CN101645778B - Network service flow identification system and identification method thereof - Google Patents


Publication number: CN101645778B
Authority: CN (China)
Prior art keywords: unit, plug, identification, business, recognition
Legal status: Expired - Fee Related
Application number: CN2009100917927A
Other languages: Chinese (zh)
Other versions: CN101645778A (en)
Inventors: 罗浩, 吴志刚, 云晓春, 王曦, 袁春阳, 张永铮, 王树鹏, 金书源
Current Assignee: Institute of Computing Technology of CAS
Original Assignee: Institute of Computing Technology of CAS
Application filed by: Institute of Computing Technology of CAS
Priority to: CN2009100917927A
Publication of CN101645778A
Application granted
Publication of CN101645778B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network service flow identification system comprising an identification plug-in library, a data receiving unit, a registration management unit, and a plug-in scheduling and comprehensive identification unit. The identification plug-in library comprises a plurality of identification plug-ins; the data receiving unit receives the data packets of a connection to be identified; the registration management unit maintains an identification plug-in list and adds or deletes identification plug-in entries in that list; and the plug-in scheduling and comprehensive identification unit calls each identification plug-in to identify the data packets provided by the data receiving unit and derives the service type of the connection to be identified from the combined identification results of the plug-ins. The invention can identify multiple service types and is easy to extend.

Description

Network service flow identification system and identification method thereof
Technical field
The present invention relates to the technical field of network security and network behavior analysis; specifically, it relates to a network service flow identification system and its identification method.
Background technology
In recent years the variety of services running on the Internet has kept growing. In particular, the appearance of various services based on P2P protocols (such as P2P download and online video) has created serious problems for network management. The most prominent is the uncontrolled consumption of network bandwidth, which causes congestion and leaves services with strict real-time requirements (such as VoIP) without an effective network guarantee. Dividing traffic by flow, and assigning different service support levels to different services for management and planning, has therefore become the key to solving this problem. As a result, many techniques for identifying different services (such as WEB, P2P and VoIP) have emerged, including identification based on port numbers, identification based on deep packet inspection, and identification based on statistical flow characteristics.
For identification based on port numbers: conventional application protocols usually use the well-known port numbers registered with IANA as their communication ports; for example, www uses port 80 and ftp uses ports 20 and 21. Using the port number for service flow identification is fast and simple, but the result is unreliable for protocols that change port numbers dynamically and randomly, or that impersonate a well-known port in order to hide their own protocol identity.
Identification based on deep packet inspection examines the content of the packet payload in depth and analyzes it further to identify the service. Each protocol type has corresponding feature fields in the payload; by checking whether the relevant fields of the packet content match the feature fields, it can be determined whether the packet belongs to that protocol type. Service flow identification based on packet payload content can be divided into three levels: (1) matching on one or several features of the payload; (2) analyzing the payload in depth from a semantic angle, for example HTTP must contain an http header; identification at this level needs to inspect more of the data segment rather than a few bytes; (3) analyzing several packets of a service flow from a grammatical angle to analyze protocol behavior, for example the http protocol specifies that a GET request from the client must be followed by a certain response packet from the server. "Deep packet inspection" is very accurate, but because packets must be unpacked and analyzed it needs more resources (processor and memory), its efficiency is limited, and it is unsuitable for service flow identification on HVN and backbone networks. The method also cannot identify encrypted data.
Identification based on statistical flow characteristics is the most recent service flow identification technique and can solve the problem of identifying encrypted data flows. The method matches on the statistical characteristics of the packets of different protocols (such as flow duration, average packet length and packet inter-arrival time). However, its identification accuracy is currently low, and because it needs statistics over a large number of packets it cannot meet real-time requirements. The protocol types the method currently supports are also limited relative to the variety of application protocols in real networks.
Although the prior art contains the service identification techniques above, most of them support only single-service identification, i.e. deciding whether the current service flow is one specific service type. For multi-type service identification the prior art generally uses deep packet inspection: the packet content fields of the current service flow (i.e. the current connection) are extracted and matched against the identification rules of each service type one by one in order, until some rule matches or the match fails after all rules have been traversed, which yields the service type of the current flow. The defects of this matching mechanism include: 1. Only a few specific service types can be identified; adding support for a new service type on demand requires large changes, so protocol upgrades and extensibility are poor. 2. The substitutability and correlation of the rules are ignored, so there is considerable redundant, repeated work and matching efficiency is low. 3. Identification errors (false positives) occur easily for mixed service flows (for example a flow containing several TCP connections, or a TCP connection and a subsequent UDP flow).
Summary of the invention
Therefore, the object of the present invention is to provide a network service flow identification system and identification method that can identify multiple service types and are easy to extend.
To achieve this object, the invention provides a network service flow identification system comprising:
an identification plug-in library, which comprises a plurality of identification plug-ins;
a data receiving unit, which receives the data packets of a connection to be identified;
a registration management unit, which maintains the identification plug-in list and adds or deletes identification plug-in entries in that list; and
a plug-in scheduling and comprehensive identification unit, which calls each identification plug-in to identify the data packets provided by the data receiving unit and derives the service type of the current connection to be identified from the combined identification results of the plug-ins.
The network service flow identification system further comprises an identification result statistics unit, which records the distribution of each service type in the data flow.
Each identification plug-in identifies one or more service types.
The network service flow identification system further comprises a plug-in association library, which records, for mixed services, the association between the services corresponding to the identification plug-ins. The services comprise underlying services and application services, and the association is the dependence of an application service on an underlying service.
An identification plug-in is an identification unit based on port numbers, an identification unit based on deep packet inspection, or an identification unit based on statistical flow characteristics.
The present invention also provides an identification method based on the above network service flow identification system, comprising the following steps:
1) register the required identification plug-ins as needed;
2) receive the data packets of the current connection to be identified;
3) call each identification plug-in and derive the service type of the current connection to be identified from the combined identification results of the plug-ins.
Step 3) comprises the following sub-steps:
31) set the priority of each identification plug-in according to the distribution of each service type in the data flow;
32) then call the identification plug-ins in turn according to priority;
33) the current identification plug-in returns a return value according to its identification result; the return values include OK and NO. OK means the packet of the current connection to be identified matches the current identification plug-in, and NO means it does not. When the return value of the current identification plug-in is OK, identification of the current connection ends; when it is NO, return to step 32) and call the next identification plug-in according to priority.
Step 31) further comprises updating the distribution of each service type in the data flow according to the service identification results counted in real time, and then resetting the priority of each identification plug-in according to the updated distribution.
Step 31) further comprises, according to the plug-in association library, forcing the priority of the identification plug-in of an underlying service to be higher than the priority of the identification plug-ins of the application services that correspond to that underlying service.
In step 33), the return values further include PENDING and PASS. PENDING means that part of the features of the packet of the current connection to be identified match the current identification plug-in, and that more packets of the current connection to be identified are needed for confirmation. PASS is a return value specific to the identification plug-ins of underlying services in the plug-in association; it means the packet of the current connection to be identified matches the identification plug-in of that underlying service. When the return value of the current identification plug-in is PENDING, the plug-in continues to identify the next packet of the current connection until its return value is OK or NO. When the return value is PASS, the identification plug-ins of the application services corresponding to that underlying-service plug-in are looked up in the association library and called.
Compared with the prior art, the present invention has the following technical effects:
1. Strong extensibility; easy to upgrade.
2. Good network adaptability: the order in which service types are identified can be controlled flexibly according to the service distribution of the deployed network.
3. Redundant operations such as repeated identification are eliminated, greatly improving processing efficiency.
4. Misjudgment of mixed service flows can be avoided.
Description of drawings
Embodiments of the invention are described in detail below with reference to the accompanying drawings, in which:
Fig. 1 shows the general structure of the present invention;
Fig. 2 shows the structure of one embodiment of the invention;
Fig. 3 shows the operational flow chart of one embodiment of the invention;
Fig. 4 shows the flow chart of service flow identification processing in one embodiment of the invention;
Fig. 5 shows the measured performance of one embodiment of the invention.
Embodiment
The present invention is further described below with reference to specific embodiments.
The invention provides a network service flow identification system whose general structure, shown in Fig. 1, comprises a management and scheduling unit and a plurality of identification plug-ins.
Fig. 2 shows one embodiment of the present invention. In this embodiment the management and scheduling unit comprises a data receiving unit, a registration management unit, and a plug-in scheduling and comprehensive identification unit (see Fig. 2).
The data receiving unit receives the data packets of the connection to be identified and provides them to the plug-in scheduling and comprehensive identification unit.
The registration management unit maintains the identification plug-in list; identification plug-in entries can be added to or deleted from the list to manage the plug-ins. The registration management unit also comprises a plurality of identification plug-in interface units for connecting the identification plug-ins. To make registering and deregistering identification plug-ins easier, in this embodiment each pair of identification plug-in and identification plug-in interface unit has three corresponding functional interfaces: registration and initialization, deregistration, and service identification. All identification plug-ins are kept in the identification plug-in library and each has a unique ID; according to the needs of the system configuration, the corresponding identification plug-in is registered and called through its ID.
The plug-in scheduling and comprehensive identification unit calls the identification plug-ins according to a scheduling strategy to identify the packets, receives the identification results the plug-ins return, and derives the service type of the current connection to be identified from the combined results.
Each identification plug-in identifies one or several specific service types. In this embodiment an identification plug-in has two return values: OK and NO. OK means the service carried by the packet is exactly the service this plug-in represents, i.e. the packet fully matches the plug-in; NO means the service carried by the packet is not the service this plug-in represents, i.e. the packet does not match the plug-in. The plug-in scheduling and comprehensive identification unit sets up an associated plug-in table for each connection, recording the service identification plug-ins called to identify that connection and their return values. In this way the unit can perform comprehensive matching over the service each plug-in represents and its return value, and derive the service type carried by the current connection to be identified.
To improve identification efficiency, the plug-in scheduling and comprehensive identification unit needs to call the identification plug-ins in order according to a scheduling strategy. In this embodiment the user can set the calling order of the plug-ins through a user interface unit. This approach is comparatively simple to implement in software and hardware, but because it needs manual input its working efficiency is low. Therefore, in another embodiment, the plug-in scheduling and comprehensive identification unit uses a scheduling strategy based on a priority mechanism. This embodiment also includes an identification result statistics unit, which collects the identification results of the connections over a period of time or over a certain number of connections and records how many times each service type occurred (i.e. the distribution of each service in the data flow). According to the distribution of services in the data flow of the actual network environment, the identification plug-ins for the service types that account for a large share of the data flow can then be tried first, reducing the number of times a packet is identified across the plug-ins and improving the efficiency of the system. To this end, this embodiment assigns each service identification plug-in a priority according to the service type it identifies, and the plug-ins are called in order of priority from high to low. During the calls, once a service identification plug-in returns OK the identification process is complete; if it returns NO, the next service identification plug-in is called. The final identification result of each connection is stored in the identification result statistics table. The plug-in scheduling and comprehensive identification unit updates the plug-in priorities dynamically according to the current statistics, to adapt to the burstiness and concentration of service flows in different types of network.
In addition, real network services also include mixed service flows (for example a flow containing several TCP connections, or a TCP connection and a subsequent UDP flow). To avoid false positives, a scheduling strategy based on a competition mechanism also needs to be introduced.
A mixed service flow generally comprises an underlying service and an application service. For example, with most P2P software the communication first consists of a segment of http traffic (the underlying service) and only then of the P2P protocol (the application service). The network service flow identification system of the preceding embodiments works on a per-connection basis, which means that once a connection has been classified it is not identified again until the connection times out. Therefore, if the priority of the HTTP plug-in is higher than that of BT, a BT service will be mistaken for an HTTP application, causing a misjudgment.
Therefore, in a new embodiment, a plug-in association library is added to record, for mixed services, the association between the service types corresponding to the identification plug-ins. In the plug-in association library all identification plug-ins fall into two classes: identification plug-ins for underlying services and identification plug-ins for application services. The association is the correspondence between the identification plug-in of an underlying service and the identification plug-ins of application services (specifically, the dependence of the application service on the underlying service). At the same time, a new return value type is added for the plug-ins involved in this association: PASS. It means that although this plug-in has identified the service carried by the packet, the identification process does not exit; the packet is handed on to the plug-ins of those application services that may use this protocol. For example, the HTTP plug-in first confirms a packet, but the identification process does not end at that point. Instead the plug-in returns PASS, and the plug-in scheduling and comprehensive identification unit then hands the packet to the plug-ins of the application services based on the http protocol (such as the BT and THUNDER plug-ins) to continue identification. This avoids misjudging mixed service flows.
It should be noted that the plug-in scheduling and comprehensive identification unit of the present invention may use the priority-based scheduling strategy alone, the competition-based scheduling strategy alone, or both strategies together. When the competition-based scheduling strategy is used, note that the priority of the identification plug-in of an underlying service should be higher than the priority of the identification plug-ins of its application services.
Further, in the competition-based scheduling strategy, to avoid processing an unidentifiable service indefinitely, the network service identification system sets an upper limit on the number of identification attempts for each connection; once the attempts on a connection exceed this limit without a definite result, identification is abandoned. In addition, even while the number of attempts is within the limit, passing every packet through all plug-ins each time would produce unnecessary redundant processing, so a further return value type is added for the plug-ins: PENDING. PENDING means either that it cannot yet be judged whether the service type of this connection is one this plug-in can identify, or that the packet matches part of the features of the service this plug-in represents and more data is needed for confirmation. The network service identification system records this return value, so that when a new packet of the same connection arrives it is sent only to the plug-ins that previously returned PENDING, until the service is identified by some plug-in (the return value is OK), or is rejected by all plug-ins (the return value is NO), or the number of identification attempts on the connection exceeds the configured upper limit.
The service identification method of a preferred embodiment that combines the priority and competition scheduling strategies is described in detail below. In this embodiment an identification plug-in has four return values:
OK: the service carried by the packet is exactly the service this plug-in represents, so the identified type of the connection is the service type of the plug-in that returned OK, and packets belonging to this connection no longer go through plug-in identification;
NO: the service carried by the packet is not the service this plug-in represents; later packets of this connection that undergo further service identification will skip this plug-in;
PENDING: either it cannot yet be judged whether the service type of this connection is one this plug-in can identify, or the packet matches part of the features of the service this plug-in represents and more data is needed for confirmation;
PASS: although this plug-in has identified the service carried by the packet, the identification process does not exit; the packet is handed on to the plug-ins of the services that may use this protocol, so the plug-ins of the service types associated with the plug-in marked PASS are marked PENDING.
Fig. 3 shows the service identification flow for a data flow in the network service identification system of this preferred embodiment. The flow comprises the following steps.
Step 301: the network administrator specifies the service types to identify through the user interface, according to the situation of the deployed network and the requirements of each network flow management system that uses this framework.
Step 302: according to the user configuration, the system looks up the corresponding plug-ins in the identification plug-in library and, by calling each plug-in's own registration function, registers each plug-in with the registration management unit. Registration includes initializing the plug-in registry and recording the information of each plug-in, such as plug-in name, plug-in ID, identified service type and initial priority.
Step 303: set the priority of each plug-in according to the package type and the plug-in dependency library.
Step 304: initialize the connection status table, the identification result statistics table and the associated plug-in table. The connection status table contains the connection ID, the connection identification status and the identified type. There are three identification statuses: NOT YET means the service type has not yet been identified; SUCCESS means the type of the connection has been identified, with the identified service type stored in the identified type field; FAIL means the service type of the connection could not be identified, and the identified type corresponding to FAIL is UNKNOWN.
Step 305: for the current connection, the system calls the plug-ins in order of priority to identify the service; the detailed identification process is described below with reference to Fig. 4.
Step 306: update the service identification result statistics table according to the identification results of the plug-ins.
Step 307: if the identification result statistics table shows that the service distribution ranking of the deployed network has changed, go to step 308; otherwise return to step 305 and continue with the next connection.
Step 308: update the priority of each plug-in according to the service distribution ranking in the identification result statistics table, while ensuring that the priority settings do not contradict the plug-in dependency library; then return to step 305.
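The priority rule of steps 303 and 306 to 308, as an added example that is not code from the patent: plug-ins are ranked by how often their service type was the final result, and an underlying-service plug-in is moved ahead of its application plug-ins whenever the counts alone would put it behind them. The class name, plug-in names and dependency map are assumptions made for illustration, and only the two-level underlying/application relation described above is handled.

```python
from collections import Counter


class PriorityScheduler:
    """Keeps the plug-in call order in step with the identification statistics."""

    def __init__(self, plugins, dependents):
        self.plugins = list(plugins)   # registered plug-ins, in initial priority order
        self.dependents = dependents   # dependency library: underlying -> application services
        self.stats = Counter()         # identification result statistics table
        self.order = self._rank()      # step 303: initial priorities

    def _rank(self):
        # Most frequently identified service first. sorted() is stable, so
        # plug-ins with equal counts keep their registered order.
        order = sorted(self.plugins, key=lambda name: -self.stats[name])
        # Constraint from the dependency library: an underlying-service plug-in
        # must be called before every application plug-in that depends on it.
        for base, apps in self.dependents.items():
            positions = [order.index(app) for app in apps if app in order]
            if base in order and positions and order.index(base) > min(positions):
                order.remove(base)
                order.insert(min(positions), base)
        return order

    def record(self, service):
        """Steps 306-308: count one final result; return True if the order changed."""
        self.stats[service] += 1
        new_order = self._rank()
        changed = new_order != self.order
        self.order = new_order
        return changed


if __name__ == "__main__":
    # Constructed deployment: BT and THUNDER both run on top of HTTP.
    sched = PriorityScheduler(["HTTP", "BT", "THUNDER", "SMTP"],
                              {"HTTP": ["BT", "THUNDER"]})
    for result in ["SMTP", "BT", "BT", "BT"]:
        changed = sched.record(result)
        print(result, changed, sched.order)
```

Even when BT is the most common result, HTTP stays directly ahead of it, which is what lets the HTTP plug-in return PASS before BT is consulted.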
Introduce the concrete traffic identification handling process in the step 305 below in conjunction with accompanying drawing 4.
Step 401 receives a new data packets.
Step 402 is inquired about the connection under this packet in the connection status table.
Step 403 then shows it is new a connection if do not find affiliated connection, continues step 404, if search corresponding connection, then continues step 406.
Step 404 is created the new item that connects at the connection status table, and connection status is NOT YET, and type of service is UNKNOWN.
Step 405 is created new clauses and subclauses at the associated plug-in table for this connects, and initially the return type of all plug-in units is PENDING.This initial methods can make first packet of new connection mate to all traffic identification plug-in units.
Step 406 is judged the status recognition of this connection, if SUCCEED or FAIL show that this connection identifies type of service or can not discern corresponding service.Finish so this connects identification work, this packet is not carried out the coupling work of each plug-in unit, execution in step 418 then.If NOT is YET, then continue execution in step 407.
Step 407: If the upper limit on the number of identification attempts for this connection has been reached, this shows that service identification has failed after matching the first n packets of the connection; go to step 408 to determine the identified service type of the connection. Otherwise, match this packet against each plug-in and go to step 411.
Step 408: Traverse the associated plug-in table entries for this connection. If a plug-in whose return type is PASS exists, go to step 409. If no plug-in has the return type PASS, go to step 410.
Step 409: Take the service type of the plug-in whose return type is PASS as the final identified service type of this connection, and set the identification state of the connection to SUCCESS. Then go to step 418.
Step 410: Set the identification state of this connection to FAIL and the service type to UNKNOWN. Then go to step 418.
Step 411: Search the associated plug-in table for this connection for the application-service plug-ins whose return type is PENDING, and call the identification functions of these plug-ins in turn.
Step 412: The called application-service plug-in identifies this packet and produces a return value for the service identification result. If the return value is NO, go to step 413; if it is PENDING, go to step 414; if it is PASS, go to step 415; if it is OK, go to step 416.
Step 413: Change this plug-in's attribute in the corresponding associated plug-in table entry to NO, and continue with step 417.
Step 414: Change this plug-in's attribute in the corresponding associated plug-in table entry to PENDING, and continue with step 417.
Step 415: Change this plug-in's attribute in the corresponding associated plug-in table entry to PASS, look up in the plug-in dependency table the plug-ins that depend on this plug-in, and change their attribute to PENDING. Go to step 417.
Step 416: Change the identification state of this connection to SUCCESS, with the service type being the service type of this plug-in. Then go to step 418.
Step 417: Call the next plug-in whose attribute is PENDING, and return to step 412.
Step 418: Output the service type of the current flow, end the identification process, and jump to step 401 to continue with the identification of the next connection (or packet).
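The per-packet scheduling of steps 407 to 418, written out as an added Python example (not code from the patent). The three plug-ins and their matching rules, the limit n = 3, the initial state of the associated plug-in table, and the use of table order as the call priority are assumptions made for illustration.

```python
from enum import Enum

Ret = Enum("Ret", "OK NO PENDING PASS")   # plug-in return values named on the page

# Constructed plug-ins (assumptions): each maps one packet payload to a Ret value.
PLUGINS = {
    "ssh":        lambda p: Ret.OK if p.startswith(b"SSH-") else Ret.NO,
    "http":       lambda p: Ret.PASS if p.split(b" ")[0] in (b"GET", b"POST") else Ret.NO,
    "http_video": lambda p: Ret.OK if b"Content-Type: video/" in p else Ret.PENDING,
}
DEPENDS_ON = {"http_video": "http"}       # application service -> underlying service
LIMIT = 3                                 # assumed identification limit n per connection

class Connection:
    def __init__(self):
        # Assumption: plug-ins with no dependency start PENDING; dependents stay idle
        # (None) until their underlying plug-in returns PASS.
        self.attr = {n: (None if n in DEPENDS_ON else Ret.PENDING) for n in PLUGINS}
        self.seen, self.state, self.service = 0, "PENDING", None

def on_packet(conn, payload):
    """Steps 407-418 for one packet: returns (state, service) once decided, else None."""
    if conn.state == "PENDING" and conn.seen >= LIMIT:          # step 407
        passed = [n for n, a in conn.attr.items() if a is Ret.PASS]   # step 408
        conn.state, conn.service = ("SUCCESS", passed[0]) if passed else ("FAIL", "UNKNOWN")
    if conn.state != "PENDING":
        return conn.state, conn.service                         # step 418
    conn.seen += 1
    called = set()                       # each plug-in sees a given packet at most once
    while True:
        todo = [n for n, a in conn.attr.items() if a is Ret.PENDING and n not in called]
        if not todo:
            return None                  # nothing decided yet: wait for the next packet
        name = todo[0]                   # steps 411/417: next PENDING plug-in, in table order
        called.add(name)
        conn.attr[name] = result = PLUGINS[name](payload)       # steps 412-415
        if result is Ret.PASS:           # step 415: wake plug-ins that depend on this one
            for dep, base in DEPENDS_ON.items():
                if base == name:
                    conn.attr[dep] = Ret.PENDING
        elif result is Ret.OK:           # step 416
            conn.state, conn.service = "SUCCESS", name
            return conn.state, conn.service

def classify(packets):
    conn = Connection()
    for payload in packets:
        decided = on_packet(conn, payload)
        if decided:
            return decided
    return conn.state, conn.service
```

A connection that only ever matches the underlying plug-in is reported with that plug-in's service type once the limit is hit (step 409), which is why the fourth packet of a plain HTTP flow yields "http" rather than UNKNOWN.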
In addition, it should be added that in this embodiment the identification plug-ins can be implemented with port-number-based identification, with identification based on deep packet inspection, or with identification based on statistical flow characteristics. The identification plug-in interface unit is an interface compatible with all three of these identification techniques.
As shown in Figure 5, on a modest hardware configuration (CPU: P4 2.0G, memory: 512MB, network card: Intel EPRO100*2), the identification method provided by the above preferred embodiment completes service flow identification with very high performance. Specifically, with 10 service plug-ins, real-time service flow identification throughput reaches 92Mbps, and with 50 service identification plug-ins it still reaches 89.2Mbps. The measured results show that the present invention is highly efficient. Moreover, the plug-in mechanism, scheduling mechanism and priority mechanism of the present invention optimize the multi-service identification process well and so reduce redundant operations in it; even when the number of service types to be identified increases greatly, the present invention still maintains very high performance.
The specific embodiment described above explains the object, technical scheme and beneficial effects of the present invention in detail. It should be understood that the foregoing is only a specific embodiment of the present invention and does not limit the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (7)

1. A network service flow identification system, comprising:
an identification plug-in library, the identification plug-in library comprising a plurality of identification plug-ins, each identification plug-in being used to identify one or more particular service types;
a data receiving unit, used to receive the packets of a connection to be identified;
a registration management unit, used to maintain an identification plug-in list and to add or delete identification plug-in entries in the identification plug-in list;
a plug-in scheduling and comprehensive identification unit, used to call each identification plug-in to identify the packets provided by the data receiving unit and to derive the service type of the current connection to be identified from the combined identification results of the identification plug-ins; the plug-in scheduling and comprehensive identification unit sets the priority of each identification plug-in according to the distribution of each service type in the data flow, so that the identification plug-in corresponding to a service type with a large share of the data flow identifies first; and
an identification result statistics unit, used to record the distribution of each service type in the data flow.
2. The network service flow identification system according to claim 1, characterized in that the network service flow identification system further comprises a plug-in association relation library, used to record the association relations between the services corresponding to the identification plug-ins in mixed services; the services comprise underlying services and application services, and the association relation is the dependency of an application service on an underlying service.
3. The network service flow identification system according to claim 1, characterized in that the identification plug-in is an identification unit based on port numbers, an identification unit based on deep packet inspection, or an identification unit based on statistical flow characteristics.
4. The network service flow identification system according to claim 3, characterized in that the identification plug-in is an identification unit based on port numbers, an identification unit based on deep packet inspection, or an identification unit based on statistical flow characteristics.
5. An identification method using the network service flow identification system according to claim 1, comprising the following steps:
1) registering the required identification plug-ins;
2) receiving a packet of the current connection to be identified;
3) calling each identification plug-in to identify the packet of step 2), and deriving the service type of the current connection to be identified from the combined identification results of the identification plug-ins; step 3) comprises the following sub-steps:
31) setting the priority of each identification plug-in according to the distribution of each service type in the data flow;
32) then calling the identification plug-ins in turn in order of priority;
33) the current identification plug-in returns a return value according to its identification result, the return value comprising OK and NO; OK indicates that the packet of the current connection to be identified matches the current identification plug-in, and NO indicates that the packet of the current connection to be identified does not match the current identification plug-in; when the return value of the current identification plug-in is OK, identification of the current connection to be identified ends; when the return value of the current identification plug-in is NO, return to step 32) and call the next identification plug-in by priority;
step 31) further comprises: updating the distribution of each service type in the data flow according to the service identification results collected in real time, and then resetting the priority of each identification plug-in according to the updated distribution, so that the identification plug-in corresponding to a service type with a large share of the data flow identifies first.
6. The identification method according to claim 5, characterized in that the network service flow identification system further comprises a plug-in association relation library, used to record the association relations between the services corresponding to the identification plug-ins in mixed services; the services comprise underlying services and application services, and the association relation is the dependency of an application service on an underlying service;
step 31) further comprises: according to the plug-in association relation library, forcing the priority of the identification plug-in of an underlying service to be higher than the priority of the identification plug-ins of the application services corresponding to that underlying service.
7. The identification method according to claim 6, characterized in that, in step 33), the return value further comprises PENDING and PASS; PENDING indicates that some features of the packet of the current connection to be identified match the current identification plug-in, and that more packets of the current connection to be identified are needed for further confirmation; PASS is a return value specific to the identification plug-ins of underlying services in the plug-in association relation, and indicates that the packet of the current connection to be identified matches that underlying-service identification plug-in; when the return value of the current identification plug-in is PENDING, the current identification plug-in continues to identify the next packet of the current connection to be identified until its return value is OK or NO; when the return value of the current identification plug-in is PASS, the identification plug-ins of the application services corresponding to that underlying-service identification plug-in are looked up in the association relation library and called.
CN2009100917927A 2009-08-25 2009-08-25 Network service flow identification system and identification method thereof Expired - Fee Related CN101645778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100917927A CN101645778B (en) 2009-08-25 2009-08-25 Network service flow identification system and identification method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100917927A CN101645778B (en) 2009-08-25 2009-08-25 Network service flow identification system and identification method thereof

Publications (2)

Publication Number Publication Date
CN101645778A CN101645778A (en) 2010-02-10
CN101645778B true CN101645778B (en) 2012-02-15

Family

ID=41657505

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100917927A Expired - Fee Related CN101645778B (en) 2009-08-25 2009-08-25 Network service flow identification system and identification method thereof

Country Status (1)

Country Link
CN (1) CN101645778B (en)

Also Published As

Publication number Publication date
CN101645778A (en) 2010-02-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120215

Termination date: 20210825
