CN101854366A - Peer-to-peer network flow-rate identification method and device - Google Patents
Peer-to-peer network flow-rate identification method and device Download PDFInfo
- Publication number
- CN101854366A CN101854366A CN201010199464A CN201010199464A CN101854366A CN 101854366 A CN101854366 A CN 101854366A CN 201010199464 A CN201010199464 A CN 201010199464A CN 201010199464 A CN201010199464 A CN 201010199464A CN 101854366 A CN101854366 A CN 101854366A
- Authority
- CN
- China
- Prior art keywords
- network traffics
- doubtful
- network
- data flow
- type
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention discloses a peer-to-peer (P2P) network flow-rate identification method and a device. Length of data stream packets of a given quantity is measured, the data stream packets are divided into two types according to a set length threshold value, the typical proportion of the two types of packets is calculated, if the typical proportion of the packet is more than the upper limit of the typical threshold value interval, the data stream is deemed as a peer-to-peer network flow rate. By adopting the method and the device, through the typical proportion of the packet, the data stream can be rapidly and effectively classified so as to rapidly and effectively identify the P2P network flow rate, so the identification efficiency and accuracy can be improved, and the system expenditure caused by the flow-rate detection solution can be greatly reduced.
Description
Technical field
The present invention relates to the network traffics recognition technology, particularly a kind of equity (P2P, Peer-to-Peer) method and the device of network traffics identification.
Background technology
The P2P network is proposed in 1969 by Steve Crocker the earliest, it is a kind of distributed network, the participant of network shares a part of hardware resource that they are had, as: disposal ability, storage capacity, network concatenation ability, printer etc., these shared resources need provide service and content by network, can directly be visited by other peer node and need not through intermediate entities.Participant in this network is that resource is promptly served supplier (Server) with content, also be resource obtain taker (Client).Different with traditional client/server (C/S) network is: the status of each node in the network all is reciprocity, and each node had both served as server, for other nodes provide service, also enjoys the service that other nodes provide simultaneously.
At present, the P2P technology has been widely used in fields such as download, instant messaging, the networking telephone, Web TV, online game, financial service and information retrieval, P2P has changed existing network application mode, and also the development for future network provides a kind of new networking thinking.Yet all advantages behind in the P2P technology exists a lot of problems:
Adopt the P2P The Application of Technology a lot of now, as: bit stream (BitTorrent), electric donkey (eDonkey), electric mule (eMule), network exchange file software (Gnutella), Web TV (PPLive), Streaming Media (PPStream), network real-time phonetic communication (Skype) or the like easily simply again, P2P user's sum is in millions upon millions of, so, caused the huge consumption of the network bandwidth, even cause network congestion, greatly reduce network performance, deterioration network service quality, hindered carrying out of proper network business and popularizing of key business.Simultaneously, be accompanied by the propagation privately of a large amount of unauthorized content, convenience be provided also for illegal piracy and internet worm, quickened their growth, bring huge impact for network security and protection of Intellectual Property Rights.
According to statistics, the P2P network traffics have occupied the 60%-70% of whole network traffics, extreme case down even reached 80%-90%, become genuine " bandwidth killer ", cause the rapid decline of operator, enterprise network, the crucial link congestion of campus network and other conventional Internet service service quality (QoS, Quality of Service).People especially telecom operators recognize more and more significantly and are necessary P2P network traffics and network behavior are carried out deep understanding and analysis, for monitoring provides technical support with management P2P, in order to finish this target, top priority is exactly that the P2P network traffics on the network are carried out effective recognition.
In the prior art, the scheme one that the P2P network traffics are used is an employing port identification method: use rise early stage at P2P, what the great majority application was used all is fixed port, for example, Gnutella uses the 346-6347 port, and BitTorrent uses 6881-6889 port etc.In this case, RM to its flow is identical with the mode of identification common application grouping: passive collection grouping in the network of needs monitoring, check the transport layer header message of grouping then, if port numbers and the port numbers coupling that some is specific, illustrate that then this grouping is the grouping of P2P network traffics, can handle it according to default action.This recognition methods biggest advantage is exactly simple, and it does not need to carry out complicated packet transaction and can reach a conclusion; The port identification method seems very simple effective at the initial stage that P2P uses appearance, but development along with the P2P technology, it is no longer suitable that this method becomes gradually, technology such as port-hopping, random port, Information hiding are widely used employing by P2P, and are simple by can't identify the existence of this class P2P network traffics to the coupling of stiff end slogan.
To P2P network traffics application scheme two are recognition methodss of adopting based on the application layer feature field: use random port or camouflage port because current most of P2P uses, can't identify the existence that this class is used by the port information of analyzing packet header simply.But, all carry specific message information in the grouping of every kind of application, for example, in the http protocol message message printed words such as GET, PUT, POST can appear.Similar with it, in various P2P application protocols, also have similar information.Therefore, people propose by checking that load information that packets inner is carried carries out the method for packet identification, that is: based on recognition technology---deep-packet detection (DPI, the Deep Packet Inspection) technology of application layer feature field.The DPI technology not only detects network layer and transport layer data header, and detects the packaged content part of net load (payload) of packet in application layer.This technology is deeply detected the application rs traffic of packet or data flow, according to the net load of packet packet is made a decision on how to handle it.Because the P2P agreement is introduced dynamic port, can only find out the P2P datagram by the scanning upper-layer protocol, detect by each P2P message through the network equipment is carried out depth content, the attribute that marks each data message is a recognition result, so that carry out next step flow control strategy.This technology is used a net load (payload) feature database storage payload characteristic information, and the datagram that meets the payload feature promptly is considered as the P2P datagram.The most crucial technology of DPI technology recognition methods is the selection of string matching algorithm, and string matching algorithm can improve the response performance of program efficiently.Several string matching algorithms commonly used have: simple string matching algorithm, Krap-Rabin algorithm, string matching automaton and KMP algorithm etc.The shortcoming of DPI technology is: all will untie the analysis of carrying out agreement one deck to entire I P datagram, amount of calculation is bigger at every turn, and speed is slow.The detection that new P2P is used has hysteresis quality, that is: can't not detect new P2P before upgrade feature storehouse and use, and could effectively detect this application implementation after must finding the payload feature of new application.Very limited to the detectability of encrypting the P2P application.Algorithm performance is relevant with the complexity of payload feature, and the payload feature is complicated more, and it is high more then to detect cost, and algorithm performance is poor more.
The scheme three that the P2P network traffics are used is based on the recognition methods of transport layer flow behavioural characteristic: all belong to the probabilistic classification method based on the recognition methods of the behavioural characteristic of transport layer with based on the recognition methods of transport layer stream statistics, all be by macroscopic analysis transport layer header information, and do not carry out any detection that relates to application layer data; Difference is, based on the P2P basis of characterization that flows statistics is the packet size of P2P stream, the transmission byte number, the attributive character of stream such as Mean Speed and duration, identification then is that features such as the connection features of the IP address that connects according to P2P and port numbers and P2P network diameter are discerned based on the P2P network traffics of transport layer behavioural characteristic.The shortcoming of this technology is: flow rate mode identification needs the information of every stream of record, and, the recognition result of flow rate mode has uncertainty, be based on the result of probability, therefore the precision of method depends on the significance degree of P2P network flow characteristic and the heuristic rule covering power to this feature, is unusual difficulties and often find the universals of P2P network traffics.
Summary of the invention
In view of this, main purpose of the present invention is to provide a kind of method and device of peer-to-peer network flow identification, identifies the P2P network traffics fast and accurately.
For achieving the above object, technical scheme of the present invention is achieved in that
The invention provides a kind of method of peer-to-peer network flow identification, this method comprises:
According to the length threshold that is provided with data stream packet is divided into two classes, and calculates the type ratio of this two classes grouping, described packet type thinks that than greater than the type threshold interval that is provided with upward in limited time described data flow is the P2P network traffics.
In the such scheme, this method also comprises: two counter smallCount and LargeCount are set, if block length smaller or equal to set length threshold, then counter smallCount is from increasing 1; If block length is greater than set length threshold, then counter LargeCount is from increasing 1;
The type ratio of described two classes grouping is specially: the ratio of count value among counter smallCount and the LargeCount.
In the such scheme, this method also comprises: prescribe a time limit than the following of type threshold interval less than setting when described packet type, think that then this data flow is non-P2P network traffics; When described packet type ratio is in type threshold interval scope, think that then this data flow is doubtful P2P network traffics.
In the such scheme, described length threshold is set to any integer value between [500,1000] Byte interval range; Described type threshold interval is set to [0.8,1.2].
In the such scheme, when thinking that this data flow is doubtful P2P network traffics, this method also comprises: doubtful P2P network traffics are identified the P2P network traffics that adopt fixed port to communicate by comparison algorithm, and the doubtful P2P network traffics that will be unidentified go out enter the traffic characteristic detection.
In the such scheme, in traffic characteristic detects, doubtful P2P network traffics are identified the P2P network traffics by the traffic characteristic detection method, and the doubtful P2P network traffics that will be unidentified go out enter the feature field detection.
In the such scheme, in feature field detects, doubtful P2P network traffics are identified the P2P network traffics by pattern matching algorithm, and the doubtful P2P network traffics that will be unidentified go out enter the current limliting detection.
In the such scheme, in current limliting detects, when doubtful P2P network traffics greater than set flow threshold, think that then this data flow is the P2P network traffics, otherwise, think that this data flow is non-P2P network traffics.
In the such scheme, described data stream packet is divided into after two classes, this method also comprises: when total number packets during greater than the total threshold value that is provided with, calculate the type ratio of this two classes grouping.
The present invention also provides a kind of device of peer-to-peer network flow identification, this device comprises: packet type compares identification module, be used for data stream packet being divided into two classes according to the length threshold that is provided with, and calculate the type ratio of this two class grouping, described packet type thinks then that than prescribing a time limit greater than going up of the type threshold interval that is provided with this data flow is the P2P network traffics.
In the such scheme, described packet type comprises than identification module: counter smallCount sum counter LargeCount; Wherein,
Counter smallCount, when being used for length when data stream packet smaller or equal to set length threshold, counter smallCount is from increasing 1;
Counter LargeCount, when being used for length when data stream packet greater than set length threshold, counter LargeCount is from increasing 1;
The type ratio of described two classes grouping is specially: the ratio of count value among counter smallCount and the LargeCount.
In the such scheme, described packet type also is used for prescribing a time limit than the following of type threshold interval less than setting when described packet type than identification module, thinks that then this data flow is non-P2P network traffics; When described packet type ratio is in type threshold interval scope, think that then this data flow is doubtful P2P network traffics.
In the such scheme, this device also comprises: port detecting module, traffic characteristic detection module, feature field detection module, current limliting detection module; Wherein,
Port detecting module, be used for the P2P data flow in the fixed port database of doubtful P2P network traffics and port detecting module is compared, identify the P2P network traffics that adopt fixed port to communicate by comparison algorithm, and the unidentified doubtful P2P network traffics that go out are entered the traffic characteristic detection module;
The traffic characteristic detection module, it is right to be used for doubtful P2P network traffics source destination address and source port composition, if formed to not in the traffic characteristic detection module in the static port mapping table, think that then this data flow is the P2P network traffics, and the unidentified doubtful P2P network traffics that go out are entered the feature field detection module;
The feature field detection module, be used for the corresponding character string of doubtful P2P network traffics being compared with the character string of P2P software in dead load (payload) database by pattern matching algorithm, identify the P2P network traffics, and the unidentified doubtful P2P network traffics that go out are entered the current limliting detection module;
The current limliting detection module is used in setting-up time, when doubtful P2P network traffics greater than set flow threshold, think that then this data flow is the P2P network traffics, otherwise, think that this data flow is non-P2P network traffics.
The method and the device of P2P network traffics identification provided by the present invention, measure the data stream packet length of some, according to the length threshold that is provided with data stream packet is divided into two classes, and calculate the type ratio of this two class grouping, if described packet type thinks then that than the upper limit greater than the type threshold interval that is provided with this data flow is the P2P network traffics.So, the present invention can make data flow be divided rapidly and effectively by the packet type ratio is judged, thereby identifies the P2P network traffics fast and effectively.
Because the present invention is used in combination identification P2P data flow with comparison algorithm, traffic characteristic detection method and feature field detection method, and only adopt comparison algorithm, traffic characteristic detection method or feature field detection method that part P2P data flow is discerned, therefore, the shortcoming of said method be can avoid using separately, recognition efficiency and accuracy improved; In addition, the present invention identifies the P2P network traffics by the mode of packet type ratio, has reduced the overhead that the flow detection scheme is brought to a great extent.
Description of drawings
Fig. 1 is the method flow diagram of the P2P network traffics identification of the embodiment of the invention;
Fig. 2 is the structure drawing of device of the P2P network traffics identification of the embodiment of the invention.
Embodiment
The basic thought of technical solution of the present invention is: the data stream packet length of measuring some, according to the length threshold that is provided with data stream packet is divided into two classes, and calculate the type ratio of this two class grouping, if described packet type thinks then that than the upper limit greater than the type threshold interval that is provided with this data flow is the P2P network traffics.
In the process of transfer of data, the network equipment can receive IP traffic, and IP traffic is stored in the inner buffer of self, and packet data streams is carried out respective handling.
The method of the P2P network traffics identification that the embodiment of the invention provides as shown in Figure 1, may further comprise the steps:
Step 101:IP data flow enters the inner buffer of the network equipment;
In this step, according to transmission control protocol/internet interconnection protocol (TCP/IP, TransmissionControl Protocol/Internet Protocol) IP traffic is divided into groups, and make IP traffic enter the inner buffer of First Input First Output in the network equipment (FIFO, First Input First Output) form with the form of grouping.
Step 102: distinguish the type of the data stream packet in the inner buffer, and when total number packets during greater than the total threshold value m of setting, execution in step 103; Otherwise, return step 101;
In this step, at first, two counter smallCount, LargeCount and length threshold t are set, and measure the length of each data stream packet, if block length smaller or equal to set length threshold t, then counter smallCount is from increasing 1; If block length is greater than set length threshold t, then counter LargeCount is from increasing 1; Like this, data stream packet in the inner buffer has been distinguished into two types: block length is recorded among the counter smallCount smaller or equal to the grouping number of length threshold t, and block length is recorded among the counter LargeCount greater than the grouping number of length threshold t; Wherein, length threshold t can be according to the physical length setting of data stream packet, generally speaking, block length is between [500,1000] grouping number of Byte interval range is considerably less, so preferably, length threshold t is set between [500,1000] any integer value of Byte interval range can reach the purpose of distinguishing packet type preferably;
Secondly, total threshold value m is set, and calculates total number packets, total number packets is the count value sum of two counters, when total number packets less than total threshold value m, then read in a grouping once more, and recomputate total number packets, up to total number packets greater than total threshold value m, execution in step 103; Wherein, being provided with of total threshold value m can be determined according to network condition, when the sum of grouping reaches some, can make method of the present invention have more general applicability, can be set to 100000 generally speaking.
Step 103: calculate the packet type ratio, packet type is defined as the P2P network traffics than the data flow of the type threshold interval k upper range that is higher than setting, and this part P2P network traffics is carried out the P2P network flow management, finish current flow process; Packet type is defined as doubtful P2P network traffics, execution in step 104 than the data flow in type threshold interval k scope; Packet type is defined as non-P2P network traffics than the data flow of the type threshold interval k lower range that is lower than setting, and finishes current flow process.
In this step, packet type is than the ratio for count value among counter smallCount and the LargeCount; Set type threshold interval k can determine according to network condition, the present invention is according to a large amount of experiments, utilize 100000 data flow samples to reach a conclusion: when packet type than greater than 1.2 the time, data flow is the P2P network traffics, and when packet type than less than 0.8 the time, data flow is non-P2P network traffics, therefore preferably, type threshold interval k is set gets [0.8,1.2]; By the P2P network flow identification method in this step, the accuracy rate of identification can reach more than 50%, and identifying is rapid.
Step 104: identify the P2P network traffics that adopt fixed port to communicate by comparison algorithm, and the P2P network traffics that identify are carried out the P2P network flow management, the unidentified doubtful P2P network traffics that go out are carried out traffic characteristic detect;
In this step, contrast in detail by the P2P data flow of comparison algorithm of the prior art the fixed port database in the doubtful P2P data flow and the network equipment, identify the P2P network traffics that adopt fixed port to communicate, enter P2P network flow management module after this part P2P network traffics is marked; And all the other unidentified doubtful P2P network traffics that go out are carried out traffic characteristic detect execution in step 105.
Step 105: identify the P2P network traffics by the traffic characteristic detection method, and the P2P network traffics that identify are carried out the P2P network flow management, with the unidentified doubtful P2P network traffics execution pattern matching detection that goes out;
In this step, analyze the protocol header in the data flow, the source destination address, source port, place destination address and place port, source destination address and source port in the doubtful P2P network traffics are formed (pair), as long as use Transmission Control Protocol and User Datagram Protocol (UDP simultaneously, User Datagram Protocol), and source destination address and source port be not in the network equipment in the existing static port mapping table, determine that then this data flow is the P2P network traffics, carry out the P2P network flow management after this part P2P network traffics marked, and the unidentified doubtful P2P network traffics that go out are carried out feature field detect execution in step 106; Wherein, the identifying in this step can be passed through existing techniques in realizing.
Step 106: detect by feature field and to identify the P2P network traffics, and the P2P network traffics that identify are carried out the P2P network flow management, the unidentified doubtful P2P network traffics that go out are carried out current limliting detect;
In this step, by pattern matching algorithm corresponding character string in the doubtful P2P network traffics is compared with the character string of P2P software in the payload database, and then identify the P2P network traffics; And enter P2P network flow management module after the P2P network traffics that identify are marked, the unidentified doubtful P2P network traffics that go out are carried out current limliting detect; Wherein, described pattern matching algorithm can adopt the classic algorithm KMP algorithm in the pattern recognition, and the detailed process of this algorithm is not done detailed description at this.
Here, can comprise domestic popular P2P software at present in the payload database, wherein, the character string characteristic sequence can comprise :+21 ,-13 ,+0 ,-134 ,-75 ,+18 ,-0 ,+68 ,+80 ,-80 ,+95 ,-95, E3, C5, D4.
In most of the cases, can finish the identification of P2P network traffics substantially by this step.
Step 107: if doubtful P2P network traffics are greater than set flow threshold in setting-up time, think that then this data flow is the P2P network traffics, the P2P network traffics of being discerned are carried out the P2P network flow management, the unidentified data flow that goes out all be can be considered non-P2P data flow.
In this step, set here threshold value should be definite according to the network bandwidth and congestion situation, for example: when flow surpasses 1Mb/s (mbit/), think that data flow is the P2P data flow.
The present invention discerns the P2P network traffics according to the complexity that detects or the degree consuming time of detection, can identify the P2P network traffics rapidly by said method, reduced the recognition time of P2P network traffics, make the P2P network traffics in time carry out the P2P network flow management, improved recognition efficiency and precision.
For realizing said method, the present invention also provides a kind of device of P2P network traffics identification, and as shown in Figure 2, this device comprises:
Packet type compares identification module, be used to measure the data stream packet length of some, according to set length threshold data stream packet is divided into two classes, and calculate the type ratio of this two class grouping, if described packet type thinks then that than the upper limit greater than set type threshold interval this data flow is the P2P network traffics.
Wherein, described length threshold can be according to the physical length setting of data stream packet, and preferably, length threshold is set to any integer value between [500,1000] Byte interval range; Described type threshold interval can determine that preferably, the type threshold interval is set to [0.8,1.2] according to network condition.
Described packet type comprises counter smallCount sum counter LargeCount than identification module; Wherein, counter smallCount, when being used for length when data stream packet smaller or equal to set length threshold, counter smallCount is from increasing 1;
Counter LargeCount, when being used for length when data stream packet greater than set length threshold, counter LargeCount is from increasing 1.
The quantity ratio of described two classes grouping is specially: the ratio of count value among counter smallCount and the LargeCount.
Described packet type also is used for thinking then that when the lower limit of described packet type ratio less than set type threshold interval this data flow is non-P2P network traffics than identification module; When described packet type ratio is in type threshold interval scope, think that then this data flow is doubtful P2P network traffics.
This device also comprises: port detecting module, traffic characteristic detection module, feature field detection module, current limliting detection module; Wherein,
Port detecting module, be used for the P2P data flow in the fixed port database of doubtful P2P network traffics and port detecting module is compared, identify the P2P network traffics that adopt fixed port to communicate by comparison algorithm, and the unidentified doubtful P2P network traffics that go out are entered the traffic characteristic detection module;
The traffic characteristic detection module, it is right to be used for doubtful P2P network traffics source destination address and source port composition, if formed to not in the traffic characteristic detection module in the static port mapping table, think that then this data flow is the P2P network traffics, and the unidentified doubtful P2P network traffics that go out are entered the feature field detection module;
The feature field detection module, be used for the corresponding character string of doubtful P2P network traffics being compared with the character string of P2P software in dead load (payload) database by pattern matching algorithm, identify the P2P network traffics, and the unidentified doubtful P2P network traffics that go out are entered the current limliting detection module;
The current limliting detection module is used in setting-up time, when doubtful P2P network traffics greater than set flow threshold, think that then this data flow is the P2P network traffics, otherwise, think that this data flow is non-P2P network traffics.
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention, all any modifications of being done within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.
Claims (13)
1. the method for an equity (P2P) network traffics identification is characterized in that this method comprises:
According to the length threshold that is provided with data stream packet is divided into two classes, and calculates the type ratio of this two classes grouping, described packet type thinks that than greater than the type threshold interval that is provided with upward in limited time described data flow is the P2P network traffics.
2. method according to claim 1 is characterized in that, this method also comprises: two counter smallCount and LargeCount are set, if block length smaller or equal to set length threshold, then counter smallCount is from increasing 1; If block length is greater than set length threshold, then counter LargeCount is from increasing 1;
The type ratio of described two classes grouping is specially: the ratio of count value among counter smallCount and the LargeCount.
3. method according to claim 2 is characterized in that, this method also comprises: prescribe a time limit than the following of type threshold interval less than setting when described packet type, think that then this data flow is non-P2P network traffics; When described packet type ratio is in type threshold interval scope, think that then this data flow is doubtful P2P network traffics.
4. method according to claim 3 is characterized in that described length threshold is set to any integer value between [500,1000] Byte interval range; Described type threshold interval is set to [0.8,1.2].
5. method according to claim 3, it is characterized in that, when thinking that this data flow is doubtful P2P network traffics, this method also comprises: doubtful P2P network traffics are identified the P2P network traffics that adopt fixed port to communicate by comparison algorithm, and the doubtful P2P network traffics that will be unidentified go out enter the traffic characteristic detection.
6. method according to claim 5 is characterized in that, in traffic characteristic detects, doubtful P2P network traffics is identified the P2P network traffics by the traffic characteristic detection method, and the doubtful P2P network traffics that will be unidentified go out enter the feature field detection.
7. method according to claim 6 is characterized in that, in feature field detects, doubtful P2P network traffics is identified the P2P network traffics by pattern matching algorithm, and the doubtful P2P network traffics that will be unidentified go out enter the current limliting detection.
8. method according to claim 7 is characterized in that, in current limliting detects, when doubtful P2P network traffics greater than set flow threshold, think that then this data flow is the P2P network traffics, otherwise, think that this data flow is non-P2P network traffics.
9. according to each described method of claim 1 to 8, it is characterized in that described data stream packet is divided into after two classes, this method also comprises:, calculate the type ratio of this two classes grouping when total number packets during greater than the total threshold value that is provided with.
10. the device of peer-to-peer network flow identification, it is characterized in that, this device comprises: packet type compares identification module, be used for data stream packet being divided into two classes according to the length threshold that is provided with, and calculate the type ratio of this two class grouping, described packet type thinks then that than prescribing a time limit greater than going up of the type threshold interval that is provided with this data flow is the P2P network traffics.
11. device according to claim 10 is characterized in that, described packet type comprises than identification module: counter smallCount sum counter LargeCount; Wherein,
Counter smallCount, when being used for length when data stream packet smaller or equal to set length threshold, counter smallCount is from increasing 1;
Counter LargeCount, when being used for length when data stream packet greater than set length threshold, counter LargeCount is from increasing 1;
The type ratio of described two classes grouping is specially: the ratio of count value among counter smallCount and the LargeCount.
12., it is characterized in that described packet type also is used for prescribing a time limit than the following of type threshold interval less than setting when described packet type than identification module, thinks that then this data flow is non-P2P network traffics according to claim 10 or 11 described devices; When described packet type ratio is in type threshold interval scope, think that then this data flow is doubtful P2P network traffics.
13. device according to claim 12 is characterized in that, this device also comprises: port detecting module, traffic characteristic detection module, feature field detection module, current limliting detection module; Wherein,
Port detecting module, be used for the P2P data flow in the fixed port database of doubtful P2P network traffics and port detecting module is compared, identify the P2P network traffics that adopt fixed port to communicate by comparison algorithm, and the unidentified doubtful P2P network traffics that go out are entered the traffic characteristic detection module;
The traffic characteristic detection module, it is right to be used for doubtful P2P network traffics source destination address and source port composition, if formed to not in the traffic characteristic detection module in the static port mapping table, think that then this data flow is the P2P network traffics, and the unidentified doubtful P2P network traffics that go out are entered the feature field detection module;
The feature field detection module, be used for the corresponding character string of doubtful P2P network traffics being compared with the character string of P2P software in dead load (payload) database by pattern matching algorithm, identify the P2P network traffics, and the unidentified doubtful P2P network traffics that go out are entered the current limliting detection module;
The current limliting detection module is used in setting-up time, when doubtful P2P network traffics greater than set flow threshold, think that then this data flow is the P2P network traffics, otherwise, think that this data flow is non-P2P network traffics.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010199464.1A CN101854366B (en) | 2010-06-10 | 2010-06-10 | Peer-to-peer network flow-rate identification method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010199464.1A CN101854366B (en) | 2010-06-10 | 2010-06-10 | Peer-to-peer network flow-rate identification method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101854366A true CN101854366A (en) | 2010-10-06 |
| CN101854366B CN101854366B (en) | 2015-04-01 |
Family
ID=42805631
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010199464.1A Expired - Fee Related CN101854366B (en) | 2010-06-10 | 2010-06-10 | Peer-to-peer network flow-rate identification method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101854366B (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102098346A (en) * | 2011-02-23 | 2011-06-15 | 北京邮电大学 | Method for identifying flow of P2P (peer-to-peer) stream media in unknown flow |
| CN102932199A (en) * | 2012-09-19 | 2013-02-13 | 邦讯技术股份有限公司 | Method and system for detecting P2P (Peer-to-Peer) stream of multi-core system |
| CN104243225A (en) * | 2013-06-19 | 2014-12-24 | 北京思普崚技术有限公司 | Traffic identification method based on deep package inspection |
| CN104283699A (en) * | 2013-07-01 | 2015-01-14 | 中兴通讯股份有限公司 | Method and device for determining service types |
| CN109067665A (en) * | 2018-09-25 | 2018-12-21 | 华为技术有限公司 | Jamming control method and the network equipment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101459546A (en) * | 2007-12-11 | 2009-06-17 | 华为技术有限公司 | Recognition method and apparatus for peer-to-peer node flow |
| CN101505314A (en) * | 2008-12-29 | 2009-08-12 | 成都市华为赛门铁克科技有限公司 | P2P data stream recognition method, apparatus and system |
-
2010
- 2010-06-10 CN CN201010199464.1A patent/CN101854366B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101459546A (en) * | 2007-12-11 | 2009-06-17 | 华为技术有限公司 | Recognition method and apparatus for peer-to-peer node flow |
| CN101505314A (en) * | 2008-12-29 | 2009-08-12 | 成都市华为赛门铁克科技有限公司 | P2P data stream recognition method, apparatus and system |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102098346A (en) * | 2011-02-23 | 2011-06-15 | 北京邮电大学 | Method for identifying flow of P2P (peer-to-peer) stream media in unknown flow |
| CN102932199A (en) * | 2012-09-19 | 2013-02-13 | 邦讯技术股份有限公司 | Method and system for detecting P2P (Peer-to-Peer) stream of multi-core system |
| CN102932199B (en) * | 2012-09-19 | 2018-07-27 | 邦讯技术股份有限公司 | A kind of method and system of multiple nucleus system detection P2P streams |
| CN104243225A (en) * | 2013-06-19 | 2014-12-24 | 北京思普崚技术有限公司 | Traffic identification method based on deep package inspection |
| CN104243225B (en) * | 2013-06-19 | 2017-08-08 | 北京思普崚技术有限公司 | A kind of method for recognizing flux based on deep-packet detection |
| CN104283699A (en) * | 2013-07-01 | 2015-01-14 | 中兴通讯股份有限公司 | Method and device for determining service types |
| CN109067665A (en) * | 2018-09-25 | 2018-12-21 | 华为技术有限公司 | Jamming control method and the network equipment |
| CN109067665B (en) * | 2018-09-25 | 2022-01-11 | 华为技术有限公司 | Congestion control method and network equipment |
| US11606297B2 (en) | 2018-09-25 | 2023-03-14 | Huawei Technologies Co., Ltd. | Congestion control method and network device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101854366B (en) | 2015-04-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP1764951B1 (en) | Statistical trace-based method, apparatus, node and system for real-time traffic classification | |
| CN102724317B (en) | A kind of network traffic data sorting technique and device | |
| CN101714952B (en) | Method and device for identifying traffic of access network | |
| Tammaro et al. | Exploiting packet‐sampling measurements for traffic characterization and classification | |
| Qin et al. | Robust application identification methods for P2P and VoIP traffic classification in backbone networks | |
| KR100997182B1 (en) | Flow information restricting apparatus and method | |
| CN101202652A (en) | Device for classifying and recognizing network application flow quantity and method thereof | |
| CN102148854B (en) | Method and device for identifying peer-to-peer (P2P) shared flows | |
| CN102571946B (en) | Realization method of protocol identification and control system based on P2P (peer-to-peer network) | |
| CN101854366B (en) | Peer-to-peer network flow-rate identification method and device | |
| CN108206788B (en) | Traffic service identification method and related equipment | |
| US7907543B2 (en) | Apparatus and method for classifying network packet data | |
| CN105227348A (en) | A kind of Hash storage means based on IP five-tuple | |
| US20040148417A1 (en) | Method and system for distinguishing higher layer protocols of the internet traffic | |
| CN101984635B (en) | Method and system for flow identification of point to point (P2P) protocol | |
| CN101510878A (en) | Method, device and equipment for monitoring peer-to-peer network | |
| Oudah et al. | Using burstiness for network applications classification | |
| CN114465786B (en) | Monitoring method for encrypted network traffic | |
| CN104253712B (en) | A kind of method that P2P Network Recognitions are carried out using deep packet inspection technical | |
| CN115174961A (en) | Multi-platform video flow early identification method facing high-speed network | |
| CN101459546A (en) | Recognition method and apparatus for peer-to-peer node flow | |
| CN104348675A (en) | Bidirectional service data flow identification method and device | |
| Yoon et al. | Header signature maintenance for Internet traffic identification | |
| Li et al. | MP-ROOM: Optimal matching on multiple PDUs for fine-grained traffic identification | |
| CN108347447B (en) | P2P botnet detection method and system based on periodic communication behavior analysis |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20170224 Address after: 561102 Guiyang science and Technology Industrial Park, Jinyang hi tech Zone, Guizhou, China, B527 Patentee after: Guizhou Kai Tong Tong Technology Co., Ltd. Address before: 518057 Nanshan District Guangdong high tech Industrial Park, South Road, science and technology, ZTE building, Ministry of Justice Patentee before: ZTE Corporation |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20150401 Termination date: 20170610 |