CN101986609A - Method and system for realizing network flow cleaning - Google Patents
- Publication number: CN101986609A
- Authority: CN (China)
- Prior art keywords: network traffic, equipment, template, DFI, flow detection
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and a system for realizing network flow cleaning. In the scheme adopted by the invention, a deep flow inspection (DFI) device detects network flow according to a flow detection template and transmits suspicious network flow to a deep packet inspection (DPI) device; the DPI device detects the suspicious network flow according to a recognition template and cleans abnormal network flow according to a control policy. The scheme combines DFI technology with DPI technology, which resolves the contradiction between detection completeness and cleaning efficiency in network flow cleaning, takes both detection efficiency and accuracy into consideration, satisfies the network flow cleaning needs of mass data, and improves network flow cleaning efficiency considerably.
Description
Technical field
The present invention relates to computer network technology, and in particular to a method and system for cleaning network traffic.
Background art
With the rapid growth in the variety and volume of Internet services, junk traffic in the network (for example, traffic that has no meaning or use, or malicious attack traffic) is also gradually increasing. The bearer network is increasingly overloaded, and congestion and insufficient bandwidth occur frequently. A very important cause of this situation is the large amount of abnormal network traffic in the network, such as malicious attack traffic, unauthorized network traffic, and illegal peer-to-peer (P2P) traffic. Cleaning abnormal network traffic therefore becomes a very important processing operation. At present, cleaning approaches based on packet-by-packet inspection place very high demands on the communication system and the detection equipment, and their processing efficiency is low, yet the volume of traffic to be cleaned is very large. Existing cleaning approaches therefore cannot meet the traffic cleaning needs of high-volume settings such as backbone networks.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and system for cleaning network traffic that effectively improve network traffic cleaning efficiency.
To achieve this purpose, the technical scheme of the invention is realized as follows:
A method for cleaning network traffic, the method comprising:
A deep flow inspection (DFI) device detects network traffic according to a flow detection template and sends suspicious network traffic to a deep packet inspection (DPI) device;
The DPI device detects the suspicious network traffic according to a recognition template and cleans abnormal network traffic according to a control policy.
The method further comprises:
A control centre issues the configured flow detection template to the DFI device, and the DFI device stores the flow detection template it receives; and/or,
The control centre issues the configured recognition template and control policy to the DPI device, and the DPI device stores the recognition template and control policy it receives.
After the DFI device detects the network traffic according to the flow detection template, the method further comprises: the DFI device injects normal network traffic into the transmission link for transmission; and/or,
After the DPI device detects the suspicious network traffic according to the recognition template, the method further comprises: the DPI device injects normal network traffic into the transmission link for transmission.
Detecting the network traffic according to the flow detection template comprises: comparing the features of the network traffic with the stored flow detection template and, when the features of the network traffic are determined to be abnormal, determining that the corresponding network traffic is suspicious network traffic.
Detecting the suspicious network traffic according to the recognition template comprises: performing deep packet inspection on the suspicious network traffic according to the recognition template, identifying the specific application of the network traffic, and determining whether the network traffic is abnormal.
A system for cleaning network traffic, comprising:
A DFI device, configured to detect network traffic according to a flow detection template and to send suspicious network traffic to a DPI device;
The DPI device, configured to detect the suspicious network traffic according to a recognition template and to clean abnormal network traffic according to a control policy.
The system further comprises a control centre, configured to issue the configured flow detection template to the DFI device; and/or to issue the configured recognition template and control policy to the DPI device.
The flow detection template or the recognition template is statically set, or dynamically set according to current needs.
The DFI device is further configured to inject normal network traffic into the transmission link for transmission; and/or the DPI device is further configured to inject normal network traffic into the transmission link for transmission.
The scheme of the invention combines DFI technology with DPI technology. This resolves the contradiction between detection completeness and cleaning efficiency in network traffic cleaning, balances detection efficiency and accuracy, meets the traffic cleaning needs of massive data volumes, and greatly improves network traffic cleaning efficiency.
In addition, the flow detection template used in the scheme may be the same as existing flow detection templates, so the scheme does not require frequent upgrades of the flow detection template, which greatly reduces the maintenance cost of network traffic cleaning.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the system for cleaning network traffic according to the invention;
Fig. 2 is a flowchart of network traffic cleaning according to the invention.
Embodiment
Deep packet inspection (DPI) and deep flow inspection (DFI) are the two main ways of identifying abnormal network traffic. DPI adds application-layer analysis on top of packet-header analysis; it is a traffic detection and control technology based on the application layer. Unlike DPI, which matches application-layer payloads, DFI is an application identification technology based on flow behavior: different application types exhibit different states on a session connection or data flow.
For example, the features that IP traffic in the network exhibits at the flow level are distinctive: the packet length of a Real-time Transport Protocol (RTP) stream is relatively fixed, generally 130 to 220 bytes; the connection rate is low, 20 to 84 kilobits per second (Kbit/s); and the session duration is relatively long. Network traffic from P2P download applications, by contrast, has an average packet length above 450 bytes, a long download time, and a high connection rate, and its preferred transport-layer protocol is the Transmission Control Protocol (TCP).
DFI builds on this set of flow-behavior features to establish a traffic feature model, that is, the flow detection template. It analyzes information such as the packet lengths, connection rate, number of bytes transmitted, and inter-packet intervals of a session flow and compares it with the established flow detection template, thereby identifying the application type.
Given the respective characteristics of DPI and DFI, the scheme of the invention combines the two: the DFI device detects network traffic according to the flow detection template and sends suspicious network traffic to the DPI device; the DPI device detects the suspicious network traffic according to the recognition template and cleans abnormal network traffic according to the control policy, which greatly improves network traffic cleaning efficiency.
Fig. 1 is a schematic diagram of the structure of the system for cleaning network traffic according to the invention. As shown in Fig. 1, the system comprises a DFI device and a DPI device. The DFI device is configured to detect network traffic according to the flow detection template and to send suspicious network traffic to the DPI device; the DPI device is configured to detect the suspicious network traffic according to the recognition template and to clean abnormal network traffic according to the control policy.
The DFI device is further configured to inject normal network traffic into the transmission link for transmission. The DPI device is further configured to inject normal network traffic into the transmission link for transmission.
The system may further comprise a control centre, configured to issue the configured flow detection template to the DFI device, and also to issue the configured recognition template and control policy to the DPI device. The flow detection template, recognition template, and control policy issued by the control centre may be set statically at the outset, or set dynamically according to current needs.
Fig. 2 is a flowchart of network traffic cleaning according to the invention. As shown in Fig. 2, the flow is as follows:
Step 201: The control centre issues the configured flow detection template to the DFI device, and the DFI device stores the flow detection template it receives.
Step 202: The control centre issues the configured recognition template and control policy to the DPI device, and the DPI device stores the recognition template and control policy it receives.
When data is being transmitted in the network, the DFI device diverts the network traffic that needs to be inspected to itself in order to perform flow detection. Flow detection with DFI technology consists of comparing the features of the network traffic with the stored flow detection template, so processing is fast. The flow detection template used in the scheme may be the same as existing flow detection templates, so the scheme does not require frequent upgrades of the flow detection template, which greatly reduces the maintenance cost of network traffic cleaning.
To judge whether network traffic is abnormal, the DFI device compares the network traffic with the flow detection template, which determines whether the features of the network traffic are abnormal. If the features are determined to be normal, the network traffic is injected into the transmission link for transmission. If the features are determined to be abnormal, the network traffic may be abnormal: it is classed as suspicious network traffic and sent to the DPI device, which performs deep packet inspection to identify the abnormal network traffic more specifically.
Step 205: The DFI device sends the suspicious network traffic to the DPI device, and the DPI device performs deep packet inspection.
Step 206: The DPI device detects the received suspicious network traffic according to the recognition template and, after determining that the network traffic is abnormal, cleans the abnormal network traffic according to the control policy.
The DPI device performs deep packet inspection on the suspicious network traffic according to the recognition template and accurately identifies the specific application of the network traffic, thereby determining whether the network traffic is abnormal. After determining that the network traffic is abnormal, it cleans the identified abnormal network traffic according to the control policy. The abnormal network traffic determined by the DPI device is the abnormal network traffic finally obtained under the scheme of the invention. For example, if the DPI device determines according to the recognition template that the source of the network traffic is an unauthorized user, it determines that the corresponding network traffic is abnormal and intercepts it directly, so that it is not transmitted on the transmission link. As another example, if the DPI device determines according to the recognition template that the network traffic consists of a large amount of empty content, it determines that the corresponding network traffic is abnormal and intercepts it directly, so that it is not transmitted on the transmission link.
Step 207: The DPI device injects normal network traffic into the transmission link for transmission, completing the whole abnormal-traffic cleaning process. The normal network traffic referred to here may be the normal network traffic obtained after cleaning.
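The two-stage flow of steps 201 to 207, sketched as an added example that is not part of the patent text: a cheap per-flow DFI check runs on every flow, and payload-level DPI runs only on flows that DFI marks suspicious. Only the 450-byte average packet length comes from the description; modelling the flow detection template as a suspect profile, the rate and duration thresholds, the two recognition rules, and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    name: str
    proto: str                 # transport protocol, "TCP" or "UDP"
    packets: int
    total_bytes: int
    duration_s: float
    payloads: list = field(default_factory=list)  # sampled application payloads

    @property
    def avg_pkt_len(self) -> float:
        return self.total_bytes / self.packets

    @property
    def rate_kbit_s(self) -> float:
        return self.total_bytes * 8 / 1000 / self.duration_s


# Flow detection template issued to the DFI device (step 201). Only the
# 450-byte bound is from the description; the other thresholds are assumed.
FLOW_DETECTION_TEMPLATE = [
    {"profile": "p2p-download-like", "proto": "TCP",
     "min_avg_pkt_len": 450, "min_rate_kbit_s": 500, "min_duration_s": 60},
]

BT_HANDSHAKE = b"\x13BitTorrent protocol"  # prefix of a BitTorrent handshake

# Recognition template and control policy issued to the DPI device (step 202).
# Both rules and the policy actions are illustrative assumptions.
RECOGNITION_TEMPLATE = {
    "bittorrent": lambda ps: any(p.startswith(BT_HANDSHAKE) for p in ps),
    "empty-content": lambda ps: bool(ps) and all(
        len(p) > 0 and p.count(0) == len(p) for p in ps),
}
CONTROL_POLICY = {"bittorrent": "drop", "empty-content": "drop"}


def dfi_detect(flow):
    """Return the matching suspect profile, or None if the flow looks normal."""
    for t in FLOW_DETECTION_TEMPLATE:
        if (flow.proto == t["proto"]
                and flow.avg_pkt_len > t["min_avg_pkt_len"]
                and flow.rate_kbit_s >= t["min_rate_kbit_s"]
                and flow.duration_s >= t["min_duration_s"]):
            return t["profile"]
    return None


def dpi_detect(flow):
    """Return the application identified from the payloads, or None."""
    for app, matches in RECOGNITION_TEMPLATE.items():
        if matches(flow.payloads):
            return app
    return None


def clean(flows):
    """Map each flow name to (deciding stage, action, identified application)."""
    verdicts = {}
    for flow in flows:
        if dfi_detect(flow) is None:
            # Normal at the flow level: forwarded without payload inspection.
            verdicts[flow.name] = ("dfi", "forward", None)
            continue
        app = dpi_detect(flow)
        verdicts[flow.name] = ("dpi", CONTROL_POLICY.get(app, "forward"), app)
    return verdicts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("rtp-call", "UDP", 30000, 5_160_000, 600.0, [b"\x80\x00" + b"\x01" * 170]),
    Flow("torrent", "TCP", 20000, 24_000_000, 120.0, [BT_HANDSHAKE + b"\x00" * 8]),
    Flow("web-download", "TCP", 20000, 24_000_000, 120.0, [b"HTTP/1.1 200 OK\r\n"]),
    Flow("zero-fill", "TCP", 50000, 50_000_000, 90.0, [b"\x00" * 1000] * 3),
]

if __name__ == "__main__":
    for name, verdict in clean(SAMPLE_FLOWS).items():
        print(name, verdict)
```

The `web-download` flow shows why the second stage matters: it matches the bulk-TCP flow profile, but DPI identifies no abnormal application, so it is forwarded.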
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the invention.
Claims (9)
1. A method for cleaning network traffic, characterized in that the method comprises:
A deep flow inspection (DFI) device detects network traffic according to a flow detection template and sends suspicious network traffic to a deep packet inspection (DPI) device;
The DPI device detects the suspicious network traffic according to a recognition template and cleans abnormal network traffic according to a control policy.
2. The method according to claim 1, characterized in that the method further comprises:
A control centre issues the configured flow detection template to the DFI device, and the DFI device stores the flow detection template it receives; and/or,
The control centre issues the configured recognition template and control policy to the DPI device, and the DPI device stores the recognition template and control policy it receives.
3. The method according to claim 1 or 2, characterized in that,
After the DFI device detects the network traffic according to the flow detection template, the method further comprises: the DFI device injects normal network traffic into the transmission link for transmission; and/or,
After the DPI device detects the suspicious network traffic according to the recognition template, the method further comprises: the DPI device injects normal network traffic into the transmission link for transmission.
4. The method according to claim 1 or 2, characterized in that detecting the network traffic according to the flow detection template comprises: comparing the features of the network traffic with the stored flow detection template and, when the features of the network traffic are determined to be abnormal, determining that the corresponding network traffic is suspicious network traffic.
5. The method according to claim 1 or 2, characterized in that detecting the suspicious network traffic according to the recognition template comprises: performing deep packet inspection on the suspicious network traffic according to the recognition template, identifying the specific application of the network traffic, and determining whether the network traffic is abnormal.
6. A system for cleaning network traffic, characterized in that it comprises:
A DFI device, configured to detect network traffic according to a flow detection template and to send suspicious network traffic to a DPI device;
The DPI device, configured to detect the suspicious network traffic according to a recognition template and to clean abnormal network traffic according to a control policy.
7. The system according to claim 6, characterized in that the system further comprises a control centre,
Configured to issue the configured flow detection template to the DFI device; and/or,
Configured to issue the configured recognition template and control policy to the DPI device.
8. The system according to claim 7, characterized in that the flow detection template or the recognition template is statically set, or dynamically set according to current needs.
9. The system according to any one of claims 6 to 8, characterized in that,
The DFI device is further configured to inject normal network traffic into the transmission link for transmission; and/or,
The DPI device is further configured to inject normal network traffic into the transmission link for transmission.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100901327A CN101986609A (en) | 2009-07-29 | 2009-07-29 | Method and system for realizing network flow cleaning |
PCT/CN2010/072585 WO2011012004A1 (en) | 2009-07-29 | 2010-05-10 | Method and system for realizing network flow cleaning |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101986609A (en) | 2011-03-16 |
Family
ID=43528738
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101986609A (en) |
WO (1) | WO2011012004A1 (en) |
- 2009-07-29: CN application CN2009100901327A, published as CN101986609A (en), status: Pending
- 2010-05-10: WO application PCT/CN2010/072585, published as WO2011012004A1 (en), status: Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2011012004A1 (en) | 2011-02-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20110316 |