CN102185758A - Protocol recognizing method based on Ares message tagged word - Google Patents


Info

Publication number
CN102185758A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011100899979A
Other languages
Chinese (zh)
Inventor
王汝传
张俊清
李致远
韩志杰
邵星
林巧民
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University

Abstract

The invention provides a protocol recognition method based on ARES message tagged words. It provides a feature library for ARES protocol messages and, at the same time, a protocol recognition method based on the Ares protocol tagged words, aiming to solve the problems that the ARES protocol is rarely researched at home and abroad and is difficult to recognise. The ARES protocol recognition system comprises three functional modules: an anomaly detection module, a DPI (deep packet inspection) packet scanning module and a log printing module. The core recognition module uses the Netfilter mechanism and DPI technology under Linux, which ensures the real-time performance and reliability of the recognition system. The invention can efficiently recognise the various message flows of the ARES protocol and then serve an ARES protocol analysis system, giving it good generality and extensibility.

Description

A protocol recognition method based on Ares message characteristic words
Technical field
The present invention is a solution for identifying specific packets of the ARES (Ares) protocol in network traffic. It is mainly used to solve the problem of recognising ARES protocol packets and, on that basis, to serve an ARES protocol analysis system. It belongs to the field of computer network traffic identification and monitoring.
Background technology
P2P applications are now very common, yet their wide use also places bandwidth operators in an awkward position. As P2P usage keeps growing, ordinary Internet applications have to share limited bandwidth resources with a large volume of P2P traffic, which further aggravates the bandwidth bottleneck. At the same time, the constant seizure of bandwidth by P2P raises the investment required of network builders without a proportional increase in revenue, dampening the enthusiasm for building links along the industry chain and harming the healthy development of the whole industry. If the present "best effort" model continues, the quality of service of ordinary Internet applications will decline and the interests of ISPs will be damaged. On the other hand, the convenient file sharing and fast routing mechanisms of the P2P environment also give Internet worms, unhealthy information and the like better opportunities for intrusion. Recent measurements by several large ISPs show that P2P traffic already occupies more than 60%, even 70%, of Internet bandwidth, so there is an urgent need to build a caching system to optimise the P2P network. The key to realising such a caching system is solving the problem of identifying P2P protocols on the Internet. Accurate identification of P2P traffic is of great significance both for effective network supervision and for rational use of network resources.
DPI (deep packet inspection) discovers P2P applications by inspecting the application-layer protocol carried in packets. If the characteristic string of a known P2P protocol is found while scanning the application-layer data of a packet, the flow can be regarded as belonging to a P2P application. This technique uses a payload feature database to store payload feature strings; a packet that matches a payload feature string is treated as a P2P packet. For example, if the string "BitTorrent protocol" is found in a packet, the flow can be regarded as belonging to BitTorrent. IPP2P is an open-source project that identifies P2P through deep scanning of the application layer; its goal is to pick out P2P data within IP traffic. It is implemented by extending the Netfilter/iptables framework with a new rule-match module, so it can easily be integrated into an existing Linux firewall and used through ordinary filtering rules. IPP2P performs deep scanning of packets with suitable match patterns to identify P2P traffic. Once recognised, a P2P flow can be dropped, given lower priority or bandwidth-limited, thereby improving network performance.
Development of Ares began in 2002, originally running on the Gnutella network. After 6 months it switched to a network and framework of leaf nodes and supernodes. Ares (Ares Galaxy) is free P2P software with chatroom and file-sharing functions. It supports many formats, and nearly all music, films, pictures, documents, software and so on can be obtained by downloading through it. Compared with the other currently popular P2P protocols, the protocol characteristics of ARES and their identification are harder to determine. At present there is some research at home and abroad on the features and identification of protocols such as Kazaa, Gnutella, eDonkey, eMule and BitTorrent, but very little on the ARES protocol; in current search engines almost no research material on the ARES protocol can be found. This deserves the attention of P2P researchers at home and abroad, and joint research on the ARES protocol is needed.
Summary of the invention
Technical problem: the object of the invention is, on the basis of an independent analysis of the ARES protocol characteristics, to provide a protocol recognition method based on Ares message characteristic words, solving the problems that research on the ARES protocol at home and abroad is very scarce and that the protocol is difficult to identify. The invention can efficiently identify all kinds of ARES protocol message flows and thereby serve an ARES protocol analysis system.
Technical scheme: the invention first divides the traffic in the network into broad classes, then extracts features from the payload of the concrete ARES protocol and its corresponding ARES system and builds a feature database. A pattern-matching algorithm is applied to the real-time network flows passing through, to decide whether they contain a feature string from the ARES protocol feature database. If the feature matches, the network flow is ARES data. The recognition function of the invention uses DPI scanning to identify the series of messages in specific ARES network services according to fixed-position tagged words.
The invention makes full use of the real-time processing and extensibility that Netfilter in the Linux system offers for network traffic, realising real-time identification and measurement of ARES traffic. To realise a real-time ARES protocol recognition system, flow information is gathered in real time and the gathered flow information is processed according to the network traffic measurement indices. Netfilter is a packet filtering framework inside the Linux kernel that can inspect in real time all packets passing through the network interface, guaranteeing the security of the system. The good openness and extensibility of the Linux system also make it convenient to implement traffic measurement with it.
The implementation of protocol recognition based on ARES protocol characteristic words is:
Step 1). Carry out requirements analysis, analyse the functions the ARES protocol recognition system needs to complete, and produce a requirements analysis document;
Step 2). Design the modules according to the analysis document of step 1, analyse the function of each module in detail, and produce a document of the logical relations between the modules and the function descriptions;
Step 3). According to the analysis document of step 1, decide to use the Netfilter mechanism of the Linux system to process passing network traffic in real time, guaranteeing the real-time performance, security and extensibility of the ARES protocol recognition system;
Step 4). Build the ARES protocol feature database by studying the concrete ARES protocol and extracting features from the payload of the corresponding ARES system;
Step 5). According to the document of step 2, the key technology decided in step 3 and the ARES protocol feature database built in step 4, design and realise the message recognition module of the ARES protocol recognition system. Recognition efficiency affects the running efficiency of the whole protocol analysis system; the system identifies specific ARES protocol messages in the peer-to-peer network by message length and fixed-position tagged words;
Step 6). According to the document of step 2, design and realise the extraction by the ARES protocol recognition system of relevant information from the recognised messages, and print it into the system log for preservation;
Step 7). According to the function description document of step 2, design and realise the user interface. MFC can be used on the PC side to realise a more attractive and easier-to-operate interface, which prints the identification information from the system log into a dialog box in the interface.
Beneficial effects: the invention researches and analyses the ARES protocol characteristics, builds an ARES protocol feature database, and so addresses the current scarcity of research on the ARES protocol at home and abroad. At the same time, using the Netfilter mechanism of the Linux system and DPI technology, it realises the identification of specific ARES protocol packets and can then serve an ARES protocol analysis system.
This scheme has the following advantages:
1. Good real-time performance: the ARES protocol recognition system has high real-time requirements. Real-time means that the system can respond to external events within a specified time. To improve the real-time performance of the system we therefore adopt the Netfilter mechanism of the Linux system. Netfilter is a packet filtering framework inside the Linux kernel that can inspect in real time all packets passing through the network interface, guaranteeing the real-time performance and security of the system.
2. High stability: the ARES protocol recognition system is required to run fault-free 7*24 hours in a Suse Linux 10.0 environment. Through modular design, mature DPI technology and continuous optimisation of the code, the system has good stability.
3. Efficient recognition: the invention performs message recognition at the network layer, shortening the recognition path; it only recognises uplink traffic and leaves downlink traffic unprocessed, relieving the processing load on the CPU and improving recognition efficiency. Message recognition accuracy reaches 100%, with no missed or false judgements, whereas traditional recognition on routers generally reaches only a 90%~95% hit rate.
4. Modular design: the whole protocol recognition system is divided by functional module; the message recognition function adopts deep-scanning DPI technology and identifies the relevant messages by the tagged words of ARES messages.
5. Good extensibility: because the system modules are separate, functions are designed in parallel layers, and the communication mechanism between modules is fully hierarchical, new functions can easily be added to serve the ARES protocol analysis system, and existing functions can also be upgraded easily.
Description of drawings
Fig. 1 is the structure chart of the ARES protocol recognition system.
Fig. 2 is the Netfilter system framework diagram.
Fig. 3 is the HOOK function flow chart.
Embodiment
One. Architecture
As shown in the ARES protocol recognition system structure chart in Fig. 1, the system of the invention mainly comprises an anomaly detection function, a DPI packet scan function and an identification-information printing function.
1. Anomaly detection function
Before P2P traffic identification, anomaly detection must be carried out on the traffic to create a relatively safe environment for P2P traffic identification and protocol analysis, preventing hidden security-relevant data flows on the network from affecting the detection results or even disrupting the transmission of normal data. Because our detection focuses on identifying P2P traffic, we exclude here all abnormal flows other than P2P streams; in essence this can be regarded as simple filtering. According to the concrete network environment at the time and the different detection requirements, different filter conditions such as time period, number of flows or general characteristics of the network traffic are set; we call these conditions filtering rules.
2. DPI packet scan function
Representative features are extracted from analysis of the tagged words of known ARES protocol packets and used to match the packets under inspection. The overall process can be divided into four stages: building the feature database, obtaining packets, preprocessing packets, and matching and analysing packets. According to the analysis of the match result, specific ARES protocol messages can be identified and the feature database can be supplemented with new packets.
3. Identification-information printing function
Using the syslog-ng logging function under Linux, the information of the ARES protocol messages identified above is recorded in the syslog file ares.log.
Two. Method flow
This part describes in detail the design and realisation of each part of the summary of the invention.
1. Anomaly detection function
The anomaly detection function sets different filter conditions, i.e. filtering rules, such as time period, number of flows or general characteristics of the network traffic, according to the concrete network environment at the time and the different detection requirements. These rules exclude abnormal flows other than P2P, preventing hidden security-relevant data flows on the network from affecting the detection results or even disrupting the transmission of normal data. Anomaly detection creates a safe environment for the next step, ARES protocol message identification.
2. DPI packet scan function
The DPI packet scan function is the core of message identification. This part mainly concerns the use of the Netfilter mechanism and the design of the HOOK function; the function flow chart is shown in Fig. 3.
Use of the Netfilter mechanism: the process by which Netfilter handles packets passing through the network interface is shown in Fig. 2. Fig. 2 also shows the 5 hook points that the Netfilter framework defines for IPv4: NF_IP_PRE_ROUTING, NF_IP_FORWARD, NF_IP_POST_ROUTING, NF_IP_LOCAL_IN and NF_IP_LOCAL_OUT. Each hook point is placed at a determined position in the network protocol stack, and Netfilter currently arranges the relevant processing functions at each hook point as follows:
NF_IP_PRE_ROUTING: called in the ip_rcv function in the file ip_input.c; ip_rcv is mainly used to check the correctness of the skb, the IP header and the IP checksum. The hook functions currently set at this point are connection tracking (Conntrack), address translation (DNAT) and packet mangling.
NF_IP_LOCAL_IN: called in the ip_local_deliver function in the file ip_input.c; ip_local_deliver first reassembles fragments into a single message and then calls the hook functions to process that message. The hook functions currently set at this point are packet filtering and connection tracking.
NF_IP_FORWARD: called in the ip_forward function in the file ip_forward.c. After the routing decision, packets to be forwarded pass through this hook function. The hook function currently set at this point is packet filtering (Filter).
NF_IP_POST_ROUTING: called in the ip_finish_output function in the file ip_output.c. The hook functions currently set at this point are address translation (SNAT) and connection tracking.
NF_IP_LOCAL_OUT: called in the ip_build_xmit, ip_build_xmit_slow, ip_build_and_send_pkt and ip_queue_xmit functions in the file ip_output.c; these functions also implement routing for output packets, and all packets sent by local processes pass through this hook function. The hook functions currently set at this point are connection tracking (Conntrack), packet mangling (mangle), packet filtering (Filter) and address translation (DNAT).
HOOK function flow design:
The key data structure of the TCP/IP protocol stack in Linux Netfilter, the socket buffer (sk_buff), is used to operate on the data passing through. The skb_is_nonlinear function tests whether a buffer is fragmented, and skb_linearize can combine fragments into a single buffer. If the buffer is fragmented, or there is no connection count, the hook returns without doing anything.
Message identification: when a message passes through the first hook function, NF_IP_PRE_ROUTING, it is stored temporarily in the control structure sk_buff in memory. This control structure contains a pointer to the network message (e.g. skb->nh). First it is determined whether the message is a TCP message; then, using the sizes of the network-layer and transport-layer headers provided by the sk_buff structure, adding both header lengths to skb->nh makes the pointer point at the head of the application-layer data (the Appdata pointer). The sk_buff also provides the total length of the packet; subtracting the sizes of the network-layer and transport-layer headers gives the length of the application-layer data. Once this preparation is done, the ARES message to be identified can be compared through the Appdata pointer, that is, decided by matching message length and fixed bits. Data in the sk_buff is stored in network byte order, so __constant_htons() or __constant_htonl() must be used during comparison to unify host byte order and network byte order.
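The following is an added example, not code from the patent or its system: a user-space C model of the header walk described above and of the feature-library pattern match from the technical scheme, run over a constructed IPv4/TCP packet in place of an sk_buff. The signature lengths and tagged words in its table are placeholders, since the page gives no real ARES values, and the packet builder is a test aid that a kernel hook would not need.

```c
/* Added example, not the patent's code: user-space model of the DPI step.
 * Walk the packet as the HOOK function walks an sk_buff: confirm TCP, skip
 * the IP and TCP headers to reach the application data and its length, then
 * match length and fixed-position tagged words against a feature library. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons/ntohs: unify host and network byte order */

/* Feature-library entry: required payload length (0 = any) and a 16-bit
 * tagged word that must appear at `offset` in the payload. */
struct ares_sig {
    uint16_t payload_len;
    size_t   offset;
    uint16_t tag;            /* host byte order */
};

static const struct ares_sig ares_lib[] = {   /* constructed placeholders */
    { 6, 0, 0x03a5 },        /* fixed-length message, tag at offset 0 */
    { 0, 2, 0x5a1e },        /* variable-length message, tag at offset 2 */
};

/* Returns the index of the first matching library entry, or -1. */
int ares_match(const uint8_t *app, size_t app_len)
{
    for (size_t i = 0; i < sizeof ares_lib / sizeof ares_lib[0]; i++) {
        const struct ares_sig *s = &ares_lib[i];
        if (s->payload_len && app_len != s->payload_len) continue;
        if (s->offset + sizeof(uint16_t) > app_len) continue;  /* bounds */
        uint16_t w;
        memcpy(&w, app + s->offset, sizeof w);  /* payload is network order */
        if (w == htons(s->tag)) return (int)i;
    }
    return -1;
}

/* Walks a raw IPv4 packet: matched index, -1 no match, -2 not TCP/malformed. */
int classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -2;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* IP header length */
    uint16_t tot;
    memcpy(&tot, pkt + 2, sizeof tot);
    size_t total = ntohs(tot);                      /* like skb->len */
    if (ihl < 20 || total > len || total < ihl + 20) return -2;
    if (pkt[9] != 6) return -2;                     /* only TCP is inspected */
    size_t thl = (size_t)(pkt[ihl + 12] >> 4) * 4;  /* TCP data offset */
    if (thl < 20 || ihl + thl > total) return -2;
    const uint8_t *app = pkt + ihl + thl;           /* the Appdata pointer */
    size_t app_len = total - ihl - thl;             /* total minus headers */
    return ares_match(app, app_len);
}

/* Test aid: minimal IPv4+TCP packet around `payload`, checksums left zero. */
size_t build_packet(uint8_t *buf, uint8_t proto, const uint8_t *payload, size_t plen)
{
    size_t total = 20 + 20 + plen;
    memset(buf, 0, total);
    buf[0] = 0x45;                       /* IPv4, IHL = 5 words */
    uint16_t tot = htons((uint16_t)total);
    memcpy(buf + 2, &tot, sizeof tot);
    buf[8] = 64;                         /* TTL */
    buf[9] = proto;                      /* 6 = TCP, 17 = UDP */
    buf[20 + 12] = 0x50;                 /* TCP data offset = 5 words */
    memcpy(buf + 40, payload, plen);
    return total;
}

/* Constructed cases 0..3; returns the classifier's verdict for each. */
int demo_case(int which)
{
    static const uint8_t hs[] = { 0x03, 0xa5, 0x00, 0x01, 0x02, 0x03 };
    static const uint8_t sr[] = { 0x00, 0x00, 0x5a, 0x1e, 'x', 'y', 'z' };
    static const uint8_t no[] = { 'G', 'E', 'T', ' ', '/' };
    const uint8_t *pay[]   = { hs, sr, no, hs };
    const size_t   plen[]  = { sizeof hs, sizeof sr, sizeof no, sizeof hs };
    const uint8_t  proto[] = { 6, 6, 6, 17 };     /* case 3 is UDP */
    uint8_t pkt[128];
    if (which < 0 || which > 3) return -2;
    size_t n = build_packet(pkt, proto[which], pay[which], plen[which]);
    return classify_ipv4(pkt, n);                  /* expected 0, 1, -1, -2 */
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("case %d -> %d\n", i, demo_case(i));
    return 0;
}
```

The length check, the bounds check before reading a tagged word and the early return for non-TCP or truncated packets are the parts a hook must get right before touching payload bytes; the real signatures would replace the placeholder table.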
3. Identification-information printing function
Syslog-ng, as a replacement tool for syslog, can fully substitute for the syslog service and, through defined rules, achieve better filtering.
Log output settings:
Step 1) Log in to the Suse system as root and open /etc/syslog-ng/syslog-ng.conf
Step 2) Add the filtering rule that recognises ares: filter f_ares { facility(kern) and match("ares: "); };
Step 3) Add the destination statement giving the storage path for matched entries, and the log statement tying them together: destination ares { file("/root/Desktop/P2P/ares.log"); }; log { source(src); filter(f_ares); destination(ares); };
Step 4) Open a terminal and enter the designated directory with #cd /etc/syslog-ng, then restart syslog-ng with the command #rcsyslog restart
Step 5) The ARES recognition system can now print the identified message information into the system log file ares.log.

Claims (1)

1. A protocol recognition method based on Ares message characteristic words, characterised in that the method comprises the steps:
Step 1). Carry out requirements analysis, analyse the functions the Ares (ARES) protocol recognition system needs to complete, and produce a requirements analysis document;
Step 2). Design the modules according to the analysis document of step 1, analyse the function of each module in detail, and produce a document of the logical relations between the modules and the function descriptions;
Step 3). According to the analysis document of step 1, decide on the key technology of using the Netfilter mechanism of the Linux system to process passing network traffic in real time, guaranteeing the real-time performance, security and extensibility of the ARES protocol recognition system;
Step 4). Build the ARES protocol feature database by studying the concrete ARES protocol and extracting features from the payload of the corresponding ARES system;
Step 5). According to the function description document of step 2, the key technology decided in step 3 and the ARES protocol feature database built in step 4, design and realise the message recognition module of the ARES protocol recognition system; recognition efficiency affects the running efficiency of the whole protocol analysis system, and the system identifies specific ARES protocol messages in the peer-to-peer network by message length and fixed-position tagged words;
Step 6). According to the function description document of step 2, design and realise the extraction by the ARES protocol recognition system of relevant information from the recognised messages, and print it into the system log for preservation;
Step 7). According to the function description document of step 2, design and realise the user interface; Microsoft Visual C++ programming can be used on the PC side to realise a more attractive and easier-to-operate interface, which prints the identification information from the system log into a dialog box in the interface.
Application CN2011100899979A, priority date 2011-04-08, filing date 2011-04-08, published 2011-09-14 as CN102185758A (status as listed on this page: pending). Family ID 44571829. Country status: CN.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110914