CN102130956B - Method and system for identifying application layer protocols - Google Patents
Method and system for identifying application layer protocols Download PDFInfo
- Publication number
- CN102130956B CN102130956B CN 201110066864 CN201110066864A CN102130956B CN 102130956 B CN102130956 B CN 102130956B CN 201110066864 CN201110066864 CN 201110066864 CN 201110066864 A CN201110066864 A CN 201110066864A CN 102130956 B CN102130956 B CN 102130956B
- Authority
- CN
- China
- Prior art keywords
- protocol
- application layer
- suites
- character
- prefix
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Abstract
The invention discloses a method and system for identifying application layer protocols, relating to the technical field of computer networks. The method comprises the following steps: S1, extracting prefix characters of loads of messages to be identified; S2, judging whether the prefix characters are matched with fixed prefixes of given application layer protocols; and if the prefix characters are matched with the fixed prefixes of the given application layer protocols, executing S3, otherwise executing S4; S3, according to the prefix characters, selecting a determined finite automaton engine, and using the selected finite automaton engine to carry out matching treatment on the messages to be identified corresponding to the prefix characters; and S4, carrying out protocol identification on the messages to be identified corresponding to the prefix characters based on protocol fingerprints. The method and system provided by the invention have the advantage of high identification accuracy, and meet the requirements of high throughput and less memory occupancy.
Description
Technical field
The present invention relates to technical field of the computer network, relate in particular to a kind of side's application protocol recognition method and system.
Background technology
Be accompanied by the continuous universal enhancing that acts in producing, living with the Internet of miscellaneous service in the Internet, information security issue becomes increasingly conspicuous.The fine granularity of network traffics is controlled, and helps data center that better data transport service is provided on the one hand, thereby effectively guarantees the main flow internet, applications; On the other hand, be conducive to better ensure the fail safe of enterprise network, solve with diverse network and use closely-related safety problem.
At present, traditional flow control strategy based on stream is more and more inapplicable in data center and enterprise network, and the application layer protocol recognition technology is progressively replacing traditional bag sorting technique.
Application layer protocol identification is called for short protocol identification, and purpose is to identify the application layer protocol type that the flow that transmits on network link uses.In order to satisfy growing the Internet demand, effectively protocol identification must reach higher recognition rate, and can compatible emerging agreement.
Use widely in order to obtain in the Core Feature of modern network, the application layer protocol recognition system should satisfy following requirement:
1, high-throughput: as the basis of fine granularity traffic management, the speed of application layer protocol identification must be higher than link rate.
2, low EMS memory occupation: for the cost restriction of supporting application layer protocol identification at a high speed, consider simultaneously to consume high-speed internal memory, memory usage should be low as far as possible.
3, high accuracy of identification: must have simultaneously lower false positive rate and false negative rate.
Be based on traditionally port mapping mechanism identifies using layer protocol always, for example, the message correspondence of 80 ports HTML (Hypertext Markup Language) (Hyper Text Transfer Protocol, HTTP), the agreement of 25 ports is domain name system (Domain Name System, DNS) agreement.But along with increasing procotol is not used fixing port and communicated, be very limited based on the protocol identification mode of message port, accuracy is subject to very large challenge, for example adopts equity (Peer-to-Peer, the P2P) agreement of dynamic port etc.
Traditional recognition methods based on port numbers is no longer applicable, and a lot of research work in recent years all are devoted to develop new method and are identified application layer protocol.A kind of method is based on machine Learning Theory, uses the means of statistics to carry out protocol identification.Information such as the average message length in the actual reciprocal process of statistics agreement, queuing time is carried out protocol identification as feature to message.Yet this method based on statistics has much such as insoluble problems such as accuracy, thereby can't obtain in actual applications performance preferably.
A lot of actual application layer protocol recognition systems, for example PaloAlto and Juniper, and the L7-filter that increases income etc. is the recognition methods of adopting based on load, to obtain better performance.Application layer protocol recognition system based on load is widely used at present, yet adopt the load that does not have definite prefix to escape the detection of protocol identification system due to a lot of P2P agreements, perhaps load contents is encrypted, makes the protocol identification system that adopts based on the recognition methods of load not good enough for the detection effect of these unconventional agreements.
Summary of the invention
The technical problem that (one) will solve
The technical problem to be solved in the present invention is: how a kind of accuracy of identification is high, throughput is high and EMS memory occupation is low application protocol recognition method and system are provided.
(2) technical scheme
For addressing the above problem, the invention provides a kind of application protocol recognition method, the method comprising the steps of:
A
1. record has the prefix length of the known application layer protocol of Fixed CP, according to initial character, described known application layer protocol with Fixed CP is divided into groups, and obtains some protocol suites;
A
2. removing in some protocol suites is the protocol suite of other protocol suite subsets;
A
3. adopt heuristic clustering algorithm to steps A
2The some protocol suites that obtain are optimized;
A
4. will be through steps A
3Some protocol suites after optimization process are compiled as the deterministic finite automaton engine;
S1. extract the prefix character of the load of message to be identified;
S2. judge whether described prefix character mates the Fixed CP of known application layer protocol, if, execution in step S3, otherwise execution in step S4;
S3. select the deterministic finite automaton engine according to described prefix character, and by selected deterministic finite automaton engine, message to be identified corresponding to described prefix character carried out matching treatment;
S4. based on the agreement fingerprint, message to be identified corresponding to described prefix character carried out protocol identification;
Steps A
3Further comprise:
B
1. get arbitrary protocol suite, travel through all the other protocol suites, whether judge the common protocol quantity of two protocol suites greater than setting threshold, if, execution in step B
2, otherwise, nonjoinder;
B
2. whether judge the average asterisk wildcard quantity of described two protocol suites less than 1, if, execution in step B
3, otherwise, nonjoinder;
B
3. judge the minimizing that whether can cause status number in described deterministic finite automaton engine after described two protocol suites merge, if, merge described two protocol suites, otherwise, nonjoinder;
B
4. judge whether to travel through all protocol suites, if, finish to optimize, otherwise, step B returned to
1, select arbitrary protocol suite in the protocol suite that never traverses.
Wherein, step S4 further comprises:
S4.1 extracts all certainty character strings in the known application layer protocol that does not have Fixed CP;
S4.2 is for each described known application layer protocol that does not have Fixed CP, selects length in its character string of extracting is the longest and character string that extract with other application layer protocols is not identical character string as the agreement fingerprint of this application layer protocol;
S4.3 carries out protocol identification based on the agreement fingerprint to message to be identified corresponding to described prefix character.
The present invention also provides a kind of application layer protocol recognition system, and this system comprises: extraction module, for the prefix character of the load of extracting message to be identified; Segmentation module, be used for judging whether prefix character that described extraction module extracts mates the Fixed CP of known application layer protocol, if the message to be identified that described prefix character is corresponding is sent to the first identification module, otherwise sends it to the second identification module; The first identification module is used for selecting the deterministic finite automaton engine according to described prefix character, and by selected deterministic finite automaton engine, message to be identified corresponding to described prefix character is carried out matching treatment; The second identification module is used for based on the agreement fingerprint, message to be identified corresponding to described prefix character being carried out protocol identification;
This system also comprises collector, and this module further comprises:
Grouped element is used for the prefix length that record has the known application layer protocol of Fixed CP, according to initial character, described known application layer protocol with Fixed CP is divided into groups, and obtains some protocol suites;
The subset merge cells is used for removing some protocol suites and is the protocol suite of other protocol suite subsets;
Optimize the unit, be used for adopting heuristic clustering algorithm that some protocol suites that described subset merging cell processing obtains are optimized;
Compilation unit is used for the some protocol suites after described optimization unit optimization is processed are compiled as the deterministic finite automaton engine;
Some protocol suites that described employing heuristic clustering algorithm obtains described subset merging cell processing are optimized and are specially:
B
1. get arbitrary protocol suite, travel through all the other protocol suites, whether judge the common protocol quantity of two protocol suites greater than setting threshold, if carry out B
2, otherwise, nonjoinder;
B
2. judge that whether the average asterisk wildcard quantity of described two protocol suites is less than 1, if carry out B
3, otherwise, nonjoinder;
B
3. judge the minimizing that whether can cause status number in described deterministic finite automaton engine after described two protocol suites merge, if, merge described two protocol suites, otherwise, nonjoinder;
B
4. judge whether to travel through all protocol suites, if, finish to optimize, otherwise, B returned to
1, select arbitrary protocol suite in the protocol suite that never traverses.
Wherein, described the second identification module further comprises: extraction unit is used for extraction and does not have all certainty character strings of known application layer protocol of Fixed CP; Agreement fingerprint determining unit, be used for for each described known application layer protocol that does not have Fixed CP, select length in its character string of extracting is the longest and character string that extract with other application layer protocols is not identical character string as the agreement fingerprint of this application layer protocol; Recognition unit is used for based on the agreement fingerprint, message to be identified corresponding to described prefix character being carried out protocol identification.
(3) beneficial effect
Method and system of the present invention have also satisfied the requirement of high-throughput and low EMS memory occupation when having high accuracy of identification.
Description of drawings
Fig. 1 is the application protocol recognition method flow chart according to one embodiment of the present invention;
Fig. 2 is the application layer protocol recognition system structured flowchart according to one embodiment of the present invention.
Embodiment
Application protocol recognition method and system that the present invention proposes reach by reference to the accompanying drawings embodiment and are described in detail as follows.
Find through observation and research to present mainstream applications layer protocol, most agreements begin with fixing prefix.That is to say, if an actual flow wants to mate a certain agreement with fixing prefix, it must begin with the character string that specifically satisfies this prefix, and the possibility of coupling is just arranged.So, when actual flow arrives, only need to take out the agreement of those and its prefix matching and this flow and mate and get final product, those have fixing prefix and the agreement different from its prefix impossible with this flow matches.Therefore, the application protocol recognition method that the present invention proposes mated and presorts based on the multistage, was divided into two stages when processing actual flow.In the phase I of protocol identification, processing be the message that those application layer protocol characteristic patterns that can be had Fixed CP are mated, process with which group DFA engine according to the judgement of its prefix character, then transfer to the DFA engine and carry out matching treatment; In second stage, be to process those fail to mate in the phase I, messages that feature mode mated that to be had Fixed CP.Process most flows owing to can expend very little Resources Consumption in the phase I of protocol identification, second stage only need be processed the small part flow, thereby has greatly improved the speed of identification, the purpose of reached high-throughput, hanging down EMS memory occupation.
As shown in Figure 1, the application protocol recognition method according to one embodiment of the present invention comprises step:
S1. extract the prefix character of the load of message to be identified;
S2. judge whether described prefix character mates the Fixed CP of known application layer protocol, if, execution in step S3, otherwise execution in step S4;
S3. select deterministic finite automaton (Deterministic Finite Automation, DFA) engine according to described prefix character, and by selected deterministic finite automaton engine, message to be identified corresponding to described prefix character carried out matching treatment;
S4. the recognition system based on the agreement fingerprint that is similar in the Snort system is carried out protocol identification to message to be identified corresponding to described prefix character.
Wherein, also the known application layer protocol characteristic pattern with Fixed CP need be divided into groups, merged and optimized according to prefix character before step S1, and group result is compiled as the DFA engine, this pretreated purpose is in order to reach the throughput that improves matching engine, the EMS memory occupation that reduces recognizer.Comprise that specifically step is as follows:
A
1. for the feature string of known application layer protocol, distinguish it and whether have Fixed CP, record has the prefix length of the known application layer protocol of Fixed CP, according to initial character, the known application layer protocol with Fixed CP is divided into groups, and obtains some protocol suites.All minimum values of prefix length value with agreement of Fixed CP are 1, so these agreements with Fixed CP are classified by its initial character.Otherwise, if with longer prefix as criteria for classification, can cause those prefix lengths is that 1 agreement repeats.
After agreement with Fixed CP is classified according to initial character, obtain a series of protocol suite.These protocol suites have different prefixes each other, between those agreements of protocol suite inside, have identical initial character.But may contain same protocol between protocol suite, this is due to the prefix of some agreement unique causing not.For example, be embroidered with " a " and " b " two before the agreement that " ^[ab] c.*d " is represented, it both can be assigned to " a " that group during protocol packet so, equally also can be assigned in " b " that group.So, preliminary divide into groups according to initial character after, caused number of protocols sum in all protocol suites more than the initial number of protocols that participates in grouping, the coupling that this will cause redundancy has reduced protocol identification speed.So, preliminary group result is handled as follows.
A
2. subset merges, and removing in some protocol suites is the protocol suite of other protocol suite subsets.As mentioned above, due to the multiplicity of protocol prefix, will cause some agreement to appear in different groupings, this has just caused the redundancy of some protocol suites, and What is more, and some protocol suites having occurred is situations of the subset of other protocol suite.For example, only contain in a certain protocol suite and be numbered 3,7,9 agreement, these agreements have identical prefix " a ", and 3,7,9 three agreements have comprised fixing prefix " b " simultaneously, simultaneously in prefix for also containing the agreements such as 17,23 in the group result of " b ", so, the protocol suite take " a " as prefix is exactly the subset of the protocol suite take " b " as prefix.Subset relation between this protocol suite has caused the coupling of redundancy, and namely subset is fully unwanted, concentrates because its full detail has been included in his father.Therefore, preliminary group result is carried out the processing that subset merges, those protocol suites that are other protocol suite subsets are removed in group result.
A
3. selectivity merges, and adopts heuristic clustering algorithm to steps A
2The some protocol suites that obtain are optimized.After subset merged, the protocol redundancy phenomenon in protocol suite had reduced greatly, and still, for an optimization problem, this group result is not the overall situation or local optimum, in order to improve protocol identification efficient, also needs to be optimized.Optimization problem for this nondeterministic polynomial difficulty (Non-deterministic Polynomial Hard, NP-Hard) adopts didactic clustering algorithm to be optimized processing.
A
4. will be through steps A
3Some protocol suites after optimization process are compiled as the DFA engine.
Wherein, steps A
3Further comprise:
B
1. get arbitrary protocol suite G
i, travel through all the other protocol suite G
j, whether judge the common protocol quantity of two protocol suites greater than setting threshold, if, execution in step B
2, otherwise, nonjoinder;
B
2. judgement G
iAnd G
jAverage asterisk wildcard quantity whether less than 1, if, execution in step B
3, otherwise, nonjoinder;
B
3. judgement G
iAnd G
jThe minimizing of status number in the DFA engine that whether can cause after merging compiling out, if, merge described two protocol suites, otherwise, nonjoinder;
B
4. judge whether to travel through all protocol suites, if, finish to optimize, otherwise, step B returned to
1, never traverse to such an extent that select arbitrary protocol suite in protocol suite.
Through the processing of step S3 phase I, most actual flow will be mated, and consume simultaneously less resource.For those flows that can't mate in the phase I, will carry out matching treatment in second stage.In second stage, although the flow of processing is less, still need reliably and efficiently to mate means.The present invention adopts to be similar to and based on the recognition system of agreement fingerprint, message to be identified is identified (the agreement fingerprint technique is a kind of protocol detection technology based on load that adopts in the Snort system) in Snort system (Snort is the intruding detection system of following GNU GPL the most frequently used on the Linux platform, is also a very outstanding packet gripping tool simultaneously).The step S4 of second stage further comprises:
S4.1 extracts all certainty character strings in the known application layer protocol that does not have Fixed CP;
S4.2 is for each described known application layer protocol that does not have Fixed CP, selects length in its character string of extracting is the longest and character string that extract with other application layer protocols is not identical character string as the agreement fingerprint of this application layer protocol;
S4.3 carries out protocol identification based on the agreement fingerprint to message to be identified corresponding to described prefix character.
The present invention proposes to compare with the DFA matching engine of highest level and have the more multistage matching engine of high-throughput.Show after real data test, the recognition rate of the method and system in the present invention is three times of recognition rate of DFA matching engine.The application of packet combining algorithm wherein makes memory usage significantly compress.Compare with the DFA matching engine of highest level, the method memory usage that the present invention proposes has reduced 60%.
As shown in Figure 2, the application layer protocol recognition system according to one embodiment of the present invention comprises: extraction module, for the prefix character of the load of extracting message to be identified; Segmentation module, be used for judging that described extraction module extracts to such an extent that whether prefix character mates the Fixed CP of known application layer protocol, if the message to be identified that described prefix character is corresponding is sent to the first identification module, otherwise sends it to the second identification module; The first identification module is used for selecting the deterministic finite automaton engine according to described prefix character, and by selected deterministic finite automaton engine, message to be identified corresponding to described prefix character is carried out matching treatment; The second identification module is used for based on the agreement fingerprint, message to be identified corresponding to described prefix character being carried out protocol identification.
This system also comprises collector, this module further comprises: grouped element, be used for the prefix length that record has the known application layer protocol of Fixed CP, according to initial character, described known application layer protocol with Fixed CP divided into groups, obtain some protocol suites; The subset merge cells is used for removing some protocol suites and is the protocol suite of other protocol suite subsets; Optimize the unit, be used for adopting heuristic clustering algorithm that some protocol suites that described subset merging cell processing obtains are optimized; Compilation unit is used for the some protocol suites after described optimization unit optimization is processed are compiled as the deterministic finite automaton engine.
Wherein, the second identification module further comprises: extraction unit is used for extraction and does not have all certainty character strings of known application layer protocol of Fixed CP; Agreement fingerprint determining unit, be used for for each described known application layer protocol that does not have Fixed CP, select length in its character string of extracting is the longest and character string that extract with other application layer protocols is not identical character string as the agreement fingerprint of this application layer protocol; Recognition unit is used for based on the agreement fingerprint, message to be identified corresponding to described prefix character being carried out protocol identification.
Above execution mode only is used for explanation the present invention; and be not limitation of the present invention; the those of ordinary skill in relevant technologies field; without departing from the spirit and scope of the present invention; can also make a variety of changes and modification; therefore all technical schemes that are equal to also belong to category of the present invention, and scope of patent protection of the present invention should be defined by the claims.
Claims (4)
1. an application protocol recognition method, is characterized in that, the method comprising the steps of:
A
1. record has the prefix length of the known application layer protocol of Fixed CP, according to initial character, described known application layer protocol with Fixed CP is divided into groups, and obtains some protocol suites;
A
2. removing in some protocol suites is the protocol suite of other protocol suite subsets;
A
3. adopt heuristic clustering algorithm to steps A
2The some protocol suites that obtain are optimized;
A
4. will be through steps A
3Some protocol suites after optimization process are compiled as the deterministic finite automaton engine;
S1. extract the prefix character of the load of message to be identified;
S2. judge whether described prefix character mates the Fixed CP of known application layer protocol, if, execution in step S3, otherwise execution in step S4;
S3. select the deterministic finite automaton engine according to described prefix character, and by selected deterministic finite automaton engine, message to be identified corresponding to described prefix character carried out matching treatment;
S4. based on the agreement fingerprint, message to be identified corresponding to described prefix character carried out protocol identification;
Steps A
3Further comprise:
B
1. get arbitrary protocol suite, travel through all the other protocol suites, whether judge the common protocol quantity of two protocol suites greater than setting threshold, if, execution in step B
2, otherwise, nonjoinder;
B
2. whether judge the average asterisk wildcard quantity of described two protocol suites less than 1, if, execution in step B
3, otherwise, nonjoinder;
B
3. judge the minimizing that whether can cause status number in described deterministic finite automaton engine after described two protocol suites merge, if, merge described two protocol suites, otherwise, nonjoinder;
B
4. judge whether to travel through all protocol suites, if, finish to optimize, otherwise, step B returned to
1, select arbitrary protocol suite in the protocol suite that never traverses.
2. application protocol recognition method as claimed in claim 1, is characterized in that, step S4 further comprises:
S4.1 extracts all certainty character strings in the known application layer protocol that does not have Fixed CP;
S4.2 is for each described known application layer protocol that does not have Fixed CP, selects length in its character string of extracting is the longest and character string that extract with other application layer protocols is not identical character string as the agreement fingerprint of this application layer protocol;
S4.3 carries out protocol identification based on the agreement fingerprint to message to be identified corresponding to described prefix character.
3. an application layer protocol recognition system, is characterized in that, this system comprises:
Extraction module is for the prefix character of the load of extracting message to be identified;
Segmentation module, be used for judging whether prefix character that described extraction module extracts mates the Fixed CP of known application layer protocol, if the message to be identified that described prefix character is corresponding is sent to the first identification module, otherwise sends it to the second identification module;
The first identification module is used for selecting the deterministic finite automaton engine according to described prefix character, and by selected deterministic finite automaton engine, message to be identified corresponding to described prefix character is carried out matching treatment;
The second identification module is used for based on the agreement fingerprint, message to be identified corresponding to described prefix character being carried out protocol identification;
This system also comprises collector, and this module further comprises:
Grouped element is used for the prefix length that record has the known application layer protocol of Fixed CP, according to initial character, described known application layer protocol with Fixed CP is divided into groups, and obtains some protocol suites;
The subset merge cells is used for removing some protocol suites and is the protocol suite of other protocol suite subsets;
Optimize the unit, be used for adopting heuristic clustering algorithm that some protocol suites that described subset merging cell processing obtains are optimized;
Compilation unit is used for the some protocol suites after described optimization unit optimization is processed are compiled as the deterministic finite automaton engine;
Some protocol suites that described employing heuristic clustering algorithm obtains described subset merging cell processing are optimized and are specially:
B
1. get arbitrary protocol suite, travel through all the other protocol suites, whether judge the common protocol quantity of two protocol suites greater than setting threshold, if carry out B
2, otherwise, nonjoinder;
B
2. judge that whether the average asterisk wildcard quantity of described two protocol suites is less than 1, if carry out B
3, otherwise, nonjoinder;
B
3. judge the minimizing that whether can cause status number in described deterministic finite automaton engine after described two protocol suites merge, if, merge described two protocol suites, otherwise, nonjoinder;
B
4. judge whether to travel through all protocol suites, if, finish to optimize, otherwise, B returned to
1, select arbitrary protocol suite in the protocol suite that never traverses.
4. application layer protocol recognition system as claimed in claim 3, is characterized in that, described the second identification module further comprises:
Extraction unit is used for extraction and does not have all certainty character strings of known application layer protocol of Fixed CP;
Agreement fingerprint determining unit, be used for for each described known application layer protocol that does not have Fixed CP, select length in its character string of extracting is the longest and character string that extract with other application layer protocols is not identical character string as the agreement fingerprint of this application layer protocol;
Recognition unit is used for based on the agreement fingerprint, message to be identified corresponding to described prefix character being carried out protocol identification.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201110066864 CN102130956B (en) | 2011-03-18 | 2011-03-18 | Method and system for identifying application layer protocols |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201110066864 CN102130956B (en) | 2011-03-18 | 2011-03-18 | Method and system for identifying application layer protocols |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102130956A CN102130956A (en) | 2011-07-20 |
CN102130956B true CN102130956B (en) | 2013-06-05 |
Family
ID=44268845
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 201110066864 Active CN102130956B (en) | 2011-03-18 | 2011-03-18 | Method and system for identifying application layer protocols |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102130956B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106789358A (en) * | 2017-02-15 | 2017-05-31 | 北京浩瀚深度信息技术股份有限公司 | Business recognition method and system based on DPI |
CN111163071A (en) * | 2019-12-20 | 2020-05-15 | 杭州九略智能科技有限公司 | Unknown industrial protocol recognition engine |
CN112887280B (en) * | 2021-01-13 | 2022-05-31 | 中国人民解放军国防科技大学 | Network protocol metadata extraction system and method based on automaton |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101425876B (en) * | 2008-12-16 | 2015-04-22 | 北京中创信测科技股份有限公司 | Communication protocol deciphering method and device |
-
2011
- 2011-03-18 CN CN 201110066864 patent/CN102130956B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN102130956A (en) | 2011-07-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1881950B (en) | Packet classification acceleration using spectral analysis | |
CN110019651A (en) | A kind of streaming regulation engine and business data processing method | |
CN101958804B (en) | Method for promoting warning processing efficiency, server and system | |
CN107819646A (en) | A kind of net flow assorted system and method for distributed transmission | |
CN107547671A (en) | A kind of URL matching process and device | |
CN101841440A (en) | Peer-to-peer network flow identification method based on support vector machine and deep packet inspection | |
CN104618304B (en) | Data processing method and data handling system | |
CN102130956B (en) | Method and system for identifying application layer protocols | |
CN101184000A (en) | Packet sampling and application signature based internet application flux identifying method | |
CN110034966B (en) | Data flow classification method and system based on machine learning | |
CN101645803B (en) | P2P service identification method and Internet service identification system | |
CN102385551B (en) | Method, device and system for screening test cases | |
CN102314520A (en) | Webpage text extraction method and device based on statistical backtracking positioning | |
CN108718306A (en) | A kind of abnormal flow behavior method of discrimination and device | |
CN104333483A (en) | Identification method, system and identification device for internet application flow | |
CN101714948B (en) | A kind of sorting technique of net bag of multiple domain and device | |
CN101582897A (en) | Deep packet inspection method and device | |
CN104333461A (en) | Identification method, system and identification device for internet application flow | |
CN108028807A (en) | Method and system for on-line automatic identification Model of network traffic | |
CN105429817A (en) | Illegal business identification device and illegal business identification method based on DPI and DFI | |
CN110266603A (en) | Authentication business network flow analysis system and method based on http protocol | |
CN103595729A (en) | Protocol analysis method and device | |
CN101710898A (en) | Method for describing characteristics of communication protocol of application software | |
CN102143151B (en) | Deep packet inspection based protocol packet spanning inspection method and deep packet inspection based protocol packet spanning inspection device | |
CN104125146B (en) | A kind of method for processing business and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C41 | Transfer of patent application or patent right or utility model | ||
TR01 | Transfer of patent right |
Effective date of registration: 20161208 Address after: 18 Xuanwu District, Jiangsu, Nanjing Xuanwu Avenue, No. -22, building 699, No. 210042 Patentee after: CERTUSNET CORP. Address before: 100084 Beijing Haidian District Tsinghua Yuan 100084-82 mailbox Patentee before: Tsinghua University |