CN101702733B - Message flow recognition method and device - Google Patents
Message flow recognition method and device Download PDFInfo
- Publication number
- CN101702733B CN101702733B CN2009102221510A CN200910222151A CN101702733B CN 101702733 B CN101702733 B CN 101702733B CN 2009102221510 A CN2009102221510 A CN 2009102221510A CN 200910222151 A CN200910222151 A CN 200910222151A CN 101702733 B CN101702733 B CN 101702733B
- Authority
- CN
- China
- Prior art keywords
- message flow
- meets
- protocol
- message
- transport layer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Communication Control (AREA)
Abstract
The invention discloses message flow recognition method and device, wherein the method comprises the following steps of: filtering out a message flow according with a first transport layer protocol from an input message flow; filtering out a message flow according with a first encryption protocol from the message flow meeting the first transport layer protocol; according to a protocol to be recognized, sending a handshake message according with the first encryption protocol and the first transport layer protocol to the destination end or the source end of the message flow according with the first encryption protocol; and if handshake is successful, determining the input message flow as the message flow according with the protocol to be recognized, and breaking the communication of the successful handshake. The message flow recognition method and device actively shake hands with the destination end or the source end of the input message flow; if the handshake is successful, the input message flow according with the protocol to be recognized can be determined, thereby avoiding that all message flows according with the first encryption protocol are recognized as the message flow according with the protocol to be recognized and increasing the message recognition accuracy rate.
Description
Technical field
The present invention relates to network technology, relate in particular to a kind of message flow recognition method and device.
Background technology
In recent years, point-to-point (Peer to Peer is called for short P2P) technological develop rapidly, its business has occupied the 60%-80% of Internet service total amount, becomes popular broadband internet and uses.The P2P service application is fast-developing around the file-sharing of IP Voice & Video, has caused the huge consumption of the network bandwidth, even has caused network congestion, reduces other performance of services.Operator limits the P2P message in order to guard one's interest, with the normal operation that guarantees that other are professional.So P2P Development of Software person encrypts the P2P message of transmission over networks or is fuzzy, to escape the detection of agreement identification equipment.
In order to limit through encrypting or bluring the transmission of P2P message in network afterwards, operator needs the P2P message flow of certain specific protocol encryption of employing in the recognition network.
The problem that this message flow recognition method exists in the prior art is: the P2P protocol massages all can adopt certain specific protocol encryption or fuzzy with other non-P2P message protocols; Message flow recognition method in the prior art; Might non-P2P protocol massages be identified, cause mistake identification.
Summary of the invention
The embodiment of the invention provides a kind of message flow recognition method and device to the problem that exists in the prior art, improves the message recognition accuracy.
The embodiment of the invention provides a kind of message flow recognition method, comprising:
From the message flow of input, filter out the message flow that meets first transport layer protocol;
From the said message flow that meets first transport layer protocol, filter out the message flow that meets first cryptographic protocol;
According to agreement to be identified, send the handshake message that meets said first cryptographic protocol and said first transport layer protocol to said destination or the source end that meets the message flow of first cryptographic protocol;
If shake hands successfully, the message flow of then confirming input is the message flow that meets said agreement to be identified, breaks off the communication of the success of this time shaking hands.
The embodiment of the invention also provides a kind of message flow recognition device, comprising:
The host-host protocol filtering module is used for filtering out the message flow that meets first transport layer protocol from the message flow of input;
The cryptographic protocol filtering module is used for filtering out the message flow that meets first cryptographic protocol from the said message flow that meets first transport layer protocol;
Handshake module is connected with said cryptographic protocol filtering module, is used for according to agreement to be identified, sends the handshake message that meets said first cryptographic protocol and said first transport layer protocol to said destination or the source end that meets the message flow of first cryptographic protocol;
Determination module is connected with said handshake module, is used for after said handshake module is shaken hands success, and the message flow of confirming input is the message flow that meets said agreement to be identified;
Break off module, be used for after said handshake module is shaken hands success, breaking off the communication of the success of this time shaking hands.
In message flow recognition method that the embodiment of the invention provides and the device; At first from the message flow of input, filter out the message flow that meets first transport layer protocol and first cryptographic protocol; Simulation meets the client of agreement to be identified then; Initiatively shake hands,, can confirm that then the message flow of importing meets agreement to be identified if shake hands successfully with the destination or the source end of the message flow of importing; Thereby the message flow of having avoided all being met first transport layer protocol and first cryptographic protocol is identified as the message flow that meets agreement to be identified, has improved the message recognition accuracy.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art; To do one to the accompanying drawing of required use in embodiment or the description of the Prior Art below introduces simply; Obviously, the accompanying drawing in describing below is some embodiments of the present invention, for those of ordinary skills; Under the prerequisite of not paying creative work property, can also obtain other accompanying drawing according to these accompanying drawings.
Shown in Figure 1 is message flow recognition method embodiment flow chart of the present invention;
Shown in Figure 2 for the structural representation of message flow recognition device one embodiment of the present invention;
Shown in Figure 3 for the structural representation of another embodiment of message flow recognition device of the present invention.
Embodiment
For the purpose, technical scheme and the advantage that make the embodiment of the invention clearer; To combine the accompanying drawing in the embodiment of the invention below; Technical scheme in the embodiment of the invention is carried out clear, intactly description; Obviously, described embodiment is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills are not making the every other embodiment that is obtained under the creative work prerequisite, all belong to the scope of the present invention's protection.
Be illustrated in figure 1 as message flow recognition method embodiment flow chart of the present invention, comprise:
If step 104 is shaken hands successfully, the message flow of then confirming input is the message flow that meets said agreement to be identified, breaks off the communication of the success of this time shaking hands.
Message flow recognition method provided by the invention can be used to discern that to adopt the message flow that meet to be identified agreement of various cryptographic protocols after encrypting, agreement to be identified can be the agreement of desire identification such as P2P file sharing protocol.First cryptographic protocol can comprise message flow encryption (Message StreamEncryption; Abbreviation MSE), protocol header is encrypted (Protocol Header Encryption; Be called for short PHE) etc.; The P2P file sharing protocol can comprise bit stream (BitTorrent is called for short BT) agreement, Ares agreement, eDonkey agreement etc.First transport layer protocol is the agreement that is used to transmit the P2P message flow, can be transmission control protocol (Transmission Control Protocol is called for short TCP) or UDP (User Datagram Protocol is called for short UDP).
Be the implementation procedure that example is explained the method that the embodiment of the invention one provides with BT message flow how to discern employing TCP transport layer protocol, MSE cryptographic protocol below.The BT agreement is an agreement to be identified, and the MSE agreement is first cryptographic protocol, and TCP is first transport layer protocol.
BT is a famous P2P file sharing protocol, and encryption of using in the BT client or fuzzy technology are the MSE technology.Encrypt based on the MSE agreement in the BT message flow or fuzzy, make Virtual network operator or Internet Service Provider can't discern the BT message flow.
The MSE agreement is used DH (Diffie-Hellman) agreement to carry out encryption key and is consulted; And use stream cipher AES RC4 to carry out data encryption; Message checking hash function adopts SHA-1, and DH parameter P is the safe prime of 768 bits (96 byte), and DH parameter G equals 2.
The process that the MSE agreement is carried out key agreement and data communication is following:
Password is consulted and data communication is that example is introduced to carry out between customer end A and the service end B.At first; Customer end A sends partial content and random number in the key for service end B; Wherein random number is mainly used in the internuncial statistical analysis identification based on length of opposing, a part from key to customer end A and random number that service end B sends, thus accomplish key agreement process.Carry out the selection and the parameter negotiation of cryptographic algorithm then between customer end A and the service end B, customer end A adopts the key and the cryptographic algorithm that consult that message flow is encrypted after consulting to accomplish, and sends to service end B to the message flow after encrypting.
The MSE agreement does not explicitly call for its bearing protocol, but mainly operates on the TCP at present.
To adopt MSE to encrypt BT message flow afterwards in order identifying, at first from the message flow of input, to filter out the message flow that meets Transmission Control Protocol, after leaching the message flow that meets the MSE agreement.Because except the BT message flow; Other message flows also possibly adopt the Transmission Control Protocol transmission; And adopt MSE agreement encryption or fuzzy, so, need further to simulate the BT client for fear of other message flows mistakes except the BT message flow are identified as the BT message flow; Source end or destination to the message flow of importing that meets the MSE agreement send the handshake message that meets Transmission Control Protocol and MSE agreement and BT agreement; If shake hands successfully, can confirm that then the current message flow that meets Transmission Control Protocol and MSE agreement that filters out is the message flow that meets the BT agreement, the source end or the destination of the current message flow that meets Transmission Control Protocol and MSE agreement that filters out are the BT client.The failure if shake hands can confirm that then the current message flow that meets Transmission Control Protocol and MSE agreement that filters out is not the message flow that meets the BT agreement.
Through above-mentioned method, just can identify and adopt Transmission Control Protocol transmission and MSE agreement to encrypt BT message flow afterwards, and can avoid the message flow mistake that meets other agreements that has adopted Transmission Control Protocol transmission and MSE agreement to encrypt is identified as the BT message flow.
The message flow recognition method that the embodiment of the invention provides; At first from the message flow of input, filter out the message flow that meets first transport layer protocol and first cryptographic protocol; Simulation meets the client of agreement to be identified then; Initiatively shake hands,, can confirm that then the message flow of importing meets agreement to be identified if shake hands successfully with the destination or the source end of the message flow of importing; Thereby the message flow of having avoided all being met first transport layer protocol and first cryptographic protocol is identified as the message flow that meets agreement to be identified, has improved the message recognition accuracy.
Be illustrated in figure 2 as the structural representation of message flow recognition device one embodiment of the present invention, this device comprises host-host protocol filtering module 11, cryptographic protocol filtering module 12, handshake module 13, determination module 14 and breaks off module 15.Host-host protocol filtering module 11 is used for filtering out the message flow that meets first transport layer protocol from the message flow of input; Cryptographic protocol filtering module 12 is used for filtering out the message flow that meets first cryptographic protocol from the said message flow that meets first transport layer protocol; Handshake module 13 is connected with cryptographic protocol filtering module 12, is used for according to agreement to be identified, sends the handshake message that meets said first cryptographic protocol and said first transport layer protocol to said destination or the source end that meets the message flow of first cryptographic protocol; Determination module 14 is connected with handshake module 13, is used for after said handshake module 13 is shaken hands success, and the message flow of confirming input is the message flow that meets said agreement to be identified.Disconnection module 15 is used for after said handshake module 13 is shaken hands success, breaking off the communication of the success of this time shaking hands.
Message flow recognition device as shown in Figure 2 can be degree of depth protocal analysis (Deep PacketInspection; Be called for short DPI) device; The DPI device can be the fire compartment wall with DPI function, is equivalent in existing DPI device, increase cryptographic protocol filtering module, handshake module, determination module and disconnection module.
Be illustrated in figure 3 as the structural representation of another embodiment of message flow recognition device of the present invention, among this embodiment, the cryptographic protocol filtering module be arranged in the DPI device 16, this DPI device 16 can be the fire compartment wall that possesses the DPI function.
Among the embodiment as shown in Figures 2 and 3, handshake module can comprise the generation submodule, encapsulation submodule, encryption submodule and transmission submodule.Wherein, generate the handshake message that submodule can be used to generate agreement to be identified; The encapsulation submodule can be used for according to first transport layer protocol, and the handshake message that generates the submodule generation is encapsulated; Encrypt submodule and can be used for, the handshake message after the encapsulation of encapsulation submodule is encrypted according to first cryptographic protocol; Sending submodule can be used for sending the handshake message of encrypting after submodule is encrypted to destination or source end.
The host-host protocol filtering module specifically can be used to discern the COM1 of the message flow of input, if meet preset port, then confirms as the message flow that meets first transport layer protocol; And/or the characteristic keyword of the message flow of identification input, if meet preset characteristic keyword, then confirm as the message flow of first transport layer protocol.
The cryptographic protocol filtering module specifically can be used to discern the characteristic keyword of the message flow that meets first transport layer protocol, if meet preset characteristic indication, then confirms as the message flow that meets first cryptographic protocol.
Be the operation principle that example is explained message flow recognition device of the present invention how to discern the BT message flow that adopts Transmission Control Protocol transmission and MSE agreement to encrypt below.
The host-host protocol filtering module filters out the message flow that meets first transport layer protocol from the message flow of input after; The cryptographic protocol filtering module filters out the message flow that meets the MSE agreement from the said message flow that meets first transport layer protocol; Because except the BT message flow; Other message flows also possibly adopt the MSE agreement to message flow encryption or fuzzy; So for fear of other message flow mistakes except the BT message flow are identified as the BT message flow, handshake module needs further simulation BT client, according to the BT agreement; Source end or destination to the message flow of importing that meets the MSE agreement send the handshake message that meets MSE agreement and Transmission Control Protocol; If shake hands successfully, then determination module can confirm that the current message flow that meets the MSE agreement that filters out is the message flow that meets the BT agreement, and the far-end or the destination of the current message flow that meets the MSE agreement that filters out are the BT client.The failure if shake hands, then determination module can confirm that the current message flow that meets the MSE agreement that filters out is not the message flow that meets the BT agreement.
Determination module confirms that the current message flow that meets the MSE agreement that filters out is to meet after the message flow of BT agreement, can report the result of message flow identification to the DPI device, and breaks off and being connected of BT client by breaking off module.
Message flow recognition device provided by the invention can be deployed in the network exit in a territory, so just can discern the all-network message flow of this device of flowing through.
The message flow recognition device that the embodiment of the invention provides; At first from the message flow of input, filter out the message flow that meets first transport layer protocol and first cryptographic protocol; Simulation meets the client of agreement to be identified then; Initiatively shake hands,, can confirm that then the message flow of importing meets agreement to be identified if shake hands successfully with the destination or the source end of the message flow of importing; Thereby the message flow of having avoided all being met first transport layer protocol and first cryptographic protocol is identified as the message flow that meets agreement to be identified, has improved the message recognition accuracy.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can be accomplished through the relevant hardware of program command; Aforesaid program can be stored in the computer read/write memory medium; This program the step that comprises said method embodiment when carrying out; And aforesaid storage medium comprises: various media that can be program code stored such as ROM, RAM, magnetic disc or CD.
What should explain at last is: above embodiment is only in order to explaining technical scheme of the present invention, but not to its restriction; Although with reference to previous embodiment the present invention has been carried out detailed explanation, those of ordinary skill in the art is to be understood that: it still can be made amendment to the technical scheme that aforementioned each embodiment put down in writing, and perhaps part technical characterictic wherein is equal to replacement; And these are revised or replacement, do not make the spirit and the scope of the essence disengaging various embodiments of the present invention technical scheme of relevant art scheme.
Claims (10)
1. a message flow recognition method is characterized in that, comprising:
From the message flow of input, filter out the message flow that meets first transport layer protocol;
From the said message flow that meets first transport layer protocol, filter out the message flow that meets first cryptographic protocol;
According to agreement to be identified, send the handshake message that meets said first cryptographic protocol and said first transport layer protocol to said destination or the source end that meets the message flow of first cryptographic protocol;
If shake hands successfully, the message flow of then confirming input is the message flow that meets said agreement to be identified, breaks off the communication of the success of this time shaking hands.
2. message flow recognition method according to claim 1 is characterized in that, saidly from the message flow of input, filters out the message flow that meets first transport layer protocol and comprises:
Discern the COM1 of the message flow of said input,, then confirm as the message flow that meets first transport layer protocol if meet preset port; And/or
Discern the characteristic keyword of the message flow of said input,, then confirm as the message flow of first transport layer protocol if meet preset characteristic keyword.
3. message flow recognition method according to claim 1 is characterized in that, saidly from the said message flow that meets first transport layer protocol, filters out the message flow that meets first cryptographic protocol and comprises:
Discern the said characteristic keyword that meets the message flow of first transport layer protocol,, then confirm as the message flow that meets first cryptographic protocol if meet preset characteristic indication.
4. message flow recognition method according to claim 1 is characterized in that, said agreement to be identified comprises point-to-point P2P file sharing protocol.
5. message flow recognition method according to claim 1 is characterized in that, said first cryptographic protocol comprises that message flow is encrypted the MSE agreement or protocol header is encrypted the PHE agreement.
6. message flow recognition method according to claim 1; It is characterized in that; Said according to agreement to be identified, send the handshake message that meets said first cryptographic protocol and said first transport layer protocol to the destination of the said message flow that meets first cryptographic protocol or source end and comprise:
Generate the handshake message of agreement to be identified;
According to first transport layer protocol, said handshake message is encapsulated;
According to first cryptographic protocol, the handshake message after the encapsulation is encrypted;
Send the handshake message after encrypting to destination or source end.
7. a message flow recognition device is characterized in that, comprising:
The host-host protocol filtering module is used for filtering out the message flow that meets first transport layer protocol from the message flow of input;
The cryptographic protocol filtering module is used for filtering out the message flow that meets first cryptographic protocol from the said message flow that meets first transport layer protocol;
Handshake module is connected with said cryptographic protocol filtering module, is used for according to agreement to be identified, sends the handshake message that meets said first cryptographic protocol and said first transport layer protocol to said destination or the source end that meets the message flow of first cryptographic protocol;
Determination module is connected with said handshake module, is used for after said handshake module is shaken hands success, and the message flow of confirming input is the message flow that meets said agreement to be identified;
Break off module, be used for after said handshake module is shaken hands success, breaking off the communication of the success of this time shaking hands.
8. device according to claim 7 is characterized in that, said host-host protocol filtering module is used for:
Discern the COM1 of the message flow of said input,, then confirm as the message flow that meets first transport layer protocol if meet preset port; And/or
Discern the characteristic keyword of the message flow of said input,, then confirm as the message flow of first transport layer protocol if meet preset characteristic keyword.
9. device according to claim 7 is characterized in that, said cryptographic protocol filtering module is used for:
Discern the said characteristic keyword that meets the message flow of first transport layer protocol,, then confirm as the message flow that meets first cryptographic protocol if meet preset characteristic indication.
10. device according to claim 7 is characterized in that, said handshake module comprises:
Generate submodule, be used to generate the handshake message of agreement to be identified;
The encapsulation submodule is used for according to first transport layer protocol said handshake message being encapsulated;
Encrypt submodule, be used for, the handshake message after the encapsulation is encrypted according to first cryptographic protocol;
Send submodule, be used for sending the handshake message after encrypting to destination or source end.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102221510A CN101702733B (en) | 2009-11-18 | 2009-11-18 | Message flow recognition method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102221510A CN101702733B (en) | 2009-11-18 | 2009-11-18 | Message flow recognition method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101702733A CN101702733A (en) | 2010-05-05 |
| CN101702733B true CN101702733B (en) | 2012-05-02 |
Family
ID=42157626
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009102221510A Expired - Fee Related CN101702733B (en) | 2009-11-18 | 2009-11-18 | Message flow recognition method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101702733B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101854391B (en) * | 2010-05-25 | 2013-01-02 | 南京邮电大学 | Realization method of ares protocol analysis system based on peer-to-peer network |
| CN102368775B (en) * | 2011-11-09 | 2015-05-27 | 电子科技大学 | Cross-layer peer to peer (P2P) flow identification method based on IP filtering |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101296224A (en) * | 2007-04-24 | 2008-10-29 | 北京邮电大学 | P2P flux recognition system and method |
-
2009
- 2009-11-18 CN CN2009102221510A patent/CN101702733B/en not_active Expired - Fee Related
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101296224A (en) * | 2007-04-24 | 2008-10-29 | 北京邮电大学 | P2P flux recognition system and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101702733A (en) | 2010-05-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11848961B2 (en) | HTTPS request enrichment | |
| CN109450852B (en) | Network communication encryption and decryption method and electronic equipment | |
| CN103326850A (en) | Key generating device and key generating method | |
| Hjelmvik et al. | Breaking and improving protocol obfuscation | |
| JP2013518522A (en) | Method for establishing at least partly a secure communication channel between nodes allowing to at least partly test encrypted communications performed between at least some nodes | |
| JP6505710B2 (en) | TLS protocol extension | |
| KR20110092333A (en) | A module and associated method for tr-069 object management | |
| JP2022516352A (en) | One-time pad encryption hub | |
| CN101702733B (en) | Message flow recognition method and device | |
| CN107070998A (en) | A kind of safe Internet of Things communications protocol and method | |
| CN112202882B (en) | Transmission method, client and transmission system | |
| Heinz et al. | Covert channels in transport layer security | |
| Pattaranantakul et al. | Efficient key management protocol for secure RTMP video streaming toward trusted quantum network | |
| CN112637230B (en) | Instant messaging method and system | |
| US20080107267A1 (en) | Method for Transmitting a Digital Data File Via Telecommunication Networks | |
| US11362812B2 (en) | Method of end to end securing of a communication | |
| CN111797417A (en) | File uploading method and device, storage medium and electronic device | |
| KR101836835B1 (en) | Removable network security appratus and method for encrypting and decrypting network packet | |
| WO2020002793A1 (en) | Method for editing messages by a device on a communication path established between two nodes | |
| KR101503009B1 (en) | Method and apparatus for identifying application based on data size | |
| CN112333204B (en) | 5G network transmission security device based on TCP IP protocol disorder feature code | |
| KR100250457B1 (en) | Communication method between transmitter and receiver in internet protocol based network | |
| EP2846510A1 (en) | SRTP protocol extension | |
| Koppl et al. | Wireless Optical Data Transmission via LiFiMAX Technology with Security Using Elliptical Curves | |
| KR101771992B1 (en) | Operation method of server and client, server enabling the operation method, and client apparatus enabling the operation method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee |
Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD. Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. |
|
| CP01 | Change in the name or title of a patent holder |
Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River Patentee after: Huawei Symantec Technologies Co., Ltd. Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd. |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20120502 Termination date: 20191118 |