CN101710898B - Method for describing characteristics of communication protocol of application software - Google Patents

Info

Publication number: CN101710898B
Application number: CN2009102374338A
Authority: CN (China)
Prior art keywords: characteristic item, load, item, characteristic, feature
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN101710898A (en)
Inventors: 胡昌振, 姚淑萍, 薛飞, 张欣
Current Assignee: Beijing Institute of Technology BIT (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Institute of Technology BIT
(The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Events
  • Application filed by Beijing Institute of Technology BIT
  • Priority to CN2009102374338A
  • Publication of CN101710898A
  • Application granted
  • Publication of CN101710898B
  • Expired - Fee Related (current legal status)
  • Anticipated expiration

Landscapes
  • Communication Control (AREA)

Abstract

The invention relates to a method for describing the characteristics of the communication protocol of application software, and belongs to the technical field of information and network security. The method is used on the premise that the characteristics of the communication protocol of the application software to be identified have already been obtained by analysing captured network packets; the method provided by the invention is then used to describe those characteristics so that the communication protocol of the application software can be identified accurately. The characteristics of the communication protocol of application software are explicitly classified and defined, and the method has strict logic, a compact structure, a wide range of application and good extensibility. When the method is used to identify the communication protocol of application software, it has the advantages of high efficiency, accuracy, real-time operation and extensibility.

Description

A method for identifying characteristics of the communication protocol of application software
Technical field
The present invention relates to a method for identifying the characteristics of the communication protocol of application software, and belongs to the field of network information security. It is applicable to the description of characteristics of the communication protocol of application software during network traffic identification.
Background technology
With the rapid increase in the number of application programs used for transmitting information over the Internet, users' demand for identifying application software is also growing. For example: enterprises wish to identify software unrelated to work, such as point-to-point (P2P) download software, online games, stock-information software and instant messaging, and then regulate employees' Internet behaviour by blocking that software; parents of teenagers wish their Internet service provider (ISP) to identify online-game software accurately and to offer a service that blocks its communication; universities and ISP users wish to identify bandwidth-hogging P2P traffic so that traffic-management controls can be applied according to policy.
Distinguishing different classes of application software is accomplished mainly by identifying the features unique to the communication protocol of each class of application software, and the key technique is how to describe these protocol features effectively. At present the prior art contains the following methods for describing characteristics of the communication protocol of application software:
(1) Code description. In this method the feature codes are written into program code. Its shortcoming is that it hinders maintenance of existing protocol features and extension to new protocol features: every feature update requires changing the program code, recompiling the program and upgrading the corresponding product module.
(2) Regular expressions. This method uses a regular language to state the protocol features. Its shortcomings are that the descriptive power is rather limited and that matching regular expressions is very expensive. Experimental testing found that during identification 90% of the matching time is spent on regular-expression string matching, while the other checking, analysis or monitoring functions take only a small share of the processing time.
(3) Self-defined description. This method uses a user-defined protocol feature description format. Deng Fan, in the document "Traffic identification method based on a feature database" (patent, publication number CN 101442489A), describes each application using the following information:
Application name, for convenient viewing by the user;
Application ID, for convenient retrieval by the system;
Feature value description: each application may have several feature value descriptions, and each feature value description consists of the protocol type, the feature string, the feature string position (offset relative to the message head or tail) and the feature mask (indicating that certain characters in the feature string may be any character).
The defect of the method proposed in that document is that its feature-description capability is limited: it can only describe key feature strings that appear at fixed positions in a single application-layer payload, and its descriptive power is inferior to that of regular expressions.
Summary of the invention
The object of the invention is to address the deficiencies of existing methods for describing characteristics of the communication protocol of application software by proposing a more effective description method. The premise for using the invention is that the features of the communication protocol of the application software to be identified have already been obtained by analysing captured network packets; the method proposed by the invention is then used to describe those features so that the communication protocol of the application software can be identified accurately.
The application software to which the invention relates includes P2P software (e.g. Vagaa), instant messaging software (e.g. MSN), online game software (e.g. CS) and stock-information software, but is not limited to the software named above.
The premise for using the invention is that the features of the communication protocol of the application software to be identified have already been obtained by analysis.
On the basis of the above premise, the invention is realised through the following technical solution.
First, the relevant concepts are defined.
Definition: connection feature
In the invention, packets in network traffic that have the same source IP, source port, destination IP, destination port and transport-layer protocol within a finite time interval belong to the same connection. A connection feature is a characteristic unique to a certain application-software communication protocol that manifests within one connection.
Each application-software communication protocol may have many connection features; when the captured packets belonging to one connection satisfy any one of these connection features, identification of that communication protocol is complete.
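The connection definition above, as an added example that is not code from the patent: a constructed packet list is grouped into connections keyed on the transport protocol and the two endpoints, only packets with a non-empty application-layer payload receive a position number, and each payload records its direction relative to the connection's initial direction. The Packet and Connection field names, the 60-second idle timeout that splits a long-quiet 5-tuple into two connections, and the cap of 15 numbered payloads (taken from the preferred scheme in the position feature item below) are assumptions.

```python
"""Group packets into connections as the description defines them: same
source IP, source port, destination IP, destination port and transport
protocol within a finite time interval. Both directions of an exchange form
one connection; direction 0 is the direction of the connection's first packet.
Added example, not the patent's code; timeout and cap values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float              # capture time in seconds
    src: Tuple[str, int]   # (ip, port)
    dst: Tuple[str, int]
    proto: str             # "TCP" or "UDP"
    payload: bytes         # application-layer payload, lower-layer headers already removed


@dataclass
class Connection:
    proto: str
    initiator: Tuple[str, int]   # endpoint that sent the first packet
    responder: Tuple[str, int]
    last_ts: float
    payloads: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (position, direction, payload)


def connection_key(pkt: Packet):
    """Direction-agnostic key so both halves of an exchange share one connection."""
    a, b = sorted([pkt.src, pkt.dst])
    return (pkt.proto, a, b)


def group_connections(packets: List[Packet], idle_timeout: float = 60.0,
                      max_payloads: int = 15) -> List[Connection]:
    """Return connections in order of first appearance. A gap longer than
    idle_timeout between packets of the same 5-tuple starts a new connection."""
    open_conns: Dict[tuple, Connection] = {}
    result: List[Connection] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = connection_key(pkt)
        conn = open_conns.get(key)
        if conn is None or pkt.ts - conn.last_ts > idle_timeout:
            conn = Connection(pkt.proto, pkt.src, pkt.dst, pkt.ts)
            open_conns[key] = conn
            result.append(conn)
        conn.last_ts = pkt.ts
        if not pkt.payload:
            continue          # pure ACKs / empty datagrams are not numbered
        if len(conn.payloads) >= max_payloads:
            continue          # only the first max_payloads payloads are examined
        direction = 0 if pkt.src == conn.initiator else 1
        conn.payloads.append((len(conn.payloads) + 1, direction, pkt.payload))
    return result


# Constructed sample (not captured traffic): one TCP exchange containing an empty
# ACK, and one UDP exchange that goes idle and resumes 199 seconds later.
SAMPLE = [
    Packet(0.00, ("10.0.0.5", 40000), ("10.0.0.9", 1863), "TCP", b"VER 1 MSNP15\r\n"),
    Packet(0.01, ("10.0.0.9", 1863), ("10.0.0.5", 40000), "TCP", b""),
    Packet(0.02, ("10.0.0.9", 1863), ("10.0.0.5", 40000), "TCP", b"VER 1 MSNP15\r\n"),
    Packet(0.03, ("10.0.0.5", 40000), ("10.0.0.9", 1863), "TCP", b"CVR 0 0x0409\r\n"),
    Packet(1.00, ("10.0.0.5", 50000), ("10.0.0.7", 6000), "UDP", b"\xff\x0a\x0c\x0a\x00\x00\x00\x00"),
    Packet(1.10, ("10.0.0.7", 6000), ("10.0.0.5", 50000), "UDP", b"\x00\x00\x00\x00"),
    Packet(200.0, ("10.0.0.5", 50000), ("10.0.0.7", 6000), "UDP", b"\xff\x0a\x0c\x0a\x00\x00\x00\x00"),
]


def summarize(conns: List[Connection]):
    """(proto, [(position, direction, payload length), ...]) per connection."""
    return [(c.proto, [(pos, d, len(p)) for pos, d, p in c.payloads]) for c in conns]


if __name__ == "__main__":
    for line in summarize(group_connections(SAMPLE)):
        print(line)
```

With the default timeout the sample yields three connections: the TCP exchange with payload positions 1, 2, 3 (the empty ACK is skipped, and position 2 travels opposite to the initial direction), the first UDP exchange, and a second UDP connection for the datagram that arrives after the idle gap. Raising the timeout merges the last datagram into the earlier UDP connection as its third payload.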
The method of the invention for describing characteristics of the communication protocol of application software is as follows:
The invention provides the following description entries to describe a connection feature: a transport-layer protocol feature item, a source port feature item, a destination port feature item, a single-payload feature item and a multi-payload behavioural feature item. The single-payload feature item is composed of a position feature item, a direction feature item, a length feature item, a fixed feature item, a floating feature item, an equality feature item, a length-operation feature item and a port-operation feature item. The multi-payload behavioural feature item is the feature formed jointly, on length, direction and content, by the application-layer payloads of several consecutive packets among the first finite number of packets in a connection whose application-layer payload length is not 0. A multi-payload behavioural feature item is composed of several single-payload feature items.
The description of characteristics of the communication protocol of application software is shown in Fig. 1.
The composition and value constraints of each feature item in the figure are explained in detail below.
1. Transport-layer protocol feature item
Indicates the transport-layer protocol type of the application-layer payload described by the connection feature; the optional values are "TCP" and "UDP". This feature item has no child elements and occurs at most once in a connection feature; if it is absent, the connection feature applies to both TCP and UDP.
2. Source port feature item
Indicates that the source port of the connection described by the connection feature belongs to one or more fixed values, or to a certain range. The port range is 0~65535. The source port feature item occurs at most once in a connection feature; if it is absent, there is no source port feature.
3. Destination port feature item
Indicates that the destination port of the connection described by the connection feature belongs to one or more fixed values, or to a certain range. The port range is 0~65535. The destination port feature item occurs at most once in a connection feature; if it is absent, there is no destination port feature.
4. Single-payload feature item
A feature on the application-layer payload content of one packet among the first finite number of packets of the connection. The single-payload feature item is composed of the following sub-feature items:
1. Position feature item:
Indicates the position, within the whole application connection, of the packet described by this single-payload feature item. The position can be a fixed value or a range. For example, the feature "the first 4 bytes of the application-layer payload are abcd" appears in the 1st packet of the connection, or the feature "the last 4 bytes of the application-layer payload are 0x0a0b0c0d" appears after the 3rd packet and before the 10th packet. In the invention, packet positions are numbered over the sequence of packets whose application-layer payload length is not 0. When examining a connection feature, at most the application-layer payloads of the first finite number of packets of the connection are examined; the preferred scheme examines the features of the first 15 packets. The position feature item occurs at most once in a single-payload feature item; if it is absent, the feature may appear at any position.
2. Direction feature item:
Indicates whether the application-layer payload described by this single-payload feature item travels in the same direction as, or the opposite direction to, the initial direction of the connection. For example, 0 denotes the same direction as the initial direction of the connection and 1 denotes the opposite direction. The direction feature item occurs at most once in a single-payload feature item; if it is absent, there is no direction feature.
3. Length feature item:
Indicates that the application-layer payload length described by the single-payload feature item belongs to one or more fixed values, or to a certain range. Length here means the length of the application-layer payload after the three layers of headers have been removed. The length feature item occurs at most once in a single-payload feature item; if it is absent, there is no length feature.
4. Fixed feature item:
Indicates that certain feature strings are located at fixed positions in the application-layer payload and have constant content. The fixed feature item occurs 0 to n times in a single-payload feature item, where n is an integer greater than 0. The content of the fixed feature item is given in Table 1.
Table 1 Content of the fixed feature item (supplied as image GDA0000049365760000041 in the original; the table body is not available on this page)
Example: the string of length 8 starting at the 11th byte is "abcdefgh", and the last two bytes of the packet are 0x09dd.
5. Floating feature item:
Indicates a feature whose string position is not fixed but whose content is fixed. The floating feature item occurs 0 to n times in a single-payload feature item, where n is an integer greater than 0. The content of the floating feature item is given in Table 2.
Table 2 Content of the floating feature item (supplied as images GDA0000049365760000042 and GDA0000049365760000051 in the original; the table body is not available on this page)
For example: a string with content "abcd" appears somewhere between the 4th byte from the head of the application-layer payload and the penultimate byte.
6. Equality feature item:
Indicates that the contents of equal length located at 2 fixed positions in the application-layer payload are equal, or are unequal. The equality feature item occurs 0 to n times in a single-payload feature item, where n is an integer greater than 0. The content of the equality feature item is given in Table 3.
Table 3 Content of the equality feature item (supplied as image GDA0000049365760000052 in the original; the table body is not available on this page)
Example: take the string A of length 4 at the 3rd byte and the string B of length 4 at the 30th byte, and judge whether A == B.
7. Length-operation feature item:
Indicates that the content of fixed length at a fixed position in this application-layer payload, converted to a numeric value and then added to or subtracted from a fixed correction value, equals the length of this application-layer payload. The length-operation feature item occurs 0 to n times in a single-payload feature item, where n is an integer greater than 0. The content of the length-operation feature item is given in Table 4.
Table 4 Content of the length-operation feature item (supplied as image GDA0000049365760000061 in the original; the table body is not available on this page)
For example: the effective application-layer payload length is 32, the content of the 3rd and 4th bytes is 0x001c, whose decimal value is 28, and 28 + 4 = 32, where 4 is the correction value.
8. Port-operation feature item:
Indicates that the content of fixed length at a fixed position in this application-layer payload equals the source port or the destination port of this connection. The port-operation feature item occurs 0 to n times in a single-payload feature item, where n is an integer greater than 0. The content of the port-operation feature item is given in Table 5.
Table 5 Content of the port-operation feature item (supplied as images GDA0000049365760000062 and GDA0000049365760000071 in the original; the table body is not available on this page)
For example: the destination port of the connection is 3333; converting the content of length 4 at the 3rd byte to a decimal value gives A, and A == 3333.
5. Multi-payload behavioural feature item
The feature formed jointly, on length, direction and content, by the application-layer payloads of several consecutive packets among the first finite number of packets in the connection whose application-layer payload length is not 0.
A multi-payload behavioural feature item is composed of several single-payload feature items. When analysing the application-layer payloads of application software, if the features of a single payload are relatively few and would collide with the features of other application-software communication protocols, the features of several consecutive application-layer payloads among the first finite number of packets of that software's communication connection can be used in combination, thereby avoiding feature collisions and increasing identification accuracy. However, because a multi-payload behavioural feature examines the features of several packets, it consumes more time and resources of the network security device than a single-payload feature, which is efficient.
Within a connection feature, the single-payload feature item and the multi-payload behavioural feature item are mutually exclusive: a connection feature contains only one of the two.
6. Self-defined items
According to the specific characteristics of the application-software communication protocol, several self-defined items may be set.
Beneficial effect
The description mode of the invention is proposed on the basis of refining the common features of a large number of different classes of application-software communication protocol characteristics. It classifies and defines those characteristics explicitly, and has strict logic, a compact structure, a wide range of application and good extensibility. When the method proposed by the invention is used for identifying the communication protocol of application software, it has the advantages of high efficiency, accuracy, real-time operation and extensibility.
Description of the drawings
Fig. 1 is a schematic diagram of the description mode of the invention for characteristics of the communication protocol of application software.
Embodiment
The invention is described in detail below in conjunction with an embodiment, in accordance with the above technical scheme.
Several different application programs from four classes, P2P, instant messaging (IM), online games and stock information, are selected as protocol-analysis objects to show how the description method set out in the invention is used to describe protocol features. For the P2P class, Vagaa, which is widely used by domestic users, is analysed, version 2.6.6.3; for the IM class, MSN, the most widely used at home and abroad, is analysed, 2009 edition (version 14.0.8050.1202); considering that the online game class and the stock information class are similar and differ only in function, the invention analyses only the online game Counter-Strike (CS), version 1.6v3647.
Experimental environment:
Hardware: Pentium IV 3.0 GHz processor, 1 GB memory;
Operating system: Windows XP SP2;
Packet capture software: Wireshark;
Tested application software: Vagaa, MSN, CS;
Network environment: ADSL dial-up, bandwidth 1 Mbps.
First, the above three application-software communication protocols are analysed through network packet capture to obtain the protocol features.
1. Vagaa protocol
The Vagaa protocol features are as follows:
(1) The Vagaa protocol can carry out file transfer over both the TCP and UDP transport protocols;
(2) The first 4 bytes of the first application-layer payload of the UDP protocol are 0xff0a0c02, and the payload length is always 8;
(3) The first 4 bytes of the first application-layer payload of the UDP protocol are 0xff0e0000, and the payload length is always 12;
(4) The first 4 bytes of the first application-layer payload of the UDP or TCP protocol are 0xffdee3e4, and the payload length is greater than 68;
(5) The first two bytes of the first application-layer payload of the UDP or TCP protocol are 0x3cb0, and the 4th and 5th bytes are 0x649b;
(6) In 3 consecutive TCP packets whose application-layer payload length is not 0, the application-layer payload length of the first packet is in the range 220~240, that of the second packet is in the range 160~200, and that of the third packet is 26 or 80;
(7) In 3 consecutive TCP packets whose application-layer payload length is not 0, the application-layer payload length of the first packet is 26, that of the second packet is one of 29, 66, 188, 10, 14, and that of the third packet is one of 26, 54, 14, 10.
(8) In 3 consecutive UDP packets whose application-layer payload length is not 0, the application-layer payload length of the first packet is one of 8, 12, 16, that of the second packet is 4, and that of the third packet is 4.
2. MSN protocol
The MSN protocol features are as follows:
(1) The MSN protocol carries out file transfer over the TCP transport protocol;
(2) The first 4 bytes of the application-layer payload of the first TCP packet are "VER", and after the 4th byte there is a string with content "MSNP" whose position is not fixed;
(3) The first 6 bytes of the application-layer payload of the first TCP packet are "ISR 1", and the last two bytes are 0x0d0a;
(4) The first 6 bytes of the application-layer payload of the first TCP packet are "ANS 1", and the last two bytes are 0x0d0a.
3. CS protocol
The CS protocol features are as follows:
(1) The CS protocol carries out file transfer over the UDP transport protocol;
(2) The first 16 bytes of the application-layer payload of the first UDP packet are 0xffffffff6765746368616c6c656e6765;
(3) The first 25 bytes of the application-layer payload of the first UDP packet are 0xffffffff54536f7572636520456e67696e6520517565727900.
The features of the above application-software communication protocols are expressed according to the feature description mode proposed by the invention as follows:
1. Vagaa protocol
The Vagaa software communication protocol features are composed of 7 connection features:
(1) The connection feature is composed of a transport-layer protocol feature item and a single-payload feature item. The transport-layer protocol feature item value is UDP, indicating that the connection identified by this feature uses UDP as its transport-layer protocol. The single-payload feature item is composed of a position feature item, a length feature item and a fixed feature item: the position feature item value is 1, indicating that the feature information recorded by this single-payload feature item is located in the first application payload of the connection; the length feature item content is "equal to 8"; in the fixed feature item the offset is 1, the feature length is 4, the feature is 0xff0a0c0a, and the operator item is EQ.
(2) The connection feature is composed of a transport-layer protocol feature item and a single-payload feature item, and the transport-layer protocol feature item value is UDP. The single-payload feature item is composed of a position feature item, a length feature item and a fixed feature item: the position feature item value is 1, the length feature item value is "equal to 12"; in the fixed feature item the offset is 1, the feature length is 4, the feature is 0xff0e0000, and the operator item is EQ.
(3) The connection feature is composed of a single-payload feature item, which is composed of a position feature item, a length feature item and a fixed feature item: the position feature item value is 1, the length feature item value is "greater than 68"; in the fixed feature item the offset is 1, the feature length is 4, the feature is 0xff0e0000, and the operator item is EQ.
(4) The connection feature is composed of a single-payload feature item, which is composed of a position feature item and two fixed feature items: the position feature item value is 1; in the first fixed feature item the offset is 1, the feature length is 2, the feature is 0x3cb0, and the operator item is EQ; in the second fixed feature item the offset is 4, the feature length is 2, the feature is 0x649b, and the operator item is EQ.
(5) The connection feature is composed of a transport-layer protocol feature item and a multi-payload behavioural feature item. The transport-layer protocol feature item value is TCP. The multi-payload behavioural feature item is composed of three single-payload feature items: the first single-payload feature item is composed of a length feature item with value between 220~240; the second single-payload feature item is composed of a length feature item with value between 160~200; the third single-payload feature item is composed of a length feature item with value 26 or 80.
(6) The connection feature is composed of a transport-layer protocol feature item and a multi-payload behavioural feature item. The transport-layer protocol feature item value is TCP. The multi-payload behavioural feature item is composed of three single-payload feature items: the first single-payload feature item is composed of a length feature item with value 26; the second single-payload feature item is composed of a length feature item with value 29 or 66 or 188 or 14 or 10; the third single-payload feature item is composed of a length feature item with value 26 or 54 or 14 or 10.
(7) The connection feature is composed of a transport-layer protocol feature item and a multi-payload behavioural feature item. The transport-layer protocol feature item value is UDP. The multi-payload behavioural feature item is composed of three single-payload feature items: the first single-payload feature item is composed of a length feature item with value 16 or 12 or 8; the second single-payload feature item is composed of a length feature item with value 4; the third single-payload feature item is composed of a length feature item with value 4.
2. MSN protocol
The MSN software protocol features are composed of 3 connection features:
(1) The connection feature is composed of a transport-layer protocol feature item and a single-payload feature item: the transport-layer protocol feature item value is TCP; the single-payload feature item is composed of a position feature item, a fixed feature item and a floating feature item. The position feature item value is 1; in the fixed feature item the offset is 1, the feature length is 4, the feature is "VER", and the operator item is EQ; in the floating feature item the start position offset is 5, the end position offset is -1, the feature length is 4, the feature is "MSNP", and the operator item is EQ.
(2) The connection feature is composed of a transport-layer protocol feature item and a single-payload feature item: the transport-layer protocol feature item value is TCP; the single-payload feature item is composed of a position feature item and two fixed feature items: the position feature item value is 1; in the first fixed feature item the offset is 1, the feature length is 6, the feature is "ISR 1", and the operator item is EQ; in the second fixed feature item the offset is -1, the feature length is 2, the feature is 0x0d0a, and the operator item is EQ.
(3) The connection feature is composed of a transport-layer protocol feature item and a single-payload feature item: the transport-layer protocol feature item value is TCP; the single-payload feature item is composed of a position feature item and two fixed feature items: the position feature item value is 1; in the first fixed feature item the offset is 1, the feature length is 6, the feature is "ANS 1", and the operator item is EQ; in the second fixed feature item the offset is -1, the feature length is 2, the feature is 0x0d0a, and the operator item is EQ.
3. CS protocol
The CS software protocol is composed of two connection features:
(1) The connection feature is composed of a transport-layer protocol feature item and a single-payload feature item, and the transport-layer protocol feature item value is UDP. The single-payload feature item is composed of a position feature item and a fixed feature item: the position feature item value is 1; in the fixed feature item the offset is 1, the feature length is 16, the feature is 0xffffffff6765746368616c6c656e6765, and the operator item is EQ.
(2) The connection feature is composed of a transport-layer protocol feature item and a single-payload feature item, and the transport-layer protocol feature item value is UDP. The single-payload feature item is composed of a position feature item and a fixed feature item: the position feature item value is 1; in the fixed feature item the offset is 1, the feature length is 25, the feature is 0xffffffff54536f7572636520456e67696e6520517565727900, and the operator item is EQ.
After the features of an application-software communication protocol have been described using the description method proposed by the invention, that communication protocol can be identified accurately.
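The feature items defined in sections 1 to 5 above and the embodiment's connection features for Vagaa, MSN and CS, as one added example that is not the patent's code: a matcher evaluates a connection feature against a connection represented by its non-empty application-layer payloads in order, and the embodiment's feature values are transcribed as data. The tables 1 to 5 that define each item's fields are not reproduced on this page, so the field layout below is ours; the dataclass names, the 1-based offsets with negative offsets counted from the payload tail, the big-endian interpretation of numeric fields for the length and port operations, and the trailing space that pads "VER" and "ISR 1" to their stated feature lengths of 4 and 6 are all assumptions.

```python
"""Matcher for connection features in the form given in the description.
Added example, not the patent's code. Encoding assumptions: offsets are 1-based;
a negative offset -k addresses the window that ends k-1 bytes before the payload
tail (offset -1, length 2 = the last 2 bytes); a floating item (start, end, n,
value) searches payload[start-1:end], a negative end counted the same way;
numeric fields are big-endian unsigned integers."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Values = Union[set, Tuple[int, int]]   # "one or more fixed values, or a range" (inclusive)

def in_values(v: int, spec: Optional[Values]) -> bool:
    if spec is None:                   # item absent: no constraint
        return True
    if isinstance(spec, set):
        return v in spec
    return spec[0] <= v <= spec[1]

def window(p: bytes, offset: int, n: int) -> Optional[bytes]:
    """n bytes at 1-based offset; negative offsets are measured from the tail."""
    start = offset - 1 if offset > 0 else len(p) + offset + 1 - n
    if start < 0 or start + n > len(p):
        return None
    return p[start:start + n]

@dataclass
class SinglePayload:
    position: Optional[Values] = None  # index among non-empty payloads, 1-based
    direction: Optional[int] = None    # 0 = initial direction of the connection, 1 = opposite
    length: Optional[Values] = None    # application-layer payload length
    fixed: List[Tuple[int, int, bytes]] = field(default_factory=list)          # (offset, n, value)
    floating: List[Tuple[int, int, int, bytes]] = field(default_factory=list)  # (start, end, n, value)
    equal: List[Tuple[int, int, int, bool]] = field(default_factory=list)      # (off_a, off_b, n, equal?)
    length_op: List[Tuple[int, int, int]] = field(default_factory=list)        # (offset, n, correction)
    port_op: List[Tuple[int, int, str]] = field(default_factory=list)          # (offset, n, "src"/"dst")

    def matches(self, pos: int, direction: int, p: bytes, ports: dict) -> bool:
        if not in_values(pos, self.position) or not in_values(len(p), self.length):
            return False
        if self.direction is not None and direction != self.direction:
            return False
        if any(window(p, off, n) != val for off, n, val in self.fixed):
            return False
        for start, end, n, val in self.floating:
            stop = end if end > 0 else len(p) + end + 1
            if len(val) != n or p.find(val, start - 1, stop) < 0:
                return False
        for a, b, n, must_equal in self.equal:
            wa, wb = window(p, a, n), window(p, b, n)
            if wa is None or wb is None or (wa == wb) != must_equal:
                return False
        for off, n, corr in self.length_op:   # field value plus correction equals payload length
            w = window(p, off, n)
            if w is None or int.from_bytes(w, "big") + corr != len(p):
                return False
        for off, n, which in self.port_op:    # field value equals the connection's src/dst port
            w = window(p, off, n)
            if w is None or int.from_bytes(w, "big") != ports[which]:
                return False
        return True

@dataclass
class ConnectionFeature:
    name: str
    transport: Optional[str] = None        # "TCP", "UDP", or None for both
    src_port: Optional[Values] = None
    dst_port: Optional[Values] = None
    single: Optional[SinglePayload] = None # a connection feature holds either `single` ...
    multi: List[SinglePayload] = field(default_factory=list)  # ... or `multi`, never both

@dataclass
class Connection:
    transport: str
    src_port: int
    dst_port: int
    payloads: List[Tuple[int, bytes]]      # (direction, payload) for non-empty payloads, in order

MAX_PAYLOADS = 15   # the description's preferred scheme examines the first 15 packets

def match(feat: ConnectionFeature, conn: Connection) -> bool:
    if feat.transport is not None and feat.transport != conn.transport:
        return False
    if not in_values(conn.src_port, feat.src_port) or not in_values(conn.dst_port, feat.dst_port):
        return False
    ports = {"src": conn.src_port, "dst": conn.dst_port}
    pl = conn.payloads[:MAX_PAYLOADS]
    if feat.single is not None:            # any one examined payload may carry the feature
        return any(feat.single.matches(i + 1, d, p, ports) for i, (d, p) in enumerate(pl))
    k = len(feat.multi)                    # any run of k consecutive non-empty payloads
    return any(all(feat.multi[j].matches(i + j + 1, *pl[i + j], ports) for j in range(k))
               for i in range(len(pl) - k + 1))

def identify(conn: Connection, features: List[ConnectionFeature]) -> Optional[str]:
    """Name of the first connection feature the connection satisfies, else None."""
    return next((f.name for f in features if match(f, conn)), None)

# Connection features transcribed from the embodiment. The page gives "VER" with feature
# length 4 and "ISR 1" with length 6; padding them with a trailing space is our assumption.
SIGNATURES = [
    ConnectionFeature("Vagaa-1", "UDP", single=SinglePayload(
        position={1}, length={8}, fixed=[(1, 4, bytes.fromhex("ff0a0c0a"))])),
    ConnectionFeature("Vagaa-5", "TCP", multi=[
        SinglePayload(length=(220, 240)), SinglePayload(length=(160, 200)), SinglePayload(length={26, 80})]),
    ConnectionFeature("MSN-1", "TCP", single=SinglePayload(
        position={1}, fixed=[(1, 4, b"VER ")], floating=[(5, -1, 4, b"MSNP")])),
    ConnectionFeature("MSN-2", "TCP", single=SinglePayload(
        position={1}, fixed=[(1, 6, b"ISR 1 "), (-1, 2, b"\r\n")])),
    ConnectionFeature("CS-2", "UDP", single=SinglePayload(
        position={1}, fixed=[(1, 16, bytes.fromhex("ffffffff6765746368616c6c656e6765"))])),
]
```

A connection is matched against the list in order and the first satisfied connection feature names the protocol, which is the "any one connection feature suffices" rule of the definition. The multi-payload case slides a window of consecutive non-empty payloads, so the Vagaa-5 length pattern is found even when an unrelated payload precedes it, and every sub-item is optional, so an absent item places no constraint, exactly as the description states for each "does not occur" case.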
In particular, those skilled in the art can make some improvements without departing from the principle of the invention, and these should also be regarded as falling within the scope of protection of the invention.

Claims (1)

1. A method for identifying the communication protocol features of application software, which classifies and defines those features explicitly and thereby identifies the application software's communication protocol, characterized in that: the features of the application-software communication protocol to be identified are obtained by analysing captured network packets, and the protocol is identified according to those features; the description entry for the communication protocol features consists of a transport-layer protocol feature item, a source port feature item, a destination port feature item, a single-payload feature item, a multi-payload behaviour feature item and custom items; the single-payload feature item consists of a position feature item, a direction feature item, a length feature item, a fixed feature item, a floating feature item, an equality feature item, a length-operation feature item and a port-operation feature item; the multi-payload behaviour feature item is the feature jointly formed, on length, direction and content, by the application-layer payloads of several consecutive packets among the first finite number of packets of a connection whose application-layer payload length is not 0; the multi-payload behaviour feature item consists of several single-payload feature items; a custom item is an item defined by the user according to the specific characteristics of the application-software communication protocol;
The composition and value of each feature item are constrained as follows:
(1). Transport-layer protocol feature item
Indicates the transport-layer protocol type of the application-layer payload described by the connection feature; the value is "TCP" or "UDP"; this feature item has no child elements and appears at most once in a connection feature; if absent, the connection feature applies to both TCP and UDP;
(2). Source port feature item
Indicates that the source port of the connection described by the connection feature belongs to one or more fixed values, or to a range; port values range over 0~65535; the source port feature item appears at most once in a connection feature; if absent, there is no source port feature;
(3). Destination port feature item
Indicates that the destination port of the connection described by the connection feature belongs to one or more fixed values, or to a range; port values range over 0~65535; the destination port feature item appears at most once in a connection feature; if absent, there is no destination port feature;
(4). Single-payload feature item
A feature of the application-layer payload content of one packet among the first finite number of packets of a connection; the single-payload feature item consists of the following sub-feature items:
1. Position feature item:
Indicates the position, within the whole application connection, of the packet described by this single-payload feature item; the position is a fixed value or a range; packet positions are counted over packets whose application-layer payload length is not 0; when a connection feature is examined, at most the application-layer payloads of the first finite number of packets of the connection are inspected; the position feature item appears at most once in a single-payload feature item; if absent, the feature may appear at any position;
2. Direction feature item:
Indicates whether the application-layer payload described by this single-payload feature item travels in the same direction as, or the opposite direction to, the initial direction of the connection; the direction feature item appears at most once in a single-payload feature item; if absent, there is no direction feature;
3. Length feature item:
Indicates that the application-layer payload length described by the single-payload feature item belongs to one or more fixed values, or to a range; length here means the length of the application-layer payload after the three lower-layer headers have been removed; the length feature item appears at most once in a single-payload feature item; if absent, there is no length feature;
4. Fixed feature item:
Indicates that certain feature strings sit at fixed positions in the application-layer payload and have constant content; the fixed feature item occurs 0 to n times in a single-payload feature item, n being an integer greater than 0; the content of the fixed feature item is given in Table 1;
Table 1 Fixed feature item content [table rendered as image FDA0000071229870000031 in the original; contents not reproduced]
5. Floating feature item:
Indicates feature strings whose position in the payload is not fixed but whose content is fixed; the floating feature item occurs 0 to n times in a single-payload feature item, n being an integer greater than 0; the content of the floating feature item is given in Table 2;
Table 2 Floating feature item content [table rendered as image FDA0000071229870000032 in the original; contents not reproduced]
6. Equality feature item:
Indicates whether the contents of two equal-length fields located at two fixed positions in the application-layer payload are equal or unequal; the equality feature item occurs 0 to n times in a single-payload feature item, n being an integer greater than 0; the content of the equality feature item is given in Table 3;
Table 3 Equality feature item content
7. Length-operation feature item:
Indicates that the content of a fixed-length field at a fixed position in the application-layer payload, converted to a numeric value and then adjusted by adding or subtracting a fixed correction value, equals the length of the application-layer payload; the length-operation feature item occurs 0 to n times in a single-payload feature item, n being an integer greater than 0; the content of the length-operation feature item is given in Table 4;
Table 4 Length-operation feature item content [table rendered as image FDA0000071229870000042 in the original; contents not reproduced]
8. Port-operation feature item:
Indicates that the content of a fixed-length field at a fixed position in the application-layer payload equals the source port or the destination port of the connection; the port-operation feature item occurs 0 to n times in a single-payload feature item, n being an integer greater than 0; the content of the port-operation feature item is given in Table 5;
Table 5 Port-operation feature item content [table rendered as images FDA0000071229870000043 and FDA0000071229870000051 in the original; contents not reproduced]
(5). Multi-payload behaviour feature item
The feature jointly formed, on length, direction and content, by the application-layer payloads of several consecutive packets among the first finite number of packets of a connection whose application-layer payload length is not 0;
The multi-payload behaviour feature item consists of several single-payload feature items; when the application-layer payload of application software is analysed, if the feature of a single payload is comparatively weak and collides with the communication protocol features of other application software, the features of several consecutive application-layer payloads among the first finite number of packets of the application's connection are used jointly, so that feature collisions are avoided and identification accuracy increases; however, a multi-payload behaviour feature must inspect several packets, so compared with the more efficient single-payload feature it costs the network security device more time and resources;
Within one connection feature, the single-payload feature item and the multi-payload behaviour feature item are mutually exclusive, i.e. a connection feature contains only one of the two;
(6). Custom items
Several custom items are set according to the specific characteristics of the application-software communication protocol.
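The following Python evaluator is an added example, not code from the patent: it implements the description entry of claim 1 (items (1) to (5), with the mutual-exclusion rule) and matches it against constructed packet captures. Everything beyond the claim is an assumption: the byte layouts standing in for Tables 1 to 5 (which are images in the original), the invented "EX" protocol, the port numbers, and the limit of eight inspected payloads.

```python
"""Evaluator for connection features of the kind set out in claim 1 (added example, not from the patent).
Field layouts for the sub-items, the 'EX' protocol and all sample data below are assumptions."""
import struct
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

# Value constraint for ports, positions and lengths: a set of fixed values or an inclusive (lo, hi) range.
Spec = Optional[Union[frozenset, Tuple[int, int]]]

def in_spec(spec: Spec, value: int) -> bool:
    """An absent item (None) constrains nothing, as the claim states for every optional item."""
    if spec is None:
        return True
    return spec[0] <= value <= spec[1] if isinstance(spec, tuple) else value in spec

@dataclass
class Packet:
    src_port: int
    dst_port: int
    forward: bool    # True: same direction as the connection's first packet
    payload: bytes   # application-layer payload, lower-layer headers already removed

def _uint(p: bytes, off: int, n: int) -> Optional[int]:
    """Big-endian unsigned integer in p[off:off+n], or None if the payload is too short."""
    return int.from_bytes(p[off:off + n], "big") if off + n <= len(p) else None

@dataclass
class SinglePayloadFeature:
    """Item (4) of the claim: one payload, eight optional sub-items (absent sub-item = no constraint)."""
    position: Spec = None                             # 1-based index among payload-bearing packets
    direction: Optional[str] = None                   # "same" / "opposite" to the initial direction
    length: Spec = None
    fixed: Sequence[Tuple[int, bytes]] = ()           # (offset, bytes): fixed position, fixed content
    floating: Sequence[bytes] = ()                    # fixed content at any position
    equal: Sequence[Tuple[int, int, int, bool]] = ()  # (off_a, off_b, size, must_be_equal)
    length_ops: Sequence[Tuple[int, int, int]] = ()   # (offset, size, correction): value + correction == len
    port_ops: Sequence[Tuple[int, int, str]] = ()     # (offset, size, "src"|"dst"): value == connection port

    def matches(self, pkt: Packet, position: int, conn_src: int, conn_dst: int) -> bool:
        p = pkt.payload
        if not in_spec(self.position, position) or not in_spec(self.length, len(p)):
            return False
        if self.direction is not None and (self.direction == "same") != pkt.forward:
            return False
        if any(p[off:off + len(s)] != s for off, s in self.fixed) or any(s not in p for s in self.floating):
            return False
        for a, b, n, want in self.equal:
            if max(a, b) + n > len(p) or (p[a:a + n] == p[b:b + n]) != want:
                return False
        for off, n, corr in self.length_ops:
            v = _uint(p, off, n)
            if v is None or v + corr != len(p):
                return False
        for off, n, which in self.port_ops:
            v = _uint(p, off, n)
            if v is None or v != (conn_src if which == "src" else conn_dst):
                return False
        return True

@dataclass
class ConnectionFeature:
    """The description entry of claim 1: items (1)-(3) plus exactly one of (4) single or (5) multi."""
    name: str
    transport: Optional[str] = None   # "TCP", "UDP" or None (applies to both)
    src_port: Spec = None
    dst_port: Spec = None
    single: Optional[SinglePayloadFeature] = None
    multi: Optional[Sequence[SinglePayloadFeature]] = None   # consecutive payload-bearing packets
    max_payloads: int = 8             # how many leading payloads are inspected (assumed value)

    def __post_init__(self):
        if (self.single is None) == (self.multi is None):
            raise ValueError("single-payload and multi-payload items are mutually exclusive")

    def matches(self, transport: str, packets: Sequence[Packet]) -> bool:
        if not packets or (self.transport is not None and self.transport != transport):
            return False
        src, dst = packets[0].src_port, packets[0].dst_port   # connection ports = initiator's packet
        if not in_spec(self.src_port, src) or not in_spec(self.dst_port, dst):
            return False
        payloads = [p for p in packets if p.payload][: self.max_payloads]   # bare ACKs are not counted
        if self.single is not None:
            return any(self.single.matches(p, i, src, dst) for i, p in enumerate(payloads, 1))
        m = len(self.multi)
        return any(all(self.multi[j].matches(payloads[i + j], i + j + 1, src, dst) for j in range(m))
                   for i in range(len(payloads) - m + 1))

def _ex_request(client_port: int, body: bytes) -> bytes:
    """Constructed 'EX' request: magic | total length | client port | version, version | body."""
    return b"EX" + struct.pack(">HH", 8 + len(body), client_port) + b"\x01\x01" + body

def _ex_reply(body: bytes) -> bytes:
    return b"EX" + struct.pack(">H", 4 + len(body)) + body

# Multi-payload behaviour feature: request then reply, each checked by one single-payload item.
EX_FEATURE = ConnectionFeature(
    name="EX", transport="TCP", dst_port=frozenset({7777}),
    multi=[SinglePayloadFeature(position=(1, 1), direction="same", length=(8, 64), fixed=[(0, b"EX")],
                                floating=[b"HELLO"], equal=[(6, 7, 1, True)],
                                length_ops=[(2, 2, 0)], port_ops=[(4, 2, "src")]),
           SinglePayloadFeature(position=(2, 2), direction="opposite",
                                fixed=[(0, b"EX"), (4, b"OK")], length_ops=[(2, 2, 0)])])

# A weak single-payload feature (magic anywhere): the collision case item (5) warns about.
EX_WEAK = ConnectionFeature(name="EX-weak", single=SinglePayloadFeature(floating=[b"EX"]))

def sample_connections() -> dict:
    """Constructed captures; the first packet fixes the connection's direction and ports."""
    corrupt = bytearray(_ex_request(40000, b"HELLO"))
    corrupt[3] += 1                                   # length field off by one
    return {
        "good": [Packet(40000, 7777, True, _ex_request(40000, b"HELLO")),
                 Packet(7777, 40000, False, b""),     # pure ACK: skipped when counting positions
                 Packet(7777, 40000, False, _ex_reply(b"OK"))],
        "corrupt": [Packet(40000, 7777, True, bytes(corrupt)), Packet(7777, 40000, False, _ex_reply(b"OK"))],
        "decoy": [Packet(40001, 7777, True, b"GET /INDEX HTTP/1.0\r\n\r\n"),
                  Packet(7777, 40001, False, b"HTTP/1.0 200 OK\r\n\r\n")],
    }

def classify(feature: ConnectionFeature, conns: dict) -> dict:
    return {name: feature.matches("TCP", pkts) for name, pkts in conns.items()}
```

Running `classify` over `sample_connections()` shows the trade-off the claim describes: the multi-payload feature accepts only the well-formed "EX" exchange and rejects both the capture whose length field is off by one and the HTTP decoy that merely contains the bytes "EX", whereas the weak single-payload feature matches all three. The price is that the multi-payload matcher has to hold several packets of a connection before it can decide, which is the extra time and memory cost on the inspection device that item (5) mentions.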
CN2009102374338A 2009-11-06 2009-11-06 Method for describing characteristics of communication protocol of application software Expired - Fee Related CN101710898B (en)

Publications (2)

Publication Number Publication Date
CN101710898A CN101710898A (en) 2010-05-19
CN101710898B true CN101710898B (en) 2011-10-19

Family

ID=42403658

Country Status (1)

Country Link
CN (1) CN101710898B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102938764B (en) * 2012-11-09 2015-05-20 北京神州绿盟信息安全科技股份有限公司 Application identification processing method and device
CN105871832B (en) * 2016-03-29 2018-11-02 北京理工大学 A kind of network application encryption method for recognizing flux and its device based on protocol attribute
CN106101061A (en) * 2016-05-24 2016-11-09 北京奇虎科技有限公司 The automatic classification method of rogue program and device
CN106060025A (en) * 2016-05-24 2016-10-26 北京奇虎科技有限公司 Automatic application classification method and automatic application classification device
CN107465570B (en) * 2017-07-12 2020-12-15 西安交大捷普网络科技有限公司 Data packet keyword detection method based on ring queue
CN115242691B (en) * 2022-07-04 2023-05-19 中国电子科技集团公司第三十研究所 Protocol identification method based on protocol feature library

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035111A (en) * 2007-04-13 2007-09-12 北京启明星辰信息技术有限公司 Intelligent protocol parsing method and device

Similar Documents

Publication Publication Date Title
CN101827084B (en) Efficient application identification with network devices
CN101710898B (en) Method for describing characteristics of communication protocol of application software
US8220048B2 (en) Network intrusion detector with combined protocol analyses, normalization and matching
US7548848B1 (en) Method and apparatus for semantic processing engine
CN102724317A (en) Network data flow classification method and device
RU2419986C2 (en) Combining multiline protocol accesses
IL275042A (en) Self-adaptive application programming interface level security monitoring
Sija et al. A survey of automatic protocol reverse engineering approaches, methods, and tools on the inputs and outputs view
CN102316087A (en) The detection method that network application is attacked
CN100553206C (en) Internet, applications method for recognizing flux based on packet sampling and application signature
CN112769633B (en) Proxy traffic detection method and device, electronic equipment and readable storage medium
CN102571946B (en) Realization method of protocol identification and control system based on P2P (peer-to-peer network)
CN104333483A (en) Identification method, system and identification device for internet application flow
CN107404459B (en) Method for acquiring fingerprint characteristics of network attack message and network equipment
CN104333461A (en) Identification method, system and identification device for internet application flow
CN106452954B (en) HTTP data characteristics analysis method and system
US10333769B2 (en) Deployable linear bitwise protocol transformation
CN114070800A (en) SECS2 traffic rapid identification method combining deep packet inspection and deep stream inspection
CN101854366A (en) Peer-to-peer network flow-rate identification method and device
CN104796426B (en) The detection method at webpage back door
CN105681317A (en) Novel business and database auditing engine
CN102185758A (en) Protocol recognizing method based on Ares message tagged word
CN116192527A (en) Attack flow detection rule generation method, device, equipment and storage medium
Oudah et al. Using burstiness for network applications classification
CN108650229A (en) A kind of network application behavior parsing restoring method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111019

Termination date: 20141106

EXPY Termination of patent right or utility model