CN101741745B - Method and system for identifying application traffic of peer-to-peer network - Google Patents
Method and system for identifying application traffic of peer-to-peer network Download PDFInfo
- Publication number
- CN101741745B CN101741745B CN2009102640406A CN200910264040A CN101741745B CN 101741745 B CN101741745 B CN 101741745B CN 2009102640406 A CN2009102640406 A CN 2009102640406A CN 200910264040 A CN200910264040 A CN 200910264040A CN 101741745 B CN101741745 B CN 101741745B
- Authority
- CN
- China
- Prior art keywords
- packet
- flow
- ciphertext
- memory module
- processing module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The invention discloses a method and a system for identifying application traffic of a peer-to-peer network. The method comprises the following steps: acquiring all data packets by a detecting device; filtering the data packets primarily; performing plaintext characteristic string detection of known P2P application on the filtered data packets; sending the data packets into a P2P processing module after adding a plaintext identification or a ciphertext identification to the data packets correspondingly; respectively searching the data packets which comprise the plaintext identification and the ciphertext identification; counting P2P traffic transmitted in a mode of plaintext or ciphertext; for an unmatched ciphertext data packet, constructing an active detecting data packet to be transmitted to a detected target; and identifying the P2P traffic transmitted in the mode of the ciphertext or other unknown traffic according to a response data packet replied by the detected target. The technical scheme provided by the invention can effectively reduce processing workload of traffic detection, and improve the efficiency of the system; and a fault and the updating of a single module do not influence the overall system. The technology has no influence on the topology and the performance of the conventional network, and is convenient to deploy and implement.
Description
Technical field
The present invention relates to computer network traffic management technical field, relate in particular to a kind of method and system of identification peer-to-peer network application traffic in the computer network flow.
Background technology
In recent years, (Peer-to-Peer, P2P) application is more and more abundanter, many brand-new P2P agreement and application have occurred for the various peer-to-peer networks in the computer network.These P2P use and have taken a large amount of network bandwidths, have reduced the service quality that traditional Internet such as Web, Email are used, and the content that P2P application is simultaneously propagated also relates to problems such as copyright, virus and obscene content.Therefore,, protect the intellectual property, suppress the propagation of virus and obscene content, must effectively manage the flow that P2P uses in order effectively to utilize Internet resources, at first must be able to realize to the P2P flow efficiently, detection accurately.
The detection method of P2P flow can be divided three classes: port mapping (Port Mapping), depth data bag detect (Deep Packet Inspection, DPI), traffic characteristic detect (Transport LayerIdentification, TLI).
Port mapping method is to use employed transport layer port number (Port) according to various P2P, detects the P2P flow.But existing P2P uses in order to hide detection, brings into use dynamic port, even the port that uses traditional Internet to use, and like 80 ports of HTTP, so this method can not accurately detect the P2P flow.
The depth data packet inspection method through detecting application layer load (payload), extracts the characteristic string that various P2P use, and uses thereby detect P2P.The accuracy of this method is high, be easy to realize, is the most general method of utilization at present.Like Chinese invention patent " a kind of method of traffic monitoring, equipment and system " (CN101350781A), utilize a DPI equipment to discern to using the layer data message.But this method can only be used to the P2P with clear-text way transmission data and detect, and P2P uses and begins to adopt cipher mode transmission data mostly at present, so this method is also with degradation failure.
The traffic characteristic detection method; Through the statistical analysis of carrying out to all packets in the network traffics; Like packet size, blanking time, number of connection etc., utilize methods such as machine learning, data mining, find the traffic characteristic that P2P uses; Detect the flow that P2P uses with this, this method can detect P2P flow unknown and encryption.As Chinese invention patent " based on the hybrid point-to-point flow rate testing methods of SVMs " (CN101510873) with " based on the peer-to-peer network flow rate testing methods of SVMs " (CN101345704), with the SVMs technical application in the P2P flow detection.Because these class methods need just can be made judgement after the mass data bag is carried out statistical analysis, therefore need the data volume of processing bigger, the realization of machine learning is complicated, therefore can not accomplish efficient, real-time detection.And the detection of these class methods is according to being the traffic characteristic that P2P uses, and this is a statistic, can't accurately distinguish various concrete P2P application traffics.
Summary of the invention
The objective of the invention is the deficiency that exists to prior art, provide a kind of can be in real time, efficiently and accurately to expressly and the method and system that detects of the peer-to-peer network flow of encrypted test mode transmission.
For achieving the above object, the technical scheme that the present invention adopted provides a kind of method of discerning the peer-to-peer network application traffic, it is characterized in that comprising the steps:
(1) probe unit obtains whole packets from network, packet is filtered the irrelevant and discernible asymmetrical output packet of filtering; Described extraneous data bag comprises the packet of the following level of transport layer, and the response data packet of probe data packet that processing module to be checked is sent in the step (4) and detected target answer; The remainder data bag is sent into data identification module;
(2) in data identification module, the protocol characteristic sign indicating number of using by known P2P is gone here and there matching detection to packet, and the detected packet that comprises P2P protocol characteristic sign indicating number is added expressly sign, sends into P2P processing module execution in step (3); With detected packet of failing the identification protocol condition code, add the ciphertext sign, send into P2P processing module execution in step (4);
(3) the P2P processing module is stored in the plaintext P2P flow memory module plaintext peer-to-peer network application traffic that accumulative total obtains recognizing through expressly identifying the P2P flow that will confirm with the clear-text way transmission;
(4) data identification module is extracted < source IP, purpose IP, the source port of this packet; Destination interface, application layer load byte number, ciphertext sign>hexa-atomic group of information; By five-tuple < source IP, purpose IP, source port wherein; Destination interface, the ciphertext sign>be search terms, search ciphertext P2P flow memory module; If there is the corresponding stored record of this packet, then with < application layer load byte number>in this packet five-tuple, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the ciphertext P2P flow memory module, carry out ciphertext P2P application traffic statistics; Otherwise, execution in step (5);
(5) use the information of being arranged by different P2P, structure active probe clear data bag sends active probe clear data bag through the network interface of probe unit to detected target;
(6) in the stand-by period of setting, the response data packet that the corresponding detected target of the active probe clear data bag content with sending that probe unit will be received is replied is if the detection of a target returns the clear data bag, execution in step (3); If return the encrypt data bag, then extract < source IP, purpose IP in the corresponding former packet of this probe data packet; Source port, destination interface, application layer load byte number>five-tuple; Add the ciphertext sign and constitute < source IP, purpose IP, source port; Destination interface, application layer load byte number, ciphertext sign>hexa-atomic group; Newly-increased this record is stored in the ciphertext P2P flow memory module, if detected target returns the unknown data bag or do not return, then with the former packet execution in step (7) of correspondence;
(7) the P2P processing module is extracted < source IP, purpose IP, the source port of this unknown application traffic packet; Destination interface, application layer load byte number>five-tuple information, by < source IP wherein; Purpose IP, source port, destination interface>be search terms; Search the unknown flow rate memory module; If there is the corresponding stored record of this packet in the unknown flow rate memory module,, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the unknown flow rate memory module then with < application layer load byte number>in this packet five-tuple; Otherwise the five-tuple information of this packet that the exploration device will extract is added in the unknown flow rate memory module, becomes a new record.
Whole packet that obtains described in the above-mentioned steps (1) comprises that all pass through the raw data packets of this equipment.
P2P processing module statistics described in the above-mentioned steps (3) obtains comprising with the step of the P2P flow of clear-text way transmission: the P2P processing module is extracted and is comprised expressly < source IP, purpose IP, the source port of the packet of characteristic string; Destination interface, application layer load byte number, expressly sign>hexa-atomic group of information; By < source IP, purpose IP, source port wherein; Destination interface, expressly sign>be search terms, search expressly P2P flow memory module; If this packet has been deposited the corresponding stored record,, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the plaintext P2P flow memory module then with < application layer load byte number>in this packet; Otherwise, hexa-atomic group of information < source IP, purpose IP of this packet that the P2P processing module will be extracted; Source port, destination interface, application layer load byte number; Expressly identify >; Add in the plaintext P2P flow memory module, become a new record, the plaintext peer-to-peer network application traffic that statistics obtains recognizing.
A kind of system that discerns the peer-to-peer network application traffic is characterized in that: it comprises sounds out device, data identification module, P2P processing module, unknown data processing module, plaintext P2P flow memory module, ciphertext P2P flow memory module and unknown flow rate memory module;
Described exploration device is used for from the raw data packets filtering mistake and irrelevant packet obtained the remainder data bag being sent to data identification module;
Described data identification module is used for the packet that filters through primary filter equipment, carries out expressly characteristic string coupling of P2P, and packet is divided into expressly and two types of ciphertexts, adds the identification marking of correspondence respectively, transfers to the P2P processing module and handles;
Described P2P processing module is used for passing through plaintext or the encrypt data bag that data identification module was handled, with < source IP, purpose IP; Source port, destination interface, expressly sign>or < source IP; Purpose IP, source port, destination interface; Ciphertext sign>be search terms, search and upgrade expressly or the information in the ciphertext P2P flow memory module, detect and add up the P2P flow; To unknown data, structure active probe packet; It also comprises a network interface, is used for sending the active probe packet and receiving the response data packet that detected target is replied to detected target; In the stand-by period of setting, the response data packet according to detected target is replied detects the P2P flow, and with P2P flow and the unknown flow rate of testing result by the encrypted test mode transmission, sends to ciphertext P2P flow memory module and unknown data processing module respectively;
Described unknown data processing module is used for receiving the packet of confirming type from the P2P processing module, through the five-tuple information searching and upgrade the information in the unknown flow rate memory module, detects and statistics unknown data flow;
Described plaintext P2P flow memory module receives and stores the P2P flow information by the clear-text way transmission that the plaintext processing module counts;
Described ciphertext P2P flow memory module receives and stores the detected P2P flow information by the encrypted test mode transmission of processing module to be checked;
Described unknown flow rate memory module, all fail the flow information of the correct packet that detects to receive and store processing module to be checked.
Described data identification module is for souning out physics output channel or the logic output channel on the device, and implementation method comprises a kind of in physical fiber interface, physics netting twine interface or the logic query's interface.
The implementation method of described plaintext P2P flow memory module, ciphertext P2P flow memory module, unknown flow rate memory module is Database Systems or file system.
Described network interface comprises following at least a: the physical fiber interface; Physics netting twine interface.
Compared with prior art; Can find out that from above technical scheme the distinguishing feature that the present invention has is: sound out device and obtain entire packet, at first filtering mistake and irrelevant packet from network forwarding equipment; Effectively reduce follow-up work of treatment, improve the efficient of system.Secondly; Data identification module is according to pre-configured plaintext characteristic string, and packet is gone here and there matching detection, and packet is divided into expressly and two types of ciphertexts; Send into the P2P processing module; Different packets can not obscured, and the packet of a plaintext processing module and an only processing part of unknown processing module, simplifies handling process separately.Expressly processing module is responsible for adding up the P2P flow with the clear-text way transmission.The P2P processing module is through sending the active probe packet through special tectonic to detected target; After only needing to wait for the stand-by period of regulation; The situation of the response data packet of replying according to detected target; Whether thereby detect is P2P flow or the unknown flow rate with the encrypted test mode transmission, so real-time is better.And P2P processing module and unknown processing module; Can be respectively by two different portions on different equipment or the equipment; Concurrent completion is to the further processing of packet; Improved the concurrent processing ability of system, and the fault of a processing unit, renewal and performance reduce and all can not influence another processing unit, improved the reliability and the extensibility of system.When handle packet, also need search, upgrade expressly P2P flow memory module, ciphertext P2P flow memory module and unknown flow rate memory module, this three can realize with Database Systems or file system.Search, renewal process to the three are to be accomplished by corresponding operation in Database Systems or the file system, make native system can be absorbed in the detection of P2P flow, reduce unnecessary spending, improve the efficient of system.Database Systems or file system can use different equipment to realize with P2P processing module or unknown processing module; Also can realize in the different piece of same equipment; The fault of any one equipment or part, renewal or performance reduce, and can not influence each other, and help expanded application.
Description of drawings
A kind of workflow sketch map of discerning the peer-to-peer network application traffic that Fig. 1 provides for the embodiment of the invention;
A kind of structural representation of discerning peer-to-peer network application traffic system that Fig. 2 provides for the embodiment of the invention;
A kind of networking sketch map of discerning peer-to-peer network application traffic system that Fig. 3 provides for the embodiment of the invention.
Embodiment
Below in conjunction with embodiment and accompanying drawing the present invention is further described.
Embodiment 1:
It is a kind of through luring the system that sounds out the application traffic of identification peer-to-peer network that the embodiment of the invention provides, be used for realizing to encrypt with unencrypted P2P application traffic is carried out in real time, efficiently, accurate recognition and detection.
Fig. 1 is a kind of workflow sketch map of discerning the peer-to-peer network application traffic that the embodiment of the invention provides, and below is elaborated through concrete steps:
Step 101 is soundd out device and is obtained packet from network forwarding equipment, to having the network forwarding equipment of optical fiber interface, sounds out device and can obtain raw data packets through the optical fibre light splitting on the network forwarding equipment.To having the network forwarding equipment of Port Mirroring function, sound out device and can obtain raw data packets through the mirror port on the network forwarding equipment.To not possessing optical fiber interface and not possessing the network forwarding equipment of Port Mirroring function; Can on up (Up-Link) of network forwarding equipment circuit, connect network coupler or hub, sound out device and obtain raw data packets through network coupler or hub.The raw data packets that above-mentioned exploration device obtains should comprise all packets, is not selectively to obtain the partial data bag.
Network forwarding equipment specifically can be the equipment that router, three-tier switch, Layer 2 switch etc. possess the packet forwarding capability.
Step 102 is soundd out device packet is carried out primary filter, specifically is the packet of wanting three types of filterings.First kind of filtering be because of the packet that makes a mistake of transmission interference problem, like the packet of checksum error, less than the packet of 64 bytes etc., therefore must filtering.Second kind of filtering be the packet of the following level of transport layer.Because the packet that P2P uses is the packet of the above application layer of transport layer, so the packet of following the level of transport layer can not be the packet that P2P uses, so necessary filtering.The third filtering be the P2P processing module is sent in the native system the active probe packet and the response data packet of detected target; The active probe packet is in the step 107, needs because of detecting encryption P2P flow, and a kind of packet that sends.Response data packet is the response of detected target to the active probe packet.These two kinds of packets all are not packets original in the network, in existing network, can not occur generally speaking, are the packets that need introduce owing to the detection of native system, therefore must filtering.
In this step, the filtration of first kind and second kind packet specifically is to be accomplished automatically by the filtering circuit of souning out on the device.The filtration of the third packet needs the IP address according to the network interface of P2P processing module in the native system, to souning out device filtercondition is set, and is accomplished automatically by the filtering circuit on the probe unit.IP address like P2P processing module in the system is 10.0.0.6, and the filtercondition that then is provided with is no ipaddress10.0.0.6.
In this step,, can effectively reduce follow-up work of treatment, improve the efficient of system through after souning out device this packet of three types being carried out primary filter.And the filtration of these three types of packets, be to accomplish by the filtering circuit of souning out on the device, can reach very high handling property and reliability.
Step 103, data identification module is carried out characteristic string coupling to packet, and packet is increased expressly and the ciphertext sign, sends into the P2P processing module.
The plaintext characteristic string that data identification module is used according to known P2P is to going here and there matching detection through the packet of primary filter.The string matching detection specifically is to be accomplished by the string match circuit of souning out device, and the string match circuit is realized the detection to the clear data bag according to the plaintext characteristic string testing conditions of setting.Concrete plaintext characteristic string testing conditions can be a character string, like " abcde ", or the hexadecimal number of plaintext characteristic string, like " 0x F2 35 4D "; Or the regular expression of plaintext characteristic string, like " 1:t4:.{4}1:v4:UT ".
To the packet through plaintext characteristic string matching detection, if comprise the plaintext characteristic string that certain known P2P uses, then data identification module increases expressly sign with it, otherwise increase ciphertext sign is sent into the P2P processing module respectively.
Step 104, the P2P processing module is searched expressly P2P flow according to the clear data bag, and upgrades clear data bag record; Search ciphertext P2P flow according to the encrypt data bag, and upgrade encrypt data bag record, unknown data is then constructed the active probe packet.
Have the expressly packet of sign in this step,, transfer to step 105 and handle the five-tuple information searching of < source IP, purpose IP, source port, destination interface, the expressly sign>of basis P2P flow memory module expressly.
The packet that has ciphertext sign in this step with the five-tuple information searching of < source IP, purpose IP, source port, destination interface, the ciphertext sign>of basis P2P flow memory module expressly, is transferred to step 106 and is handled.
The encrypt data bag that does not find in this step is transferred to step 107 to be handled.
Step 105 is upgraded expressly P2P flow memory module
The P2P processing module is extracted and is comprised expressly < source IP, purpose IP, the source port of the packet of characteristic string; Destination interface, application layer load byte number, expressly sign>hexa-atomic group of information; By < source IP, purpose IP, source port wherein; Destination interface, expressly sign>be search terms, search expressly P2P flow memory module; If this packet has been deposited the corresponding stored record,, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the plaintext P2P flow memory module then with < application layer load byte number>in this packet; Otherwise, hexa-atomic group of information < source IP, purpose IP of this packet that the P2P processing module will be extracted; Source port, destination interface, application layer load byte number; Expressly identify >; Add in the plaintext P2P flow memory module, become a new record, the plaintext peer-to-peer network application traffic that statistics obtains recognizing.
In this step, expressly P2P flow memory module specifically is meant in the Database Systems the independently text of format independently in tables of data or the file system.Searching plaintext P2P flow memory module specifically can search or the completion of file system files search procedure through the tables of data of Database Systems.
Step 106 is upgraded ciphertext P2P flow memory module
What store in the ciphertext P2P flow memory module is the known P2P flow information by the encrypted test mode transmission, is specially < source IP, purpose IP, source port, destination interface, the accumulative total load byte number>of each data flow.Data identification module is extracted < source IP, purpose IP, source port, the destination interface of this packet; Application layer load byte number, the ciphertext sign>hexa-atomic group of information, by five-tuple < source IP, purpose IP wherein; Source port, destination interface, ciphertext sign>be search terms, search ciphertext P2P flow memory module; If there is the corresponding stored record of this packet, then with < application layer load byte number>in this packet five-tuple, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the ciphertext P2P flow memory module, carry out ciphertext P2P application traffic statistics; Otherwise, execution in step 107.
In this step, ciphertext P2P flow memory module specifically is meant in the Database Systems the independently text of format independently in tables of data or the file system.Searching ciphertext P2P flow memory module specifically can search or the completion of file system files search procedure through the tables of data of Database Systems.
Step 107, structure also sends the active probe packet
The P2P processing module is according to the five-tuple information of unknown encrypt data bag, and structure active probe (Probe) packet is called for short the P packet, and through network interface the P packet is sent.The content of P packet is to use according to different P2P to set, and carries through the realization of transport layer Transmission Control Protocol.
The target that the P packet sends, specifically with < source IP, source port>in the unknown encrypt data bag five-tuple perhaps < purpose IP, destination interface>be target.General, if < source IP, source port>points to the main frame of internal network, then be the transmission target with < source IP, source port >; Otherwise, be target then with < purpose IP, destination interface >.Be not limited to the main frame of internal network simultaneously.
The source of P packet specifically is meant doublet < the IP address of P2P processing module, certain port >.The IP address of P2P processing module, the address assignment situation in the network that is generally connected according to the P2P processing module is provided with, like 10.0.0.6.But in attention and the step 102, the IP address of souning out the P2P processing module that is provided with on the device is consistent.Certain port of P2P processing module can be got certain fixing port, as 10000.Perhaps get port at random, span is from 0~65535.Port is at random got in general recommendations.
The P packet specifically is the network interface transmission through the P2P processing module, and the network interface of P2P processing module is directly to be connected on the network forwarding equipment.This network forwarding equipment is not necessarily that network forwarding equipment that exploration device in the step 101 obtains packet, as long as this network forwarding equipment can guarantee that processing module to be checked can normally be connected in the network.
Whether step 108, being surveyed main frame has response
Detect corresponding whether expressly P2P flow, in this way, then change step 109 over to and handle,, then change step 110 over to and handle as not.
Step 109, unknown processing module is upgraded the unknown flow rate memory module
What store in the unknown flow rate memory module is that all fail the five-tuple information of the correct packet that detects, and is specially < source IP, purpose IP, source port, destination interface, application layer load byte number >.< source IP, purpose IP, source port, the destination interface>these four that unknown processing module is pressed in the packet five-tuple is search terms, goes to search the unknown flow rate memory module.If there is the corresponding stored record, then unknown processing module is added to < accumulative total is transmitted byte number>field of corresponding stored record in the unknown flow rate memory module with < application layer load byte number>in the packet five-tuple.Otherwise unknown processing module is added the five-tuple information of the packet that extracts in the unknown flow rate memory module to, becomes a new record.
The unknown flow rate memory module specifically is meant in the Database Systems the independently text of format independently in tables of data or the file system.Unknown processing module is searched the unknown flow rate memory module and specifically can be searched or the completion of file system files search procedure through the tables of data of Database Systems.Upgrading the unknown flow rate memory module specifically can upgrade or the completion of file system files renewal process through the tables of data of Database Systems.
A kind of system configuration sketch map of discerning the peer-to-peer network application traffic that Fig. 2 provides for present embodiment; This system comprises exploration device 201, data identification module 202, P2P processing module 203; Unknown processing module 204; Expressly P2P flow memory module 205, ciphertext P2P flow memory module 206, unknown flow rate memory module 207.Wherein,
Sound out device 201, be used for transferring to data identification module and handling from the packet of three types of the raw data packets filterings of obtaining.
Wherein, sound out three kinds of packets that packet is respectively error of transmission that device needs filtering, the packet of the following level of transport layer, and the active probe packet that the P2P processing module is sent in the native system and the response data packet of detected target.After this packet of three types is carried out primary filter, can effectively reduce follow-up work of treatment, improve the efficient of system.
Wherein, the plaintext characteristic string that data identification module is used according to pre-configured P2P is to going here and there matching detection through the packet of primary filter.Concrete plaintext characteristic string testing conditions can be the hexadecimal number of character string, characteristic string, the regular expression of characteristic string, and condition setting very flexibly.Through the packet of string matching detection, add expressly or the ciphertext sign, transfer to the P2P processing module and handle.
Expressly P2P flow memory module 205, are used to store the known P2P flow information by the clear-text way transmission.
Ciphertext P2P flow memory module 206 is used to store the known P2P flow information by the encrypted test mode transmission.
Unknown flow rate memory module 207 is used to store all and fails the flow information of the correct packet that detects.
Plaintext P2P flow memory module 205, ciphertext P2P flow memory module 206, unknown flow rate memory module 207; All can realize through Database Systems or file system flexibly; According to concrete networking situation; The three can share Database Systems or file system, also can independently realize, very flexibly.Search, renewal process to the three are to transfer to corresponding operation completion in Database Systems or the file system, make native system can be absorbed in the detection of P2P flow, reduce unnecessary spending, improve the efficient of system.In addition, be separate between native system and Database Systems or the file system, the fault of any one system, renewal or performance reduce, and can not influence each other, and are beneficial to expanded application.
Fig. 3 comprises network 301, network forwarding equipment A302, sounds out device 303, server A 304, server B 305, network forwarding equipment B306 for a kind of networking sketch map to network application flow such as identification system that present embodiment provides.Wherein:
Network forwarding equipment A302 can be the equipment that router, three-tier switch, Layer 2 switch etc. possess the packet forwarding capability.This network forwarding equipment is that the packet of primary filter equipment obtains the source.
Sound out device 303, be primary filter equipment 201 shown in Figure 2 in the present embodiment.
Network forwarding equipment B306 is connected to network, is used for the active probe packet of forwarding server B P2P processing module generation and the response data packet of detected target.
In sum, the present invention is directed to the deficiency that existing P 2P application traffic detection method exists, mainly is to encrypting the detection and the not high problem of systematic function of P2P flow, having proposed a kind of method and system of P2P flow detection.Obtain whole packets through souning out device from network forwarding equipment; At first utilize filtering circuit; The response data packet that active probe packet that the P2P processing module is sent in packet below the packet of high speed filtering error of transmission, the transport layer and the native system and detected target are replied; Effectively reduce follow-up work of treatment, improve the efficient of system.Secondly, data identification module is according to pre-configured plaintext characteristic string, and packet is gone here and there matching detection, and packet is divided into two types, increases respectively expressly that sign identifies with ciphertext, transfers to the P2P processing module and does further processing.Like this, different packets can not obscured.The P2P processing module is through sending the active probe packet through special tectonic to detected target; After only needing to wait for the stand-by period of regulation; Response data packet according to the detected target answer; Whether thereby detect is P2P flow or the unknown flow rate with the encrypted test mode transmission, so real-time is better.And P2P processing module and unknown processing module can be respectively by two different portions on different equipment or the equipment; Concurrent completion is to the further processing of packet; Improved the concurrent processing ability of system; And the fault of a processing unit, renewal and performance reduce all can not influence another processing unit, has improved the reliability and the extensibility of system.P2P processing module and unknown processing module also need search, upgrade expressly P2P flow memory module when handle packet, ciphertext P2P flow memory module and unknown flow rate memory module, and this three can realize with Database Systems or file system.Search, renewal process to the three are to be accomplished by corresponding operation in Database Systems or the file system, make native system can be absorbed in the detection of P2P flow, reduce unnecessary spending, improve the efficient of system.Database Systems or file system are with expressly processing module or processing module to be checked can use different equipment to realize; Also can realize in the different piece of same equipment; The fault of any one equipment or part, renewal or performance reduce, and can not influence each other, and are beneficial to expanded application.
Claims (4)
1. a method of discerning the peer-to-peer network application traffic is characterized in that comprising the steps:
(1) probe unit obtains whole packets from network, packet is filtered the irrelevant and discernible asymmetrical output packet of filtering; Described extraneous data bag comprises the packet of the following level of transport layer, and the response data packet of probe data packet of sending in the step (5) and the answer of the detected target in the step (6); The remainder data bag is sent into data identification module;
(2) in data identification module, the protocol characteristic sign indicating number of using by known P2P is gone here and there matching detection to packet, and the detected packet that comprises P2P protocol characteristic sign indicating number is added expressly sign, sends into P2P processing module execution in step (3); With detected packet of failing the identification protocol condition code, add the ciphertext sign, send into P2P processing module execution in step (4);
(3) the P2P processing module is stored in the plaintext P2P flow memory module plaintext peer-to-peer network application traffic that accumulative total obtains recognizing through expressly identifying the P2P flow that will confirm with the clear-text way transmission;
(4) data identification module is extracted < source IP, purpose IP, the source port of this packet; Destination interface, application layer load byte number, ciphertext sign>hexa-atomic group of information; By five-tuple < source IP, purpose IP, source port wherein; Destination interface, the ciphertext sign>be search terms, search ciphertext P2P flow memory module; If there is the corresponding stored record of this packet, then with < application layer load byte number>in hexa-atomic group of this packet, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the ciphertext P2P flow memory module, carry out ciphertext P2P application traffic statistics; Otherwise, execution in step (5);
(5) use the information of being arranged by different P2P, structure active probe clear data bag sends active probe clear data bag through the network interface of probe unit to detected target;
(6) in the stand-by period of setting, the response data packet that the corresponding detected target of the active probe clear data bag content with sending that probe unit will be received is replied is if the detection of a target returns the clear data bag, execution in step (3); If return the encrypt data bag, then extract < source IP, purpose IP in the corresponding former packet of this probe data packet; Source port, destination interface, application layer load byte number>five-tuple; Add the ciphertext sign and constitute < source IP, purpose IP, source port; Destination interface, application layer load byte number, ciphertext sign>hexa-atomic group; Newly-increased this record is stored in the ciphertext P2P flow memory module, if detected target returns the unknown data bag or do not return, then with the former packet execution in step (7) of correspondence;
(7) the unknown data processing module is extracted < source IP, purpose IP, the source port of this unknown application traffic packet; Destination interface, application layer load byte number>five-tuple information, by < source IP wherein; Purpose IP, source port, destination interface>be search terms; Search the unknown flow rate memory module; If there is the corresponding stored record of this packet in the unknown flow rate memory module,, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the unknown flow rate memory module then with < application layer load byte number>in this packet five-tuple; Otherwise the five-tuple information of this packet that the exploration device will extract is added in the unknown flow rate memory module, becomes a new record.
2. a kind of method of discerning the peer-to-peer network application traffic according to claim 1 is characterized in that: the whole packet that obtains described in the step (1) comprises that all pass through the raw data packets of this equipment.
3. a kind of method of discerning the peer-to-peer network application traffic according to claim 1 is characterized in that: the P2P processing module statistics described in the step (3) obtains comprising with the step of the P2P flow of clear-text way transmission: the P2P processing module is extracted and is comprised expressly < source IP, the purpose IP of the packet of characteristic string; Source port, destination interface, application layer load byte number; Expressly identify hexa-atomic group of information, by < source IP, purpose IP wherein; Source port; Destination interface, expressly sign>be search terms, search expressly P2P flow memory module; If this packet has been deposited the corresponding stored record,, be added to < accumulative total is transmitted byte number>field of corresponding stored record in the plaintext P2P flow memory module then with < application layer load byte number>in this packet; Otherwise, hexa-atomic group of information < source IP, purpose IP of this packet that the P2P processing module will be extracted; Source port, destination interface, application layer load byte number; Expressly identify >; Add in the plaintext P2P flow memory module, become a new record, the plaintext peer-to-peer network application traffic that statistics obtains recognizing.
4. system that discerns the peer-to-peer network application traffic is characterized in that: it comprises sounds out device, data identification module, P2P processing module, unknown data processing module, expressly P2P flow memory module, ciphertext P2P flow memory module and unknown flow rate memory module;
Described exploration device is used for from the raw data packets filtering mistake and irrelevant packet obtained the remainder data bag being sent to data identification module;
Described data identification module is used for carrying out expressly characteristic string coupling of P2P with through souning out the packet of apparatus processes, and packet is divided into expressly and two types of ciphertexts, adds the identification marking of correspondence respectively, transfers to the P2P processing module and handles;
Described P2P processing module is used for passing through plaintext or the encrypt data bag that data identification module was handled, with < source IP, purpose IP; Source port, destination interface, expressly sign>or < source IP; Purpose IP, source port, destination interface; Ciphertext sign>be search terms, search and upgrade expressly or the information in the ciphertext P2P flow memory module, detect and add up the P2P flow; To unknown data, structure active probe packet; It also comprises a network interface, is used for sending the active probe packet and receiving the response data packet that detected target is replied to detected target; In the stand-by period of setting, the response data packet according to detected target is replied detects the P2P flow, and with P2P flow and the unknown flow rate of testing result by the encrypted test mode transmission, sends to ciphertext P2P flow memory module and unknown data processing module respectively;
Described unknown data processing module; Be used for receiving the packet of not confirming type, through < source IP, purpose IP from the P2P processing module; Source port; Destination interface, application layer load byte number>five-tuple information searching and upgrade the information in the unknown flow rate memory module, detect and statistics unknown data flow;
Described plaintext P2P flow memory module receives and stores the P2P flow information by the clear-text way transmission that the plaintext processing module counts;
Described ciphertext P2P flow memory module receives and stores the detected P2P flow information by the encrypted test mode transmission of processing module to be checked;
Described unknown flow rate memory module, all fail the flow information of the correct packet that detects to receive and store processing module to be checked.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102640406A CN101741745B (en) | 2009-12-29 | 2009-12-29 | Method and system for identifying application traffic of peer-to-peer network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102640406A CN101741745B (en) | 2009-12-29 | 2009-12-29 | Method and system for identifying application traffic of peer-to-peer network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101741745A CN101741745A (en) | 2010-06-16 |
| CN101741745B true CN101741745B (en) | 2012-01-04 |
Family
ID=42464651
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009102640406A Expired - Fee Related CN101741745B (en) | 2009-12-29 | 2009-12-29 | Method and system for identifying application traffic of peer-to-peer network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101741745B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102075443B (en) * | 2011-02-28 | 2012-11-21 | 电子科技大学 | Active detection-based host IP flow estimation method |
| CN103312621B (en) * | 2013-06-07 | 2016-08-10 | 深圳中兴网信科技有限公司 | Flow control system and flow control methods |
| CN103701670B (en) * | 2013-12-30 | 2017-12-19 | 北京神州绿盟信息安全科技股份有限公司 | A kind for the treatment of method and apparatus of packet load |
| CN104765884B (en) * | 2015-04-30 | 2018-06-22 | 哈尔滨工业大学 | A kind of fingerprint identification method of HTTPS webpages |
| CN107070745A (en) * | 2017-03-31 | 2017-08-18 | 武汉绿色网络信息服务有限责任公司 | Unknown flow rate analysis method caused by a kind of rule is omitted |
| CN111147486B (en) * | 2019-12-25 | 2022-06-07 | 国家电网有限公司 | Refined safety protection system and method and application thereof |
| CN112235160B (en) * | 2020-10-14 | 2022-02-01 | 福建奇点时空数字科技有限公司 | Flow identification method based on protocol data deep layer detection |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1852164A (en) * | 2006-04-25 | 2006-10-25 | 清华大学 | P2P network management method based on federal model |
| CN101309218A (en) * | 2008-07-09 | 2008-11-19 | 南京邮电大学 | Hierarchical peer-to-peer network traffic detection and control method based on mobile proxy |
-
2009
- 2009-12-29 CN CN2009102640406A patent/CN101741745B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1852164A (en) * | 2006-04-25 | 2006-10-25 | 清华大学 | P2P network management method based on federal model |
| CN101309218A (en) * | 2008-07-09 | 2008-11-19 | 南京邮电大学 | Hierarchical peer-to-peer network traffic detection and control method based on mobile proxy |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101741745A (en) | 2010-06-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101741745B (en) | Method and system for identifying application traffic of peer-to-peer network | |
| US9871781B2 (en) | Systems and methods for path maximum transmission unit discovery | |
| CN110113345B (en) | Automatic asset discovery method based on flow of Internet of things | |
| KR100922582B1 (en) | Log-based traceback system and method by using the centroid decomposition technique | |
| CN101662393B (en) | Inter-domain prefix hijack detection and location method | |
| JP5050781B2 (en) | Malware detection device, monitoring device, malware detection program, and malware detection method | |
| CN106487879A (en) | A kind of network equipment recognition methodss based on device-fingerprint storehouse and device | |
| CN102821009B (en) | Method for monitoring ring network on basis of link layer discovery protocol and device | |
| CN102859952A (en) | Switch, and flow table control method | |
| CN107534690A (en) | Gather domain name system flow | |
| CN104320304A (en) | Multimode integration core network user traffic application identification method easy to expand | |
| CN101605132B (en) | Method for identifying network data stream | |
| CN112202609A (en) | Industrial control asset detection method and device, electronic equipment and storage medium | |
| CN1703890B (en) | Method for protocol recognition and analysis in data networks | |
| CN114172854B (en) | Report Wen Jingxiang, mirror image configuration method, virtual switch and mirror image configuration device | |
| CN101753456B (en) | Method and system for detecting flow of peer-to-peer network | |
| CN108833430B (en) | Topology protection method of software defined network | |
| CN102648604A (en) | Method of monitoring network traffic by means of descriptive metadata | |
| CN111404719B (en) | Network topology information acquisition method and system | |
| CN111010362B (en) | Monitoring method and device for abnormal host | |
| US11546356B2 (en) | Threat information extraction apparatus and threat information extraction system | |
| CN109547281B (en) | Tor network tracing method | |
| CN115499179A (en) | Method for detecting DoH tunnel flow in backbone network | |
| JP2010239392A (en) | System, device and program for controlling service disabling attack | |
| CN115065592A (en) | Information processing method, device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20120104 Termination date: 20211229 |