CN101605067A - Network behavior active analysis diagnostic method - Google Patents
Network behavior active analysis diagnostic method Download PDFInfo
- Publication number
- CN101605067A CN101605067A CNA2009100315119A CN200910031511A CN101605067A CN 101605067 A CN101605067 A CN 101605067A CN A2009100315119 A CNA2009100315119 A CN A2009100315119A CN 200910031511 A CN200910031511 A CN 200910031511A CN 101605067 A CN101605067 A CN 101605067A
- Authority
- CN
- China
- Prior art keywords
- analysis
- message
- feature
- protocol
- agreement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention provides a kind of network behavior active analysis diagnostic method, at first, the message Preliminary detection is mated message and known protocol storehouse, rejects known protocol massages; Then, unknown message protocol analysis: to the message of the unknown, designated port, Ip, period information are extracted the automatic analysis process of agreement with message and are analyzed; At last, analysis result output, the automatic protocol analysis process carries out the establishment of DPI and DFI model to specifying message, and analysis result is exported.Can carry out analysis and judgement to the agreement of the unknown based on the inventive method, being combined on the prior protocols analytical model is useful replenishing, can carry out the active analysis diagnosis to network condition and emerging network application and other network behaviors of user's interest of burst, avoid the hysteresis quality of passive tracking.
Description
Technical field
The present invention relates to a kind of network behavior active analysis diagnostic method, be applicable to open network application scene.
Background technology
Present procotol recognition technology has mostly broken away from traditional " five-tuple " coupling, is based upon on the analysis foundation of application layer content.And application is the most general in the application layer analysis, is exactly these two kinds of technology of DPI (DeepPacket Inspection, deep-packet detection) and DFI (Deep Flow Inspection, deep stream detects).
The DPI technology is on the basis of analyzing packet header, increased analysis to application layer, be a kind of flow detection and recognition technology based on the application layer message, when the network data newspaper is flowed through utilization DPI equipment, equipment splits according to 7 layer protocols automatically, and take different processing methods according to different agreements in application layer, except general analysis, the part agreement needs the DPI equipment self to safeguard that the protocol state machine of simplifying uses identification and flow detection.According to this thinking, the DPI technology is divided into two classes:
The one, the recognition technology of feature string: different agreements is suitable for different interactive modes, these modes generally all have its characteristic, the specific port of the general use of early stage agreement, the part agreement is also used the interactive mode of fixing command word or oneself regulation, and these can find characteristic of correspondence in the data communication message.Based on the recognition technology of feature string, basic thought is based upon based on these features, seeks the corresponding relation of handling message and feature, uses the purpose of controlling thereby reach identification.
Two are based on the mutual recognition technology of application: a part of agreement has been used the mode of control channel and data channel combination, and promptly data message separates with the control message, at this time just control message and data message need be combined the relation that just can find correspondence.Have some simply not find corresponding relation from one or two message, but can find some features from data mutual, such as length, the fixedly variation of corresponding relation etc. also can be discerned.
DFI is a kind of based on application type Feature Recognition technology, and different being applied in embodies different features on the network behavior.For example, general p2p has data message length longer, and Session Time is long, features such as frequency height.DFI analyzes the message length of data flow by setting up the application characteristic model, and the relations such as temporal frequency feature of transmission rate, bag transmission are searched.By with relatively judging of DFI model be what application.
At present similar amalgamation gateway product mostly has the control and the analytic function of network behavior, has all used the technology of DFI and DPI, can analyze hundreds of application and controls.Product also all compares number of protocols when competition as a crucial index.But this method has a defective, is exactly that this mode depends on passive image data and analyzes, and the method for this passive type has a significant defective: no matter carry out upgrade maintenance in which way, always have hysteresis quality.Current new network application emerges in an endless stream, and passive maintaining method can't the fast adaptation current demand, so need be based upon the protocal analysis technology on the active mode.
Summary of the invention
The objective of the invention is to overcome the deficiency that prior art exists, a kind of network behavior active analysis diagnostic method is provided.
Purpose of the present invention is achieved through the following technical solutions:
Network behavior active analysis diagnostic method, characteristics are: may further comprise the steps---
1. the message Preliminary detection is mated message and known protocol storehouse, rejects known protocol massages; Only need analyze, if desired, can also take sample mode to analyze a part Unidentified agreement;
2. unknown message protocol analysis: to the message of the unknown, designated port, Ip, period information are extracted the automatic analysis process of agreement with message and are analyzed;
Unknown protocol is classified, the unknown protocol data that special object is initiated are analyzed;
3. analysis result output, the automatic protocol analysis process carries out the establishment of DPI and DFI model to specifying message, and analysis result is exported.
Further, above-mentioned network behavior active analysis diagnostic method, wherein, the automatic protocol analysis process carries out the establishment of DPI and DFI model to specifying message, promptly enters DPI and DFI pattern matching flow process, carries out modeling for feature string or feature flow; For feature string, carry out pattern matching study, analyze classification for feature string, if can extract the character string feature, then agreement study finishes, and adds in the protocal analysis storehouse; For the situation that feature string can't be analyzed, enter the network behavior analysis module, size and the transmission feature that wraps extracted, the analytic statistics feature, analysis finishes, and adds network behavior and analyzes the storehouse.
Substantive distinguishing features and obvious improvement that technical solution of the present invention is outstanding are mainly reflected in:
The present invention combines the mainstream technology of current agreement identification, and passive agreement recognition technology and protocal analysis technology are initiatively combined, and better adapts to the requirement of network applications evolve.Can carry out analysis and judgement to the agreement of the unknown based on the inventive method, being combined on the prior protocols analytical model is useful replenishing, can carry out the active analysis diagnosis to network condition and emerging network application and other network behaviors of user's interest of burst, avoid the hysteresis quality of passive tracking.
Description of drawings
Below in conjunction with accompanying drawing technical solution of the present invention is described further:
Fig. 1: active protocols is analyzed the schematic flow sheet that message is handled.
The implication of each Reference numeral sees the following form among the figure:
| Reference numeral | Implication | Reference numeral | Implication | Reference numeral | Implication |
| 1 | Message | 11 | Basic agreement is analyzed | 3 | The active protocols analytic unit |
| 12 | Automatically DPI analyzes | 13 | Automatically DFI analyzes | 14 | Analysis result output |
Embodiment
Active protocols analysis module of the present invention comprises basic agreement analysis, unknown message protocol analysis, analysis result output three big steps.Message through the basic agreement analysis was analyzed if be not identified as known applications, can selectively send to message unknown message analysis module, and the protocol characteristic in the message analysis module searching message also returns the result.
The method that network data is automatically analyzed, analysis certain protocol data that can be initiatively, and corresponding analysis result is provided.Detailed process is: at first, the message Preliminary detection is mated message and known protocol storehouse, rejects known protocol massages; Only need analyze, if desired, can also take sample mode to analyze a part Unidentified agreement; Then, unknown message protocol analysis: to the message of the unknown, designated port, Ip, period information are extracted the automatic analysis process of agreement with message and are analyzed; Unknown protocol is classified, the unknown protocol data that special object is initiated are analyzed; At last, analysis result output, the automatic protocol analysis process carries out the establishment of DPI and DFI model to specifying message, and analysis result is exported; Wherein, the automatic protocol analysis process carries out the establishment of DPI and DFI model to specifying message, promptly enters DPI and DFI pattern matching flow process, carries out modeling for feature string or feature flow; For feature string, carry out pattern matching study, analyze classification for feature string, if can extract the character string feature, then agreement study finishes, and adds in the protocal analysis storehouse; For the situation that feature string can't be analyzed, enter the network behavior analysis module, size and the transmission feature that wraps extracted, the analytic statistics feature, analysis finishes, and adds network behavior and analyzes the storehouse.Be a storehouse of dynamically expanding, can accomplish inherent filtration the known protocol that does not need to analyze.Be the process of a convergence, when the agreement of analyzing is comprehensive more, then the workload of Fen Xiing is more little, and the result is accurate more.
Fig. 1 has illustrated a concise and to the point message to handle the path, network message 1 carries out anticipation by basic network protocal analysis 11, message for the unknown, specifying message to enter active protocols analytic unit 3 according to conditions such as user's interest main frame, port or periods analyzes automatically, comprising DPI analysis 12 and DFI analysis 13 automatically automatically, initiatively DPI is according to the treaty shopping feature string, and the DFI model is sought the stream feature; Export 14 parts at analysis result then the result is carried out the legitimacy judgement, if the requirement that protocol compliant is analyzed and and prior protocols analyze the storehouse not significantly conflict issue as analysis result, this result can be used in real time, and directly judges whether to reach the purpose of identifying and diagnosing.
The present invention is to using the mode that agreement is analyzed dynamically and controlled, and in conjunction with the result that the feature extraction and the behavioral statistics of agreement are initiatively analyzed, dynamic the abnormal behaviour of current network behavior is diagnosed and controlled.
Can carry out analysis and judgement to the agreement of the unknown based on the inventive method, being combined on the prior protocols analytical model is useful replenishing, can carry out the active analysis diagnosis to network condition and emerging network application and other network behaviors of user's interest of burst, avoid the hysteresis quality of passive tracking.
Below only be concrete exemplary applications of the present invention, protection scope of the present invention is not constituted any limitation.All employing equivalents or equivalence are replaced and the technical scheme of formation, all drop within the rights protection scope of the present invention.
Claims (2)
1. network behavior active analysis diagnostic method is characterized in that: may further comprise the steps---
1. the message Preliminary detection is mated message and known protocol storehouse, rejects known protocol massages;
2. unknown message protocol analysis: to the message of the unknown, designated port, Ip, period information are extracted the automatic analysis process of agreement with message and are analyzed;
3. analysis result output, the automatic protocol analysis process carries out the establishment of DPI and DFI model to specifying message, and analysis result is exported.
2. network behavior active analysis diagnostic method according to claim 1, it is characterized in that: step 3. automatic protocol analysis process is carried out the establishment of DPI and DFI model to specifying message, promptly enter DPI and DFI pattern matching flow process, carry out modeling for feature string or feature flow; For feature string, carry out pattern matching study, analyze classification for feature string, if extract the character string feature, then agreement study finishes, and adds in the protocal analysis storehouse; For the situation that feature string can't be analyzed, enter the network behavior analysis module, size and the transmission feature that wraps extracted, the analytic statistics feature, analysis finishes, and adds network behavior and analyzes the storehouse.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100315119A CN101605067B (en) | 2009-04-22 | 2009-04-22 | Network behaviour active analyzing and diagnosing method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100315119A CN101605067B (en) | 2009-04-22 | 2009-04-22 | Network behaviour active analyzing and diagnosing method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101605067A true CN101605067A (en) | 2009-12-16 |
| CN101605067B CN101605067B (en) | 2011-09-21 |
Family
ID=41470627
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009100315119A Active CN101605067B (en) | 2009-04-22 | 2009-04-22 | Network behaviour active analyzing and diagnosing method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101605067B (en) |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102025623A (en) * | 2010-12-07 | 2011-04-20 | 苏州迈科网络安全技术股份有限公司 | Intelligent network flow control method |
| CN101741744B (en) * | 2009-12-17 | 2011-12-14 | 东南大学 | Network flow identification method |
| CN102347949A (en) * | 2011-09-28 | 2012-02-08 | 上海西默通信技术有限公司 | Application protocol analysis method based on DPI (Distributed Protocol Interface) |
| CN101764754B (en) * | 2009-12-28 | 2012-07-25 | 东南大学 | Sample acquiring method in business identifying system based on DPI and DFI |
| CN102710504A (en) * | 2012-05-16 | 2012-10-03 | 华为技术有限公司 | Application identification method and application identification device |
| CN102868638A (en) * | 2012-08-16 | 2013-01-09 | 苏州迈科网络安全技术股份有限公司 | Method and system for dynamically regulating bandwidth |
| CN103905261A (en) * | 2012-12-26 | 2014-07-02 | 中国电信股份有限公司 | Protocol characteristic library online updating method and system |
| CN104468252A (en) * | 2013-09-23 | 2015-03-25 | 重庆康拜因科技有限公司 | Intelligent network service identification method based on positive transfer learning |
| CN106603278A (en) * | 2016-11-29 | 2017-04-26 | 任子行网络技术股份有限公司 | Network application audit management method based on audit data management model and apparatus thereof |
| CN107404459A (en) * | 2016-05-19 | 2017-11-28 | 华为技术有限公司 | Obtain the method and the network equipment of the fingerprint characteristic of network attack message |
| CN107819646A (en) * | 2017-10-23 | 2018-03-20 | 国网冀北电力有限公司信息通信分公司 | A kind of net flow assorted system and method for distributed transmission |
| CN110445750A (en) * | 2019-06-18 | 2019-11-12 | 国家计算机网络与信息安全管理中心 | A kind of car networking protocol traffic recognition methods and device |
| CN110519257A (en) * | 2019-08-22 | 2019-11-29 | 北京天融信网络安全技术有限公司 | A kind of processing method and processing device of the network information |
| CN110958160A (en) * | 2019-11-25 | 2020-04-03 | 睿哲科技股份有限公司 | Website detection method, device and system and computer readable storage medium |
| CN111865724A (en) * | 2020-07-28 | 2020-10-30 | 公安部第三研究所 | Information acquisition control implementation method for video monitoring equipment |
| CN114640611A (en) * | 2022-03-09 | 2022-06-17 | 西安电子科技大学 | Unknown heterogeneous industrial protocol detection and identification method, system, equipment and medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100542176C (en) * | 2006-11-24 | 2009-09-16 | 杭州华三通信技术有限公司 | The analysis and processing method of packet content and system |
| CN101060492B (en) * | 2007-05-29 | 2010-08-11 | 杭州华三通信技术有限公司 | Talk detection method and talk detection system |
| CN101035111B (en) * | 2007-04-13 | 2010-10-13 | 北京启明星辰信息技术股份有限公司 | Intelligent protocol parsing method and device |
-
2009
- 2009-04-22 CN CN2009100315119A patent/CN101605067B/en active Active
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101741744B (en) * | 2009-12-17 | 2011-12-14 | 东南大学 | Network flow identification method |
| CN101764754B (en) * | 2009-12-28 | 2012-07-25 | 东南大学 | Sample acquiring method in business identifying system based on DPI and DFI |
| CN102025623B (en) * | 2010-12-07 | 2013-03-20 | 苏州迈科网络安全技术股份有限公司 | Intelligent network flow control method |
| CN102025623A (en) * | 2010-12-07 | 2011-04-20 | 苏州迈科网络安全技术股份有限公司 | Intelligent network flow control method |
| CN102347949A (en) * | 2011-09-28 | 2012-02-08 | 上海西默通信技术有限公司 | Application protocol analysis method based on DPI (Distributed Protocol Interface) |
| CN102347949B (en) * | 2011-09-28 | 2014-07-02 | 上海西默通信技术有限公司 | Application protocol analysis method based on DPI (Distributed Protocol Interface) |
| CN102710504A (en) * | 2012-05-16 | 2012-10-03 | 华为技术有限公司 | Application identification method and application identification device |
| CN102868638A (en) * | 2012-08-16 | 2013-01-09 | 苏州迈科网络安全技术股份有限公司 | Method and system for dynamically regulating bandwidth |
| CN103905261A (en) * | 2012-12-26 | 2014-07-02 | 中国电信股份有限公司 | Protocol characteristic library online updating method and system |
| CN104468252A (en) * | 2013-09-23 | 2015-03-25 | 重庆康拜因科技有限公司 | Intelligent network service identification method based on positive transfer learning |
| CN107404459B (en) * | 2016-05-19 | 2020-09-04 | 华为技术有限公司 | Method for acquiring fingerprint characteristics of network attack message and network equipment |
| CN107404459A (en) * | 2016-05-19 | 2017-11-28 | 华为技术有限公司 | Obtain the method and the network equipment of the fingerprint characteristic of network attack message |
| CN106603278A (en) * | 2016-11-29 | 2017-04-26 | 任子行网络技术股份有限公司 | Network application audit management method based on audit data management model and apparatus thereof |
| CN107819646A (en) * | 2017-10-23 | 2018-03-20 | 国网冀北电力有限公司信息通信分公司 | A kind of net flow assorted system and method for distributed transmission |
| CN110445750A (en) * | 2019-06-18 | 2019-11-12 | 国家计算机网络与信息安全管理中心 | A kind of car networking protocol traffic recognition methods and device |
| CN110519257A (en) * | 2019-08-22 | 2019-11-29 | 北京天融信网络安全技术有限公司 | A kind of processing method and processing device of the network information |
| CN110519257B (en) * | 2019-08-22 | 2022-04-01 | 北京天融信网络安全技术有限公司 | Network information processing method and device |
| CN110958160A (en) * | 2019-11-25 | 2020-04-03 | 睿哲科技股份有限公司 | Website detection method, device and system and computer readable storage medium |
| CN111865724A (en) * | 2020-07-28 | 2020-10-30 | 公安部第三研究所 | Information acquisition control implementation method for video monitoring equipment |
| CN111865724B (en) * | 2020-07-28 | 2022-02-08 | 公安部第三研究所 | Information acquisition control implementation method for video monitoring equipment |
| CN114640611A (en) * | 2022-03-09 | 2022-06-17 | 西安电子科技大学 | Unknown heterogeneous industrial protocol detection and identification method, system, equipment and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101605067B (en) | 2011-09-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101605067B (en) | Network behaviour active analyzing and diagnosing method | |
| CN102315974B (en) | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows | |
| CN104320304B (en) | A kind of core network user flow application recognition methods of the multimode fusion easily extended | |
| CN101645806B (en) | Network flow classifying system and network flow classifying method combining DPI and DFI | |
| CN101741744B (en) | Network flow identification method | |
| CN102420701B (en) | Method for extracting internet service flow characteristics | |
| CN102045363B (en) | Establishment, identification control method and device for network flow characteristic identification rule | |
| CN102164049B (en) | Universal identification method for encrypted flow | |
| CN106921637A (en) | The recognition methods of the application message in network traffics and device | |
| CN107623754B (en) | WiFi acquisition system and method based on authenticity MAC identification | |
| CN110768933A (en) | Network flow application identification method, system and equipment and storage medium | |
| CN103023670A (en) | Message service type identifying method and message service type identifying device based on data processing installation (DPI) | |
| CN103905261A (en) | Protocol characteristic library online updating method and system | |
| CN109768936B (en) | Refined shunting system and shunting method | |
| CN109495508A (en) | Firewall configuration method based on service access data | |
| CN102624878B (en) | Method and system for identifying P2P (peer-to-peer) protocol on basis of DNS (domain name server) protocol | |
| CN105302885A (en) | Full-text data extraction method and device | |
| CN105847250A (en) | VoIP stream media multi-dimensional information steganography real time detection method | |
| CN111586075B (en) | Hidden channel detection method based on multi-scale stream analysis technology | |
| CN109660656A (en) | A kind of intelligent terminal method for identifying application program | |
| CN111294342A (en) | Method and system for detecting DDos attack in software defined network | |
| Dudin et al. | Resource allocation with automated QoE assessment in 5G/B5G wireless systems | |
| CN113283498A (en) | VPN flow rapid identification method facing high-speed network | |
| CN112073988A (en) | Detection method for hidden camera in local area network | |
| CN111654486A (en) | Server equipment judgment and identification method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |