundary of the message block and n_ix = n_jx; or
the byte at offset x is not the start boundary of the message block, and n_i(x-1) ≠ n_j(x-1) and n_ix = n_jx hold simultaneously;
the second preset correction rule specifically includes: when a second correction condition is met, adding 1 to the last-lamp frequency f_x^e at offset x;
the second correction condition includes:
the byte at offset x is the end boundary of the message block and n_ix = n_jx; or
the byte at offset x is not the end boundary of the message block, and n_ix = n_jx and n_i(x+1) ≠ n_j(x+1) hold simultaneously.
5. The method according to claim 3, characterized in that the preset screening conditions specifically include:
when the first-lamp frequency satisfies inequality (1), taking the byte at offset x as the start boundary of a fixed-length field;
when the last-lamp frequency satisfies inequality (2), taking the byte at offset x as the end boundary of a fixed-length field;
when the first-lamp frequency and the last-lamp frequency both satisfy the above conditions, comparing the two and, according to the result, taking the byte at offset x either as the start boundary or as the end boundary of a fixed-length field in the fixed-length message m, wherein β is a preset threshold.
CN201811268875.4A 2018-10-29 2018-10-29 Fixed-length message format reversing method based on lighting effect Active CN109547414B (en)

Publications (2)

Publication Number Publication Date
CN109547414A true CN109547414A (en) 2019-03-29
CN109547414B CN109547414B (en) 2021-04-20

Family

ID=65845836

Country Status (1)

Country Link
CN (1) CN109547414B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant