CN101741686A - Method applied to traffic identification and control of P2P network based on mathematical modeling technology - Google Patents

Publication number
CN101741686A
Authority
CN
China
Prior art keywords
address
flow
mathematical modeling
session
technology
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200810171807A
Other languages
Chinese (zh)
Other versions
CN101741686B (en)
Inventor
付天福
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
TIANJIN BMC NETWORK INNOVATION Technology Co Ltd
Original Assignee
TIANJIN BMC NETWORK INNOVATION Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TIANJIN BMC NETWORK INNOVATION Technology Co Ltd
Priority to CN2008101718076A
Publication of CN101741686A
Application granted
Publication of CN101741686B
Expired - Fee Related
Anticipated expiration

Abstract

The invention discloses a method applied to traffic identification and control of a P2P network based on mathematical modeling technology, in particular a method that identifies network traffic by building a mathematical model of the traffic and applies control based on user behavior. The method comprises the following steps: connecting a gateway or bridge device in series with the network to analyze the network traffic; analyzing the active sessions of each IP address; jointly analyzing the distribution of the peer IP addresses to which each IP address actively connects, the TCP/UDP port distribution of the active sessions, the session state information, and the like, to build the mathematical model; and judging a user's P2P downloading behavior by model matching. Application-layer network traffic is identified by mathematical model matching, which is independent of traditional methods based on protocol parsing and keyword matching, and the efficiency of traffic identification and the processing capacity of a traffic control device are greatly improved.

Description

A method applied to traffic identification and control of P2P networks based on mathematical modeling technology
Technical field
The present invention relates to traffic identification and control technology in the field of data communication, and in particular to a method for identifying P2P traffic by matching it against a mathematical model of the traffic, and for controlling that P2P traffic.
Background
At present, P2P has become the most widely used file transfer technology on the Internet. According to incomplete statistics, about 60% of carrier backbone bandwidth is traffic produced by P2P software. Large volumes of P2P traffic cause network congestion and wasted bandwidth, reducing the efficiency of the whole communication network. How to identify and control P2P is therefore a major challenge at present.
Software developed on P2P technology has the following typical characteristics:
1. The software is highly diverse, and the communication protocols it uses are irregular and non-standard;
2. Each host is both a server and a client, there is no obvious central control unit, and the traffic has a mesh connection pattern, which makes it hard to identify;
3. To evade control of P2P services by network operators and the like, the software generally uses techniques such as encrypted transmission and frequently updated protocol signatures, which makes identification and control difficult.
Traditional P2P traffic identification: for example, the patent application with publication number CN 1750538A, published on March 22, 2006, discloses a technique that uses signature codes (keywords) to identify P2P traffic. However, once new P2P software appears, or a P2P software signature is updated, or P2P software encrypts its traffic, the P2P traffic can no longer be identified.
The patent application with publication number CN 101051997A, published on October 10, 2007, discloses a technique that performs P2P identification using TCP/UDP port numbers greater than 1024. However, this method cannot distinguish P2P traffic from traffic of types such as TCP and DDoS attacks.
The patent application with publication number CN 1863154A, published on November 15, 2006, discloses a technique that performs P2P identification using the number of peer IP addresses to which an IP address is connected. However, this method cannot tell whether an IP address belongs to a device that provides a service to many users, or to a user who is initiating a large number of P2P connections.
Summary of the invention
The present invention derives a typical P2P traffic model by analyzing the technical characteristics of P2P, and identifies P2P traffic efficiently and conveniently by extracting the model's feature values.
The invention provides a method applied to traffic identification and control of P2P networks based on mathematical modeling technology, which specifically comprises the following steps: building a mathematical model of the communication sessions of each IP address in the network by collecting the peer IP address distribution, the TCP/UDP port distribution, and the session state information of the active sessions of that IP address, and using the mathematical modeling technology to produce the model feature values; matching the model feature values against preset P2P traffic model parameters; where they match the P2P traffic model parameters, judging that the IP address is currently using P2P technology to transfer data; and, according to a preconfigured P2P traffic control policy, controlling all traffic of that IP address that matches the P2P characteristics.
The preset P2P traffic model parameters comprise the minimum IP address dispersion Cip, the minimum TCP/UDP port dispersion Mport, the maximum session completion rate Cratemax, and the minimum session completion rate Cratemin. These four parameters are configured in the mathematical model library.
The method computes the model feature values for each active IP address in the network: the connectivity dispersion Xip, the port dispersion Xport, and the session completion rate Xrate of each IP address.
When Xip>Cip, Xport>Mport and Cratemin<Xrate<Cratemax are all satisfied at the same time, the IP address is judged to be currently using P2P technology. The P2P packets are then queued using a token bucket algorithm, in order to limit the maximum peak of the P2P traffic of that IP address, or to limit the total amount of P2P data that the IP address can transfer per unit time, or to limit the number of P2P sessions of that IP address.
The present invention is superior to the techniques adopted by the three inventions cited in the background in the following respects:
1. The present invention does not rely on keyword or signature identification of packet contents; the method can therefore identify encrypted P2P traffic and unknown, newly emerging P2P traffic;
2. The present invention does not rely solely on counting TCP/UDP ports above 1024 to identify P2P, so it avoids confusing P2P traffic with traffic such as network scans and DDoS attacks, and is therefore more accurate;
3. The present invention does not rely solely on counting the peer IP addresses to which an IP address is connected, and therefore avoids confusing P2P traffic with the traffic of website servers.
Description of drawings
Fig. 1 is the processing flow when the method of the invention is used to perform P2P traffic model matching analysis.
Fig. 2 is a flow chart of how a communication device that uses the method of the invention for P2P traffic identification and control processes IP packets.
Embodiment
To avoid the drawbacks of the identification methods described in the background, we studied the general traffic model of P2P services, which has the following characteristics:
1. The traffic of a P2P software download differs from the traffic of a download from a traditional file server. P2P traffic actively initiates data requests to at least one hundred terminals;
2. To evade interception by firewalls, P2P software generally does not use fixed ports, but negotiates ports dynamically;
3. The terminals that P2P software connects to are not necessarily active, so the completion rate of its communication is not guaranteed. Some communication requests succeed, but some also fail. Its completion rate is higher than that of the sessions produced by viruses and attacks, and lower than that of normal network communication.
By using four parameters together to decide whether traffic is P2P traffic, the P2P traffic in the network can be identified more accurately.
Combined use of the four parameters Cip, Mport, Cratemin and Cratemax makes it possible to accurately identify and analyze the traffic in the network regardless of whether the P2P traffic is encrypted, whether protocol fields have been modified, or whether the P2P software is newly emerging.
Taken together, these four parameters identify P2P accurately and avoid both false positives and missed detections, which allows more precise traffic control.
Fig. 1 is the processing flow when the method of the invention is used to perform P2P traffic model matching analysis. The concrete steps are:
Step S101: initialize the mathematical model library;
Step S102: configure the preset parameters of the P2P traffic model. Suppose the minimum IP address dispersion of the P2P traffic model is Cip, the minimum TCP/UDP port dispersion is Mport, the maximum session completion rate is Cratemax, and the minimum is Cratemin; configure these four parameters in the mathematical model library;
Step S103: collect the peer IP address distribution, the TCP/UDP port distribution, and the session state information of the communication sessions of each IP address, build the mathematical model, and compute in real time the connectivity dispersion Xip, the port dispersion Xport, and the session completion rate Xrate of each IP address in the communication network;
Step S104: when Xip>Cip, Xport>Mport and Cratemin<Xrate<Cratemax are all satisfied at the same time, judge that the traffic of this IP address matches the P2P traffic model; if it matches, execute step S105, otherwise go to step S106;
Step S105: if the traffic is P2P traffic, start the preconfigured P2P traffic control policy and limit the P2P traffic using a queue scheduling algorithm based on the token bucket algorithm;
Step S106: if the traffic does not match the P2P traffic model, handle it according to the normal IP packet forwarding process.
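The matching in steps S102 to S104 can be sketched as follows. This is an added example, not code from the patent. It assumes Xip is the number of distinct peer IPs a host initiated sessions to, Xport is the number of distinct peer ports, and Xrate is the share of initiated sessions that were established; the threshold values, the `Session` record and the sample traffic are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Preset model parameters (step S102). Values are constructed for this
# example; the patent names the parameters but gives no numbers.
C_IP = 100         # minimum peer-IP dispersion
M_PORT = 50        # minimum TCP/UDP port dispersion
C_RATE_MIN = 0.30  # minimum session completion rate
C_RATE_MAX = 0.90  # maximum session completion rate

@dataclass(frozen=True)
class Session:
    src: str            # host that initiated the session
    dst: str            # peer IP address
    dport: int          # peer TCP/UDP port
    established: bool   # True if the peer answered

def features(sessions):
    """Step S103: return {src: (Xip, Xport, Xrate)}.

    Assumed definitions: distinct peers, distinct peer ports, and the
    share of initiated sessions that were established."""
    peers, ports = defaultdict(set), defaultdict(set)
    total, ok = defaultdict(int), defaultdict(int)
    for s in sessions:
        peers[s.src].add(s.dst)
        ports[s.src].add(s.dport)
        total[s.src] += 1
        ok[s.src] += int(s.established)
    return {ip: (len(peers[ip]), len(ports[ip]), ok[ip] / total[ip])
            for ip in total}

def is_p2p(x_ip, x_port, x_rate):
    """Step S104: all three conditions must hold simultaneously."""
    return (x_ip > C_IP and x_port > M_PORT
            and C_RATE_MIN < x_rate < C_RATE_MAX)

def classify(sessions):
    """Map each initiating IP to True (P2P model matched) or False."""
    return {ip: is_p2p(*f) for ip, f in features(sessions).items()}

def sample_sessions():
    """Constructed traffic for three internal hosts."""
    out = []
    for i in range(200):   # P2P client: many peers and ports, 60% answer
        out.append(Session("10.0.0.5", f"198.51.100.{i}", 20000 + i, i % 5 < 3))
    for i in range(250):   # scanner: many peers and ports, 2% answer
        out.append(Session("10.0.0.6", f"203.0.113.{i}", 1024 + i, i % 50 == 0))
    for i in range(20):    # browsing host: few peers, one port, all answer
        out.append(Session("10.0.0.7", f"192.0.2.{i}", 443, True))
    return out

if __name__ == "__main__":
    for ip, f in features(sample_sessions()).items():
        print(ip, f, "P2P" if is_p2p(*f) else "normal forwarding")
```

The scanner host passes the peer and port tests and is rejected only by the Cratemin bound, which is the case the port-count and peer-count methods from the background cannot separate.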
In an actual network device, such as a gateway or bridge device connected in series in the network, the software flow of Fig. 2 can be used to achieve accurate control of P2P:
Step S201: perform session analysis and compute, for each IP address, the three model feature values described in step S103;
Step S202: compare the model feature values computed in step S201 with the parameters configured in step S102, and analyze whether each IP address has P2P traffic;
Step S203: identify the IP addresses that are using P2P to transfer data and aggregate them to form unified statistical indicators;
Step S204: read the P2P traffic control policy in the traffic control device and decide which control policy to apply to the P2P traffic of these IP addresses, such as limiting the maximum peak of the P2P traffic of these IP addresses, or limiting the total amount of P2P data that these IP addresses can transfer per unit time, or limiting the number of P2P sessions of these IP addresses;
Step S205: according to the P2P traffic control policy that was determined, queue the P2P traffic using the token bucket algorithm to carry out the actual traffic control.
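A sketch of the peak-limiting option of steps S204 and S205, as an added example rather than the patent's implementation: packets from flagged IP addresses are queued and released by a per-IP token bucket, while other traffic is forwarded normally. The class and method names, the rate, burst and queue values, and the explicit `now` timestamps are assumptions made so that the run is deterministic.

```python
from collections import deque

class P2PShaper:
    """Queue and release packets of flagged IPs under a token bucket.

    rate is in bytes per second, burst in bytes, queue_limit in packets.
    All names and values are constructed for this example."""

    def __init__(self, flagged_ips, rate, burst, queue_limit):
        self.rate, self.burst, self.queue_limit = rate, burst, queue_limit
        self.tokens = {ip: float(burst) for ip in flagged_ips}  # bucket starts full
        self.last = {ip: 0.0 for ip in flagged_ips}
        self.queues = {ip: deque() for ip in flagged_ips}

    def submit(self, ip, size):
        """Accept a packet of `size` bytes from `ip`."""
        if ip not in self.queues:
            return "forward"            # not P2P: normal forwarding (S106)
        if len(self.queues[ip]) >= self.queue_limit:
            return "drop"               # queue full: tail drop
        self.queues[ip].append(size)
        return "queued"

    def release(self, ip, now):
        """Refill the bucket up to time `now` and send what it covers."""
        elapsed = now - self.last[ip]
        self.tokens[ip] = min(self.burst, self.tokens[ip] + elapsed * self.rate)
        self.last[ip] = now
        sent, q = [], self.queues[ip]
        # Head-of-line packet waits until enough tokens have accumulated;
        # burst must be at least the largest packet size or it never leaves.
        while q and q[0] <= self.tokens[ip]:
            self.tokens[ip] -= q[0]
            sent.append(q.popleft())
        return sent

def demo():
    """Constructed run: 1000 B/s, 1500 B burst, 4-packet queue."""
    shaper = P2PShaper({"10.0.0.5"}, rate=1000, burst=1500, queue_limit=4)
    verdicts = [shaper.submit("10.0.0.5", 500) for _ in range(5)]
    verdicts.append(shaper.submit("10.0.0.7", 500))
    sent_t0 = shaper.release("10.0.0.5", now=0.0)    # burst covers 3 packets
    sent_t05 = shaper.release("10.0.0.5", now=0.5)   # 500 B refilled: 1 packet
    return verdicts, sent_t0, sent_t05

if __name__ == "__main__":
    print(demo())
```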

Claims (6)

1. A method applied to traffic identification and control of P2P networks based on mathematical modeling technology, characterized in that:
a mathematical model is built of the communication sessions of each IP address in the network by collecting the peer IP address distribution, the TCP/UDP port distribution, and the session state information of the communication sessions of that IP address, and the mathematical modeling technology is used to produce the model feature values;
the model feature values are matched against preset P2P traffic model parameters;
where they match the P2P traffic model parameters, the IP address is judged to be currently using P2P technology to transfer data;
according to a preconfigured P2P traffic control policy, all traffic of that IP address that matches the P2P characteristics is controlled.
2. The method of claim 1, characterized in that: if the preset P2P traffic model parameters are not matched, the normal IP packet forwarding process is carried out.
3. The method of claim 1 or 2, characterized in that: the preset P2P traffic model parameters comprise the minimum IP address dispersion Cip, the minimum TCP/UDP port dispersion Mport, the maximum session completion rate Cratemax, and the minimum session completion rate Cratemin, and these four parameters are configured in the mathematical model library.
4. The method of claim 3, characterized in that: the model feature values comprise the connectivity dispersion Xip, the port dispersion Xport, and the session completion rate Xrate of each IP address.
5. The method of claim 4, characterized in that: when Xip>Cip, Xport>Mport and Cratemin<Xrate<Cratemax are all satisfied at the same time, the IP address is judged to be currently using P2P technology.
6. The method of claim 5, wherein, when the IP address is judged to be currently using P2P technology, the P2P packets are queued using a token bucket algorithm, and the maximum peak of the P2P traffic of that IP address is limited, or the total amount of P2P data that the IP address can transfer per unit time is limited, or the number of P2P sessions of that IP address is limited.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101718076A CN101741686B (en) 2008-11-13 2008-11-13 Method applied to traffic identification and control of P2P network based on mathematical modeling technology

Publications (2)

Publication Number Publication Date
CN101741686A (en) 2010-06-16
CN101741686B (en)

Family

ID=42464607

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101718076A Expired - Fee Related CN101741686B (en) 2008-11-13 2008-11-13 Method applied to traffic identification and control of P2P network based on mathematical modeling technology

Country Status (1)

Country Link
CN (1) CN101741686B (en)

Also Published As

Publication number Publication date
CN101741686B (en) 2012-05-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120530

Termination date: 20171113
