CN101834886A - Method capable of improving P2P application recognition accuracy - Google Patents

Method capable of improving P2P application recognition accuracy

Info

Publication number: CN101834886A
Authority: CN (China)
Prior art keywords: network, application, commonly used, network application, connection
Legal status: Pending
Application number: CN201010130792A
Other languages: Chinese (zh)
Inventor: 杨惕光
Current Assignee: Wuxi Tianhong Information Technology Co Ltd
Original Assignee: Wuxi Tianhong Information Technology Co Ltd
Application filed by Wuxi Tianhong Information Technology Co Ltd
Abstract

The invention discloses a method capable of improving P2P application recognition accuracy. P2P application connections are detected by exploiting the network characteristic that a P2P application causes a sudden, large increase in the TCP/UDP connection establishment rate during its connection stage; at the same time, non-P2P applications with similar network characteristics are excluded by checking the feature codes of common non-P2P network applications, which reduces the false reject rate. The method has the advantages of high accuracy and low system overhead.

Description

A method for improving P2P application recognition accuracy
Technical field
The present invention relates to a method for improving P2P application recognition accuracy and belongs to the field of network content filtering.
Background
With the development of network applications, applications based on P2P technology keep emerging. While these P2P applications bring great convenience to people, they also cause the large-scale spread of undesirable information and reduce network service efficiency. Strengthening the supervision of P2P applications has therefore become one of the important tasks of administrative departments. To make that supervision effective, ensuring the accuracy of P2P application identification at the technical level is particularly important.
The most common P2P application identification technique at present is signature detection: a large volume of a given P2P application's network traffic is analyzed to find the feature code of that traffic, which is then used to identify traffic from that P2P application. This approach has two defects: first, changes in each P2P application's feature code must be tracked continuously; second, encrypted P2P applications cannot be identified. P2P applications on the network, especially those that are harmful to some degree, often change parts of their protocol to escape supervision, which makes feature codes harder to obtain and lowers recognition accuracy. Worse, more and more P2P applications are starting to encrypt, and no feature code can be extracted from the encrypted P2P application data.
Another current P2P application identification technique works on uncommon ports above 1024: it examines all connections established by an IP and counts how many of them have a destination port greater than 1024 to decide whether that IP has a P2P application running. This intelligent detection technique effectively avoids the defects of feature code detection, but its probability of misidentification is very high, because more and more organizations are deploying large numbers of information systems, and these systems almost all use uncommon ports above 1024.
Summary of the invention
The present invention aims to remedy the defects of the P2P application identification techniques described above. It improves the accuracy of P2P application identification by detecting the typical network connection characteristics of P2P applications in combination with screening for common non-P2P network applications; the method also has low system overhead.
The technical solution adopted by the invention is as follows: P2P application connections are detected by exploiting the network characteristic that a P2P application causes the TCP/UDP connection establishment rate to increase suddenly and sharply during its connection phase, while screening against the feature codes of common non-P2P network applications excludes non-P2P applications with similar network characteristics, reducing the misjudgment rate.
The concrete processing procedure is as follows:
Step 1: Create a user record for each user IP, containing the IP address, whether a P2P application has been started, and the P2P application start time.
Step 2: Create a connection record for each network connection (including TCP connections and UDP pseudo-connections), containing the corresponding user IP address, source IP address, destination IP address, source port, destination port, protocol type, network application type and connection setup time.
Step 3: Store the feature codes of common non-P2P network applications in the common non-P2P network application feature code library for later lookup.
Step 4: Examine the first packet of each network connection established in step 2 and compare it with the common non-P2P network protocol feature codes to determine the network application type of the connection, recording the type in the corresponding connection record; if no network application type is obtained, mark the connection as unknown network application type.
Step 5: Monitor the connection establishment rate of each user IP; if the rate at which connections of unknown network application type are established exceeds a preset threshold (for example, 10 per second), mark the user IP as having started a P2P application and set the P2P application start time to the current time.
Step 6: Check whether the user IP has been marked as having started a P2P application; if started, forward the packet directly without any processing.
Step 7: If step 6 finds the user marked as started, check whether the following condition is true: current time > user's P2P application start time + P2P application connection establishment duration. If it is true, the user is marked as having started the P2P application and all packets are forwarded directly.
Step 8: If the condition in step 7 is false, mark as P2P application connections all of this user's connections of unknown network application type whose creation time falls between the user's P2P application start time and the end of the duration.
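The eight steps above as a minimal detector, an added example that is not code from the patent. The signature prefixes, the 30-second connection establishment duration, the one-second sliding window and all names are assumptions; because the translated wording of steps 6 and 7 is ambiguous, the code assumes that an unmarked user's connections are only classified and that the mark is cleared once the duration has elapsed.

```python
from collections import defaultdict, deque

# Constructed first-packet prefixes standing in for the feature code library (step 3).
SIGNATURES = {b"GET ": "HTTP", b"POST ": "HTTP", b"220 ": "FTP"}
RATE_THRESHOLD = 10     # unknown-type connections per second (the page's example value)
SETUP_DURATION = 30.0   # seconds; assumed, the page gives no figure

def classify(first_packet):
    """Step 4: compare a connection's first packet with the non-P2P feature codes."""
    for prefix, app in SIGNATURES.items():
        if first_packet.startswith(prefix):
            return app
    return "UNKNOWN"

class P2PDetector:
    def __init__(self):
        self.p2p_start = {}                # step 1: user IP -> P2P application start time
        self.conns = defaultdict(list)     # step 2: user IP -> connection records
        self.recent = defaultdict(deque)   # user IP -> times of unknown connections, last 1 s

    def on_new_connection(self, user_ip, now, first_packet):
        rec = {"time": now, "app": classify(first_packet)}
        self.conns[user_ip].append(rec)
        start = self.p2p_start.get(user_ip)
        if start is not None and now > start + SETUP_DURATION:
            del self.p2p_start[user_ip]    # step 7 (assumed reading): window over, clear mark
            start = None
        if rec["app"] != "UNKNOWN":
            return rec["app"]              # recognised non-P2P traffic never feeds the rate
        window = self.recent[user_ip]
        window.append(now)
        while now - window[0] >= 1.0:      # keep a sliding one-second window
            window.popleft()
        if start is None and len(window) > RATE_THRESHOLD:
            start = self.p2p_start[user_ip] = now          # step 5: mark the user IP
        if start is not None:              # step 8: label unknown connections in the window
            for r in self.conns[user_ip]:
                if r["app"] == "UNKNOWN" and start <= r["time"] <= start + SETUP_DURATION:
                    r["app"] = "P2P"
        return rec["app"]

def replay(events):
    """Feed time-ordered (user_ip, time, first_packet) tuples through a fresh detector."""
    det = P2PDetector()
    return [det.on_new_connection(ip, t, pkt) for ip, t, pkt in events]

# Constructed sample: one host opens 12 opaque connections in under half a second.
BURST = [("10.0.0.1", i / 25, b"\x13\x9a\x00\x41") for i in range(12)]
```

Connections from the burst that were opened before the threshold was crossed stay unknown, because step 8 only labels connections created from the P2P application start time onward.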
The beneficial effects of the invention are as follows: P2P application connections are detected by recognizing the typical network characteristics of P2P applications, and this is combined with recognition of the feature codes of common non-P2P network applications to reduce the misjudgment rate, which improves the accuracy of P2P application identification. In addition, because the method only keeps statistics on changes in the connection establishment rate, its system overhead is small.
Description of the drawings
Fig. 1 is the system architecture diagram of the invention.
Fig. 2 is the workflow diagram of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings.
With reference to Fig. 1, the invention first obtains from the gateway system all packets passing through the gateway and then analyzes and processes them according to the steps above. The user IP list maintains the IPs currently online, including adding new user IP records and deleting records on timeout. The network connection list builds on the user IP list: a network connection list is created for each user IP, with functions including adding connections, deleting connections and checking connections for timeout. The common non-P2P network application identification module, based on the common non-P2P network application feature library, analyzes the first packet of each connection to determine the network application type of that connection. The P2P network application identification module mainly performs P2P connection identification. The common non-P2P network application feature library stores the feature codes of a large number of common application protocols (such as HTTP, FTP, MSN and QQ) for use by the common non-P2P network application identification module.
With reference to Fig. 2, the workflow of the invention is as follows: the user IP list is established, a network connection list is built for each user according to the user IP, and the system then manages the establishment and deletion of each online IP's network connections through this list. The most important parts of the invention's intelligent recognition algorithm are connection establishment rate detection and the identification of common non-P2P network application protocols; only network connections that the system has identified as unknown network application type undergo intelligent P2P application recognition.

Claims (2)

1. The present invention is a method for improving P2P application recognition accuracy, characterized in that: P2P application connections are detected by exploiting the network characteristic that a P2P application causes the TCP/UDP connection establishment rate to increase suddenly and sharply during its connection phase, while screening against the feature codes of common non-P2P network applications excludes non-P2P applications with similar network characteristics, reducing the misjudgment rate.
2. The method for improving P2P application recognition accuracy as claimed in claim 1, characterized in that: all packets passing through the gateway are first obtained from the gateway system and then analyzed and processed according to the steps above; the user IP list maintains the IPs currently online, including adding new user IP records and deleting records on timeout; the network connection list builds on the user IP list, a network connection list being created for each user IP, with functions including adding connections, deleting connections and checking connections for timeout; the common non-P2P network application identification module, based on the common non-P2P network application feature library, analyzes the first packet of each connection to determine the network application type of that connection; the P2P network application identification module mainly performs P2P connection identification. The common non-P2P network application feature library stores the feature codes of a large number of common application protocols (such as HTTP, FTP, MSN and QQ) for use by the common non-P2P network application identification module.
CN201010130792A 2010-03-24 2010-03-24 Method capable of improving P2P application recognition accuracy Pending CN101834886A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010130792A CN101834886A (en) 2010-03-24 2010-03-24 Method capable of improving P2P application recognition accuracy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010130792A CN101834886A (en) 2010-03-24 2010-03-24 Method capable of improving P2P application recognition accuracy

Publications (1)

Publication Number Publication Date
CN101834886A true CN101834886A (en) 2010-09-15

Family

ID=42718815

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010130792A Pending CN101834886A (en) 2010-03-24 2010-03-24 Method capable of improving P2P application recognition accuracy

Country Status (1)

Country Link
CN (1) CN101834886A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103746768A (en) * 2013-10-08 2014-04-23 北京神州绿盟信息安全科技股份有限公司 Data packet identification method and equipment thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100915