CN101577644A - Peer-to-peer network application traffic identification method - Google Patents

Publication number
CN101577644A
Authority
CN
China
Legal status
Granted
Application number
CNA2009100627303A
Other languages
Chinese (zh)
Other versions
CN101577644B (en)
Inventor
胡征兵
陈宏伟
叶志伟
Current Assignee
Huazhong Normal University
Original Assignee
Huazhong Normal University
Application filed by Huazhong Normal University
Priority to CN2009100627303A
Publication of CN101577644A
Application granted
Publication of CN101577644B
Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a peer-to-peer (P2P) network application traffic identification method and relates to the application of computer peer-to-peer networks. The method is mainly applied in an open network environment. It combines deep packet inspection and deep flow inspection to identify the growing volume of peer-to-peer application traffic: deep packet inspection compares the collected network traffic data with the feature codes in a feature library to determine whether the traffic includes peer-to-peer application traffic; deep flow inspection then makes the same determination from the symmetry of the upstream and downstream traffic and from the number of connections between a peer node and other peer nodes. The method effectively expands the range of peer-to-peer application traffic that can be identified and improves identification accuracy, thereby supporting the healthy, standardized and orderly development of peer-to-peer applications.

Description

A peer-to-peer network application traffic identification method
Technical field
The present invention relates to applications of computer networks, in particular applications of computer peer-to-peer networks. It is an interdisciplinary application of computer networking, distributed computing and pattern recognition, and is mainly used to identify whether a network flow belongs to peer-to-peer application traffic.
Background
A peer-to-peer network (Peer-to-Peer, abbreviated P2P) is a network architecture concept in which the overall structure has no central node (or central server). It can make full use of the resources at the edge of the Internet, i.e. users' computing power, storage capacity and bandwidth, and even the contents of their hard disks. As a technology with increasingly broad application value, peer-to-peer networking will have an immeasurable influence on the future communication characteristics of the Internet. Peer-to-peer technology is widely used in download applications, streaming media, instant messaging and voice applications. Peer-to-peer traffic exhibits upstream/downstream symmetry and growth in long-distance and cross-domain traffic, which has greatly changed traditional Internet traffic patterns. On the one hand, the rapid development of peer-to-peer applications has enriched the forms of application on the network; on the other hand, it has also brought many negative effects:
Peer-to-peer applications affect the operation and management of computer networks in the following ways: (1) Severe bandwidth consumption, with steadily increasing pressure. Peer-to-peer applications have become the class of application with the largest traffic on the Internet, occupying 60% to 80% of network bandwidth. (2) Loss of voice and core business. Voice services in peer-to-peer applications strongly affect operators' core business; their call quality can match the service quality of mainstream traditional telephone providers. (3) Impact on value-added services. Most peer-to-peer applications are currently offered free of charge, and their service quality approaches that of the revenue-generating killer applications that operators plan to promote next.
Peer-to-peer technology has also raised some entirely new security problems, such as: (1) National information security: anti-government speech and pornographic content currently spread unchecked over peer-to-peer applications. (2) Corporate intellectual property: legitimate users can use peer-to-peer application software to send data out of a company's internal network, which poses a serious threat to enterprises. (3) System security: peer-to-peer file sharing has no central file store, so centralized control and manageability of shared files decline. Large numbers of unauthorized and pirated files are exchanged between ordinary users, which provides a hotbed for viruses, network attacks and malware to spread between clients and creates a major hidden danger for network security operations.
While peer-to-peer applications bring prosperity to network development, they also bring conflicts and challenges. Accurately identifying peer-to-peer application traffic in the network helps make rational use of Internet infrastructure and resolve the bandwidth congestion caused by that traffic; it helps users' key services and guarantees quality of service for users; and it helps prevent the spread of illegal content in peer-to-peer applications, ensuring their healthy, standardized and orderly development and building a harmonious and healthy network environment.
Traditional traffic detection is port-based, whereas many peer-to-peer applications are evolving to avoid detection by traffic detection equipment as far as possible. Specifically: (1) Dynamically selected and variable ports. Dynamic port selection generally uses random ports or port hopping. Variable ports means that a default port is preset but the user is allowed to change it. (2) Masquerading as other traffic. The application transmits its traffic over port 80 and also formats its messages to imitate web (hypertext) traffic. (3) Encrypting application-layer data. Part of each message is encrypted, which makes detecting the traffic exceptionally difficult. (4) Using anonymous peer-to-peer technology. Anonymous communication is one means of information hiding; its purpose is to prevent traffic analysis as far as possible, and it requires one or more proxies. A large number of nodes in a peer-to-peer application can act as proxies, which favours anonymous communication (anonymous peer-to-peer applications) within peer-to-peer applications. Traditional detection methods misidentify the traffic of many peer-to-peer applications and are not suitable for network environments that carry large volumes of peer-to-peer application traffic.
Current peer-to-peer traffic detection mainly uses deep packet inspection and deep flow inspection; each has strengths and weaknesses. Deep packet inspection is easy to understand, convenient to upgrade and simple to maintain, and is currently the most widely used peer-to-peer traffic identification method. It extends traditional traffic detection "in depth": besides obtaining basic packet information, it scans the application-layer protocol headers and protocol payloads of multiple related packets to obtain the feature information carried at the application layer, so that network traffic can be finely inspected, monitored and analysed.
Deep flow inspection focuses on the general characteristics of network flows. It infers the service type and service state only by analysing parameters of the traffic such as flow state, network-layer and transport-layer information, flow duration, average flow rate and byte-length distribution. Compared with traditional Internet traffic, peer-to-peer application flows show the following characteristics: high transfer rates; large data volumes; long online times; symmetric upstream and downstream traffic; and widely distributed service points.
In the current state of peer-to-peer traffic identification technology, deep packet inspection based on application data analysis has been the main method, because it is accurate, robust and able to classify traffic, and because past peer-to-peer applications were mostly unencrypted. However, deep packet inspection also faces problems such as how to improve the performance of the detection algorithm, how to support analysis of encrypted data, and how to update the peer-to-peer application feature library. Likewise, although deep flow inspection based on traffic characteristics has high performance and good scalability, its poor accuracy causes many difficulties in practice. In addition, existing methods are all based on offline data analysis and lack the ability to identify peer-to-peer traffic in real time. In essence, detection based on traffic characteristics is a heuristic method, while deep data analysis is an exact-matching method. If the advantages of the two can be combined, it may be possible to design an accurate and efficient real-time identification algorithm for peer-to-peer application traffic. How to build corresponding analysis models for rapidly evolving peer-to-peer applications from their invariant transmission characteristics, and to propose new theoretical frameworks, is now a more challenging problem.
Summary of the invention
The objective of the invention is to provide a peer-to-peer network application traffic identification method. The method inspects the collected network traffic data with a combination of deep packet inspection and deep flow inspection: deep packet inspection compares the collected network traffic data with the feature codes in the feature library to determine whether the traffic includes peer-to-peer application traffic; deep flow inspection then makes the same determination from the symmetry of the upstream and downstream traffic and from the number of connections between a peer node and other peer nodes. The advantages of the invention are that it effectively expands the range of peer-to-peer application traffic that can be identified and improves the accuracy of identifying it.
To achieve this objective, the invention adopts the following technical scheme:
A peer-to-peer network application traffic identification method, comprising the following steps:
1) Obtain, from open-source code and online articles, the feature codes that peer-to-peer application tools carry in the protocol headers and protocol payloads at the application layer. Each feature code serves as one item of feature information in the peer-to-peer application packet-identification feature library, and all collected feature codes together constitute that library;
2) Monitor and collect the network traffic data of the local area network, and send the collected data to the deep packet inspection module and the deep flow inspection module simultaneously;
3) The deep packet inspection module scans the application-layer protocol headers and protocol payloads of the received network traffic data. If a data segment in the traffic matches a feature code in the feature library, the traffic is considered to include peer-to-peer application traffic; the node sending and receiving this data segment is located, and that node is judged to have used a peer-to-peer application tool. Otherwise, the decision is passed to step 4);
4) The deep flow inspection module applies deep flow inspection: if, in the collected network traffic data, the ratio of a node's upstream traffic to its downstream traffic is between 0.9 and 1.1 and the node is connected to more than 15 nodes, the node is judged to have used a peer-to-peer application tool; otherwise the node is judged not to have used one.
The peer-to-peer application packet-identification feature library is an open database: feature information is added continually as the number of peer-to-peer application tools grows, so that the library covers current peer-to-peer application tools as far as possible.
The beneficial effects of the invention are:
1. It effectively expands the range of peer-to-peer application traffic that can be identified, which makes monitoring of peer-to-peer application traffic possible. Because the invention has deep packet inspection and deep flow inspection work together, it not only improves the accuracy of identifying peer-to-peer application traffic but can also effectively identify some unknown, new and encrypted peer-to-peer applications.
2. It supports the healthy, standardized and orderly development of peer-to-peer applications. Accurately monitoring peer-to-peer application traffic in the network helps make rational use of Internet infrastructure and resolve the bandwidth congestion caused by that traffic; it helps users' key services and helps build a harmonious and healthy network environment.
3. It provides a powerful tool for managing peer-to-peer applications. As broadband technology spreads and the number of broadband users grows, peer-to-peer applications, a class of protocols and application technology characterized by consuming large amounts of bandwidth, have become widely used and have also made network management more difficult. Effective identification of peer-to-peer application traffic is the basis of network management, so the invention can be widely used across many industry sectors.
Embodiment:
The invention is further explained and described below.
A peer-to-peer network application traffic identification method, comprising the following steps:
1) Obtain, from open-source code and online articles, the feature codes that peer-to-peer application tools carry in the protocol headers and protocol payloads at the application layer. Each feature code serves as one item of feature information in the peer-to-peer application packet-identification feature library, and all collected feature codes together constitute that library;
Each peer-to-peer application has its own interaction protocol, and the protocol headers and protocol payloads of these protocols carry characteristic strings. For example, the P2P protocol eDonkey2000 carries the strings 0xe319010000 and 0xc53f010000, which the present invention calls "feature codes". Likewise, the P2P protocol Fasttrack carries the feature codes "Get/.hash" and 0x270000002980, the P2P protocol BitTorrent carries the feature code "0x13BittorrenProtocol", and the P2P protocol Gnutella carries the feature codes "GNUT", "GIV" and "GND". The interaction protocols of the various peer-to-peer applications and their feature codes can be obtained from sources such as open-source code and online articles. Each feature code serves as one item of feature information in the peer-to-peer application packet-identification feature library, and all collected feature codes together constitute that library. Therefore, once these feature codes are detected in network traffic, the traffic can essentially be determined to be peer-to-peer traffic. Because the number of peer-to-peer application tools keeps growing, the library must keep adding the corresponding feature codes so that its feature information covers current peer-to-peer application tools as far as possible;
2) Monitor and collect the network traffic data of the local area network, and send the collected data to the deep packet inspection module and the deep flow inspection module simultaneously;
The deep packet inspection module is computer software that implements the function of step 3);
The deep flow inspection module is computer software that implements the function of step 4);
3) The deep packet inspection module scans the application-layer protocol headers and protocol payloads of the received network traffic data. If a data segment in the traffic matches a feature code in the feature library, the traffic is considered to include peer-to-peer application traffic; the node sending and receiving this data segment is located, and that node is judged to have used a peer-to-peer application tool. Otherwise, the decision is passed to step 4);
A feature code is considered matched when the string of a data segment in the network traffic is identical to one of the feature codes in the peer-to-peer application packet-identification feature library.
4) The deep flow inspection module applies deep flow inspection: if, in the collected network traffic data, the ratio of a node's upstream traffic to its downstream traffic is between 0.9 and 1.1 and the node is connected to more than 15 nodes, the node is judged to have used a peer-to-peer application tool; otherwise the node is judged not to have used one.
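
The decision logic of steps 3) and 4), as an added Python example that is not part of the patent text. The `Packet` record, the function names, the LAN prefix and the sample packets are constructed for illustration; feature codes are matched at the start of the payload, and the connection threshold is read as more than 15 nodes.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Feature library: a subset of the feature codes listed in the description.
SIGNATURES = {
    "eDonkey2000": [bytes.fromhex("e319010000"), bytes.fromhex("c53f010000")],
    "FastTrack": [bytes.fromhex("270000002980")],
    # Written on the page as "0x13BittorrenProtocol"; on the wire the handshake
    # is the byte 0x13 followed by the ASCII text "BitTorrent protocol".
    "BitTorrent": [b"\x13BitTorrent protocol"],
    "Gnutella": [b"GNUT", b"GIV", b"GND"],
}
RATIO_LOW, RATIO_HIGH = 0.9, 1.1   # step 4 symmetry window (inclusive here)
MIN_PEERS = 15                     # step 4: connected to more than 15 nodes


@dataclass(frozen=True)
class Packet:          # hypothetical record type for this example
    src: str
    dst: str
    size: int          # bytes on the wire
    payload: bytes     # application-layer bytes


def dpi_match(payload):
    """Step 3: return the protocol whose feature code starts the payload."""
    # Assumption of this example: codes are anchored at the payload start, so
    # that 3-byte codes such as "GND" do not match arbitrary binary data.
    for proto, codes in SIGNATURES.items():
        if any(payload.startswith(code) for code in codes):
            return proto
    return None


def classify(packets, lan="10.0.0.0/24"):
    """Return {lan_node: (uses_p2p, reason)} following steps 3 and 4."""
    lan_net = ipaddress.ip_network(lan)
    up, down = defaultdict(int), defaultdict(int)
    peers, dpi_hit = defaultdict(set), {}
    for p in packets:
        proto = dpi_match(p.payload)
        for node, other, volume in ((p.src, p.dst, up), (p.dst, p.src, down)):
            if ipaddress.ip_address(node) not in lan_net:
                continue                      # only LAN nodes get a verdict
            volume[node] += p.size
            peers[node].add(other)
            if proto:
                dpi_hit.setdefault(node, proto)
    verdicts = {}
    for node in sorted(peers):
        if node in dpi_hit:                   # decided by step 3
            verdicts[node] = (True, "dpi:" + dpi_hit[node])
            continue
        # Step 4. A node with no downstream bytes has no defined ratio.
        symmetric = down[node] > 0 and RATIO_LOW <= up[node] / down[node] <= RATIO_HIGH
        flagged = symmetric and len(peers[node]) > MIN_PEERS
        verdicts[node] = (flagged, "dfi" if flagged else "none")
    return verdicts


def sample_traffic():
    """Constructed packets for four LAN hosts (not captured data)."""
    pkts = [Packet("10.0.0.5", "203.0.113.7", 68,
                   b"\x13BitTorrent protocol" + bytes(48))]
    opaque = b"\x8f\x02\x5a\xc1"   # stands in for encrypted payload bytes
    for i in range(16):            # 10.0.0.6: 16 peers, near-symmetric volume
        peer = f"198.51.100.{i + 1}"
        pkts += [Packet("10.0.0.6", peer, 1000, opaque),
                 Packet(peer, "10.0.0.6", 1020, opaque)]
    for i in range(15):            # 10.0.0.8: symmetric, but exactly 15 peers
        peer = f"192.0.2.{i + 1}"
        pkts += [Packet("10.0.0.8", peer, 1000, opaque),
                 Packet(peer, "10.0.0.8", 1000, opaque)]
    for i in range(3):             # 10.0.0.7: download-heavy web client
        peer = f"203.0.113.{i + 20}"
        pkts += [Packet("10.0.0.7", peer, 200, b"GET / HTTP/1.1\r\n"),
                 Packet(peer, "10.0.0.7", 5000, b"HTTP/1.1 200 OK\r\n")]
    return pkts


if __name__ == "__main__":
    for node, verdict in classify(sample_traffic()).items():
        print(node, verdict)
```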

Claims (1)

1. A peer-to-peer network application traffic identification method, characterized in that the method comprises the following steps:
1) Obtain, from open-source code and online articles, the feature codes that peer-to-peer application tools carry in the protocol headers and protocol payloads at the application layer. Each feature code serves as one item of feature information in the peer-to-peer application packet-identification feature library, and all collected feature codes together constitute that library;
2) Monitor and collect the network traffic data of the local area network, and send the collected data to the deep packet inspection module and the deep flow inspection module simultaneously;
3) The deep packet inspection module scans the application-layer protocol headers and protocol payloads of the received network traffic data. If a data segment in the traffic matches a feature code in the feature library, the traffic is considered to include peer-to-peer application traffic; the node sending and receiving this data segment is located, and that node is judged to have used a peer-to-peer application tool. Otherwise, the decision is passed to step 4);
4) The deep flow inspection module applies deep flow inspection: if, in the collected network traffic data, the ratio of a node's upstream traffic to its downstream traffic is between 0.9 and 1.1 and the node is connected to more than 15 nodes, the node is judged to have used a peer-to-peer application tool; otherwise the node is judged not to have used one.
CN2009100627303A 2009-06-16 2009-06-16 Peer-to-peer network application traffic identification method Expired - Fee Related CN101577644B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100627303A CN101577644B (en) 2009-06-16 2009-06-16 Peer-to-peer network application traffic identification method

Publications (2)

Publication Number Publication Date
CN101577644A CN101577644A (en) 2009-11-11
CN101577644B CN101577644B (en) 2011-06-01

Family

ID=41272438

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100627303A Expired - Fee Related CN101577644B (en) 2009-06-16 2009-06-16 Peer-to-peer network application traffic identification method

Country Status (1)

Country Link
CN (1) CN101577644B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110601

Termination date: 20170616
